Australia has moved firmly into the sights of financially motivated criminal groups, according to QBE Insurance Group’s first-quarter 2026 (Q1 2026) cyber threat data, which also shows attacks are reaching critical damage faster than before and that staff manipulation has overtaken purely technical methods as a primary point of entry.
The gap between when an attacker first gains a foothold in a network and when ransomware is deployed has fallen by about 70% since 2021, according to QBE’s data. What used to take close to 100 minutes now takes around 30. In a handful of cases, thousands of devices within a single organisation were encrypted in under 10 minutes. That pace leaves little room for detection or containment. Security teams, incident responders, and insurers dealing with claims are all working against a timeline that has grown considerably tighter over the past five years.
Dominic Keller, global head of cyber services at QBE Insurance, said the change in tempo has broad consequences. “The most striking shift we’re seeing is how quickly cyber incidents now escalate. In many cases, the window between an attacker gaining access and significant disruption is measured in minutes rather than days, which fundamentally changes how organisations need to think about cyber risk,” Keller said. The compression in response time raises questions about how incident response provisions are structured in policies, what triggers coverage, and whether an insured’s internal capabilities are sufficient to act before serious damage occurs.
Cyber activity that was once heavily concentrated in the US has spread across other regions. QBE’s intelligence puts Australia in the top 10 most targeted countries globally, with criminal groups – including newer ones – looking at the Asia-Pacific as a market where competition among threat actors is lower and opportunities are perceived to be greater. “Cyber crime is no longer concentrated in one market or region. Australia and the Asia-Pacific region are increasingly in scope, and attackers are combining technical methods with human-led tactics to increase the scale and impact of incidents,” Keller said. The geographic shift means Australian businesses across sectors face a higher baseline level of exposure than they did even a few years ago – and that insurers writing Australian cyber risk need to account for a threat landscape that has materially changed.
QBE’s Q1 data also points to a rise in pre-encryption data theft. Attackers are pulling out large volumes of sensitive files before triggering ransomware, which gives them leverage in negotiations and creates separate liability for the victim organisation regardless of whether they pay. In one New Zealand case cited in QBE’s report, roughly 1.5 terabytes of data was removed – an amount QBE described as likely representing nearly the organisation’s entire data environment. The volume of stolen data has a direct bearing on claims costs. Larger exfiltrations mean longer and more complex forensic investigations, greater potential for regulatory penalties, and reputational exposure that persists well after systems are back online. That adds up to claims that are harder to close quickly and more difficult to price accurately in advance.
A notable portion of ransomware incidents now involve a voice element – around 11%, according to QBE. Attackers are no longer relying solely on malicious software or compromised credentials; they are calling employees directly, sometimes alongside email phishing or text messages, to impersonate colleagues or IT staff and extract access. In some of these cases, artificial intelligence is being used to replicate the voice of someone the target knows, making the deception harder to detect. The practical effect is that a network’s technical defences can be bypassed through a phone call. “Now more than ever, cyber risk has become a resilience challenge. Preparation, visibility, and the ability to recover quickly are now just as important as prevention,” Keller said.
Government data supports this trend. The Office of the Australian Information Commissioner (OAIC) recorded 532 notifiable data breach notifications in the first half of 2025 – down 10% from the record set in the prior half-year – but human error accounted for 37% of those notifications, up from 29% in the previous period. That means staff actions, rather than technical vulnerabilities alone, were behind more than one in three reported breaches.
Of the 532 notifications received by the OAIC between January and June 2025, 308 – or 59% – stemmed from malicious or criminal activity, with cyber security incidents the most common type. Each cyber-related breach affected an average of just over 10,000 individuals. Health was the sector with the most reported breaches at 18%, followed by finance at 14% and federal government agencies at 13%. The finance figure covers insurers and other financial institutions, making it a relevant benchmark for the industry. IBM’s estimate of the average cost of a data breach in 2024 – $4.26 million – was referenced by the OAIC to illustrate the financial exposure organisations face when a breach occurs.
Keller said the function of cyber cover has broadened. “Effective cyber insurance is not just about what happens after an incident. By helping organisations better understand risk, test decision-making, and prepare leadership teams, insurers can play a meaningful role in reducing disruption and strengthening resilience,” he said. Together, QBE’s threat data and the OAIC's breach statistics describe a market where attacks are faster, data losses are larger, and the human element is increasingly central to how incidents unfold. That combination points to continued pressure on risk assessment, policy design, and claims management in the Australian cyber market.
