Cyber exclusions buried in management liability policies have left many Australian small and medium-sized enterprises (SMEs) exposed, just as cyber-triggered claims against company directors have begun to climb. Rather than follow the market and carve the risk out, Sydney-based boutique underwriter Pacific Indemnity Underwriting Solutions (Pacific Indemnity) has written affirmative cyber language into its new management liability cover - a deliberate reversal of an industry habit that has opened a coverage gap at the worst possible moment.
Adam Suplina, directors and officers (D&O) practice manager at Pacific Indemnity, said most management liability wordings traditionally push cyber exposure into a separate policy that smaller businesses often never buy. The effect, he said, is that a cyber event capable of triggering a director's liability won’t be covered under the policy.
Management liability insurance is a packaged product that combines directors and officers cover with employment practices, statutory liability and crime protection. It is typically bought by private companies, whereas listed entities favour standalone D&O policies, and it has become a core part of the protection brokers place for Australian SMEs.
At the heart of the issue is what underwriters call silent cyber - cyber exposure that sits unaddressed inside a policy never designed with cyber in mind, neither clearly covered nor clearly excluded. Many insurers have responded by stripping it out altogether.
"What a lot of policies try to do is ring-fence the silent cyber out of other policies," said Suplina. "They put cyber exclusions on or don't provide affirmative cover for cyber events that could lead to management liability events."
The motivation, he explained, is partly commercial and partly about controlling the build-up of risk across two policies covering the same client.
"A lot of policies out there contain cyber exclusions, either because they want clients to buy a standalone cyber policy or they don't want accumulation between a cyber policy and a management liability policy," Suplina said.
This type of exposure is far from theoretical. The Australian Signals Directorate (ASD) reported in its Annual Cyber Threat Report 2024–25 that the average self-reported cost of cybercrime for a small business rose 14% to $56,600, while medium businesses faced an average of $97,200, up 55%. Business email compromise and identity fraud remained among the most reported categories - both of which lean heavily on social engineering.
Social engineering, or fraud in which an attacker impersonates a trusted contact to trick staff into transferring funds or handing over data, is precisely the kind of event that can spill into a director's world and surface as a governance or privacy claim. Suplina said this is a big component of the cyber risk facing SMEs.
"We've gone the other way and tried to put in some affirming language saying that just because you have a cyber event, it's not going to preclude you from having a management liability claim under our policy," said Suplina. "Especially with things like social engineering and the privacy concerns around that."
A convergence of trends is showing up across the market, with brokers reporting that the uptake of cyber insurance among Australian SMEs is climbing as attacks, regulation and contractual demands all push smaller businesses to take the threat seriously.
Pacific Indemnity's position runs against the prevailing market logic, deliberately keeping cyber-related exposures inside the management liability wording rather than fencing them out.
"This is making sure we're giving cover where some others are ring-fencing cyber exposures in cyber policies – we're allowing our policy to still have those exposures to cyber," Suplina said.
The product, backed by AXA XL and aimed squarely at the SME and mid-market segment, arrives against a tightening regulatory backdrop. Reforms to the Privacy Act 1988 are being rolled out across 2026 and 2027, extending obligations to a wider range of smaller businesses and raising the expectation that boards can demonstrate active data protection rather than paper compliance alone.
For brokers, a management liability policy that silently excludes cyber may leave an SME client believing they are protected against governance and privacy claims that, in reality, sit outside the wording. The question of where one policy ends and another begins is becoming harder and more consequential to answer.