Cybercrime in Australia is no longer a large-company problem. The businesses being hit hardest are small and mid-sized — and the most common attacks don’t require sophisticated technology to pull off.
There’s a persistent belief in the SME market that cyber attacks are something that happens to banks, hospitals, and listed companies. That cybercriminals are looking for the big targets with the valuable data, and that a business with 20 or 50 or 100 employees simply isn’t worth their attention.
The data tells a different story. Small and medium businesses are disproportionately targeted precisely because they tend to have weaker defences, less mature incident response capability, and often hold more valuable data — client information, financial records, payment credentials — than their size would suggest.
The attacks themselves are also far less technical than most people imagine. The most costly cyber incidents affecting Australian businesses right now don’t involve exotic malware or state-sponsored hackers. They involve a convincing email, a moment of distraction, and a wire transfer that can’t be reversed.
The threats that are actually hitting Australian businesses
Business Email Compromise (BEC)
Business Email Compromise is currently the single largest source of cyber-related financial loss for Australian businesses, and it requires no hacking in the conventional sense. A criminal monitors email traffic — often through a compromised account that goes undetected for weeks — and at the right moment sends a message impersonating a supplier, executive, or lawyer, redirecting a payment to a fraudulent account.
By the time the fraud is discovered, the funds are typically gone. International transfers to mule accounts are rarely recovered, and the business’s own bank has limited liability once a payment instruction was authorised — even if that instruction was fraudulent.
Scenario: A construction business receives an email from what appears to be their quantity surveyor’s address, advising that their banking details have changed ahead of a $220,000 progress payment. The email address is one character different from the real one. The payment is made on a Friday afternoon. The fraud is discovered the following Monday. The funds are not recovered. Cyber insurance responds to this loss under a funds transfer fraud provision — a standard policy without this extension does not.
Ransomware
Ransomware encrypts the files on your systems — or your entire network — and demands payment, typically in cryptocurrency, for the decryption key. Modern ransomware attacks are frequently combined with data exfiltration: the criminals extract your data before encrypting it, and threaten to publish it if you don’t pay, creating dual pressure regardless of whether you have backups.
For businesses that rely on operational continuity — hospitality, retail, logistics, professional services — the cost of being locked out of systems for even 48 to 72 hours can be substantial. Add the cost of forensic investigation, legal advice, regulatory notification, and potential ransom payment, and a mid-sized ransomware incident can easily reach six figures.
Phishing and credential theft
Phishing emails trick employees into entering login credentials on fake websites, or into clicking links that install malware. Once a set of credentials is compromised — an email password, a cloud storage login, an accounting system access — the attacker has a foothold that can be exploited immediately or held and sold. Multi-factor authentication (MFA) is the single most effective defence against credential-based attacks, but adoption in the SME market remains inconsistent.
Invoice fraud and payment redirection
Similar in effect to BEC but often simpler in execution: fraudulent invoices, or real invoices with banking details replaced, are submitted to accounts payable teams. In businesses where payment approval processes aren’t robust, these can pass through undetected. This is particularly common in industries with high invoice volumes and multiple suppliers — construction, hospitality, and professional services.
What cyber insurance actually covers
Cyber insurance policies vary considerably in scope and quality, and the market has evolved rapidly over the past five years. A well-structured policy addresses both your own costs arising from an incident (first-party cover) and claims made against you by others (third-party liability). Key coverage areas include:
First-party covers
- Incident response costs — forensic investigation to identify the nature and scope of the breach, containment, and remediation
- Legal advice — guidance on your obligations under the Privacy Act, the Notifiable Data Breaches scheme, and any other applicable regulatory framework
- Crisis communications and PR — managing the reputational impact of a breach, particularly where clients or the public need to be notified
- Business interruption — revenue losses and additional operating costs incurred while systems are restored following a covered cyber event
- Data restoration — costs to recover or recreate data that has been encrypted, corrupted, or destroyed
- Ransomware and extortion response — specialist negotiation support and, where legally permissible, ransom payments
- Funds transfer fraud — recovery of financial losses arising from fraudulent payment instructions where a cyber event was the proximate cause
Third-party covers
- Privacy liability — claims by individuals whose personal data was compromised as a result of a breach you suffered
- Regulatory defence — costs of responding to an investigation or action by the Office of the Australian Information Commissioner (OAIC) or other regulators
- Network security liability — claims by third parties who suffered losses because a cyber event on your network affected them
Coverage gap to watch: Many general business insurance policies include a cyber exclusion, or provide only limited cover for cyber-related losses under a crime or property section. It’s worth checking whether your existing program has meaningful cyber coverage — or whether what looks like protection is actually an exclusion dressed up as a sublimit.
What insurers are looking for — and why it matters
The cyber insurance market has tightened significantly since 2020. Insurers now conduct more detailed underwriting assessments, and the presence or absence of basic security controls directly affects both the availability of cover and the premium charged.
Controls that underwriters assess include:
- Multi-factor authentication (MFA) — particularly for email, remote access, and financial systems. This is now effectively a baseline requirement for most insurers
- Endpoint detection and response (EDR) — active monitoring of devices for signs of compromise, as distinct from traditional antivirus software
- Regular, tested backups stored offline or in an isolated environment — backups connected to the same network as the primary systems are vulnerable to the same ransomware attack
- Patch management — keeping operating systems and software up to date to close known vulnerabilities
- Staff training — regular awareness training, particularly around phishing and social engineering
- Incident response planning — a documented plan for what to do in the first hours of a cyber incident, including who to call
The practical implication is twofold. Businesses with stronger security postures pay lower premiums and access broader coverage. Businesses with material gaps — particularly around MFA — may find cover restricted or premiums significantly elevated.
At Rumble Insurance, we work with clients ahead of renewal to understand their security posture and, where there are gaps, to address them before approaching the market. This isn’t about ticking boxes for the insurer’s benefit — it’s about making sure the coverage obtained is genuine and that the business is in a defensible position if a claim is made.
A note on HNW individuals and personal cyber risk
Cyber risk isn’t limited to businesses. High net worth individuals are increasingly targeted through personal email compromise, social engineering attacks directed at family members, and fraud schemes targeting investment accounts, property transactions, and online banking.
Conveyancing fraud — where criminals intercept communication between a buyer and their solicitor and redirect settlement funds — has cost Australian property buyers millions of dollars in recent years. The funds are rarely recovered and the bank and solicitor rarely carry liability.
Personal cyber insurance is available as a standalone product or as an extension to a prestige home and contents policy. For clients managing significant personal wealth, investment activity, or property transactions, it deserves consideration alongside the more conventional elements of a personal insurance program.
Questions to consider
- If a payment instruction arrived by email tomorrow with updated banking details, what is your process for verifying it before funds are released?
- Do all staff with access to financial systems or client data use multi-factor authentication?
- When did you last test your backups — not just confirm they exist, but actually restore from them?
- If your systems were encrypted tonight, do you know who to call and what to do in the first two hours?
- Does your current insurance program have meaningful, specific cyber coverage — or does it rely on a general property or crime section that may exclude cyber-related losses?
These are uncomfortable questions, but they’re far more comfortable to answer now than in the middle of an incident.
Talk to Rumble Insurance about cyber coverage for your business → 0457 884 185 | [email protected]