Two numbers from APRA that don't add up
On 29 May 2026, the Australian Prudential Regulation Authority released its quarterly general insurance performance statistics. Buried in the cyber line is a story that the rest of the cyber industry has been quietly waiting for.
Cyber insurance is finally working.
The cyber class posted a positive insurance service result for three quarters running — $17 million in September 2025, $10 million in December 2025, $10 million in March 2026. Net claims have stayed low. Loss ratios sit well under the threshold that would trouble underwriters. Capacity is available. Premiums are down roughly 10% across 2025. A line of business that spent most of the early 2020s being labelled “structurally unprofitable” is, on the latest evidence, structurally fine.
And almost no one is buying it.
[Chart: Australian general insurance, March 2026 quarter. Same quarter. Same market. Different sense of urgency.]
[Chart: Cyber as a share of all general insurance premium]
In the March 2026 quarter, Australian insurers wrote 6,000 cyber risks. In the same quarter, they wrote 4.78 million domestic motor policies, 3.16 million householders policies, and 5.52 million CTP policies. Cyber gross written premium has never exceeded $73 million in a single quarter. The entire class accounts for less than 0.2% of total industry premium.
A market analyst quoted in Insurance Business called it “a real mystery.” It isn’t. It’s a quantification problem. And it’s the same problem that boards, CISOs, and regulators have been circling for years — now showing up on the balance sheet of an entire insurance line.
What brokers are saying, in their own words
The story doesn’t read like a market failure on the insurer side. It reads like a buyer-side failure to translate cyber risk into a financial argument.
Jeffrey Gonlin, chief underwriter at Emergence Insurance, told Insurance Business:
“When people get animated about businesses not being insured for some natural peril, somehow when it comes to cyber — because it’s less concrete, it seems less real — there’s just no sense of urgency.”
Gerry Power, general manager of Cowbell in Australia, in the same piece:
“For many SMEs, cyber remains an intangible risk. Business owners can easily understand the consequences of a fire, theft or liability claim. Cyber incidents are different. Many SMEs still believe they are too small to be targeted, despite the reality that cyber criminals often view smaller businesses as easier targets with fewer security controls.”
“Intangible.” “Less concrete.” “Less real.” Three phrases from insurance professionals describing the same buyer reaction — and naming, without naming it, the missing piece.
Cyber risk is not intangible. It has well-defined frequency distributions, well-documented loss magnitudes, and a published threat history that is broader and richer than most other commercial lines. What’s intangible is the buyer’s representation of it. Most Australian businesses still describe their cyber exposure in colour. Red. Amber. Green. They cannot answer the only question that matters at renewal time: how many dollars of expected annual loss are we transferring to the policy, and how many are we keeping on the balance sheet?
If you can’t answer that question, you cannot justify buying the policy. You cannot justify not buying it either. You default to inertia. And inertia, in this market, looks like 6,000 policies a quarter.
You can’t buy insurance for a risk you can’t price
Insurance is a quantitative trade. Two parties exchange money for a transfer of probability-weighted loss. Both sides need a number.
The underwriter has one. APRA’s data confirms it — cyber claims have stabilised, the modelling is tractable, premiums have moderated to the point that the soft-market headlines write themselves. The underwriter walks into the deal with a defensible expected-loss number and a price.
The buyer walks in with a 5×5 heatmap.
This is the gap. It is not a price gap. It is not an awareness gap — the buyer has read the same Optus, Medibank, and Latitude headlines as everyone else. It is a language gap. The two sides of the trade are using different units of measurement.
| What the buyer brings | What the trade actually needs |
|---|---|
| “Cyber risk is High” on the risk register | An Annual Loss Expectancy in dollars with a confidence interval |
| Vendor-questionnaire scores | Loss-event frequency by attack scenario |
| Compliance posture (Essential Eight, ISO 27001 status) | Loss magnitude per realised incident, broken down by category |
| “Critical assets list” | Quantified exposure per asset, including unscannable systems |
| Last year’s near-misses, narrated | A loss distribution with a 95th-percentile loss the board can react to |
The buyer is being asked a financial question and is answering it in compliance language. Worse, the buyer doesn’t know it. They look at a 10% premium discount and ask, “is that a good deal?” There is no internal number against which “good deal” can be evaluated. The decision defaults to whatever last year’s premium was, plus or minus a discretionary tolerance. That is not insurance procurement. That is haggling.
The “intangible” problem is solved. Most Australian boards just haven’t been told.
Cyber Risk Quantification (CRQ) is the discipline of turning the heatmap into a dollar figure. It is not new. The FAIR framework — Factor Analysis of Information Risk — has been the canonical method for over a decade. What’s new is that the tooling, the data, and the regulatory pressure have all matured at the same time.
A defensible cyber ALE comes from four ingredients, none of them exotic:
1. IT systems and third-party services mapped to business outcomes the board cares about: revenue, regulated data, operational continuity.
2. Per asset — ransomware, data breach, vendor outage, insider misuse, regulatory penalty. Each one with a defined consequence.
3. Grounded in industry breach data, threat intelligence, and structured expert input. Recorded as ranges, not single numbers, so assumptions can be challenged.
4. Notification costs, downtime per hour, contract penalties, regulator engagement, forensics, reputational damage. The Australian unit economics for each are now well documented.
Run the simulation. Out the other end comes a loss distribution. The buyer now has the same shape of number the underwriter does: an expected annual loss, a 95th-percentile loss, a tail risk. The renewal conversation becomes a math problem instead of a vibe.
What changes when the board sees the number
Three concrete shifts. None of them subtle.
1. The buy / don’t-buy decision becomes defensible either way
When the board sees that the organisation carries, say, $4.2M in expected annual cyber loss with a 95th-percentile tail of $18M, the question “should we transfer $X of that to a policy at a premium of $Y” is suddenly the same kind of question they answer every time they buy property or liability cover. Insurance procurement re-enters the normal capital-allocation framework. The default of inertia breaks.
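The four-ingredient recipe described earlier (scenarios per asset, frequency ranges, loss magnitudes, a simulation) and the transfer-versus-retain question above can both be shown in working code. The model below is an added example written for this article; it is not the author's tooling and not a FAIR reference implementation. Everything in it is an assumption chosen for illustration: the three-scenario table and its dollar ranges are constructed, frequency is drawn from a triangular range and a Poisson count, per-event loss is a lognormal fitted to a stated 90% confidence interval, and the policy terms (a per-event retention and an annual aggregate limit) are hypothetical. It goes one step beyond the text by splitting each simulated year's losses into what a policy of those terms would pay and what stays on the balance sheet, which is the number the renewal decision actually turns on.

```python
"""Monte Carlo cyber loss model: scenario ranges -> annual loss distribution -> policy split.
Added example; all scenario values and policy terms below are constructed assumptions."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    freq_low: float    # events per year, lower bound of the estimate
    freq_mode: float   # most-likely events per year
    freq_high: float   # upper bound
    loss_p05: float    # 5th-percentile loss per realised event, AUD
    loss_p95: float    # 95th-percentile loss per realised event, AUD


# Constructed scenario table (illustrative, not from any real organisation).
SCENARIOS = [
    Scenario("ransomware",        0.05, 0.15, 0.40, 250_000, 6_000_000),
    Scenario("data breach",       0.10, 0.25, 0.60, 100_000, 4_000_000),
    Scenario("key-vendor outage", 0.20, 0.50, 1.50,  20_000,   800_000),
]

Z95 = 1.6449  # standard-normal 95th percentile


def lognormal_params(p05, p95):
    """Fit a lognormal whose 5th/95th percentiles match the stated 90% confidence interval."""
    mu = (math.log(p05) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p05)) / (2 * Z95)
    return mu, sigma


def poisson(rng, lam):
    """Knuth's algorithm: number of events in one year at rate lam (fine for small lam)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenarios, years=10_000, seed=1):
    """Return, for each simulated year, the list of per-event losses that occurred."""
    rng = random.Random(seed)
    fits = {s.name: lognormal_params(s.loss_p05, s.loss_p95) for s in scenarios}
    result = []
    for _ in range(years):
        events = []
        for s in scenarios:
            rate = rng.triangular(s.freq_low, s.freq_high, s.freq_mode)  # this year's rate
            mu, sigma = fits[s.name]
            events.extend(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, rate)))
        result.append(events)
    return result


def percentile(values, q):
    """Nearest-rank percentile of a list of values."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def summarise(years):
    """Annual loss expectancy and tail points the board can react to."""
    totals = [sum(events) for events in years]
    return {
        "ale": sum(totals) / len(totals),
        "p50": percentile(totals, 0.50),
        "p95": percentile(totals, 0.95),
        "p99": percentile(totals, 0.99),
    }


def apply_policy(years, retention, aggregate_limit):
    """Expected dollars transferred to the insurer vs retained, per year.
    Retention applies per event; the aggregate limit caps payout per policy year."""
    transferred, retained = 0.0, 0.0
    for events in years:
        remaining = aggregate_limit
        for loss in events:
            paid = min(max(loss - retention, 0.0), remaining)
            remaining -= paid
            transferred += paid
            retained += loss - paid
    n = len(years)
    return {"transferred": transferred / n, "retained": retained / n}


if __name__ == "__main__":
    sim = simulate(SCENARIOS)
    for label, value in summarise(sim).items():
        print(f"{label:>4}: ${value:,.0f}")
    # Hypothetical policy terms: $50k per-event retention, $5M aggregate limit.
    split = apply_policy(sim, retention=50_000, aggregate_limit=5_000_000)
    print(f"expected transferred to policy:   ${split['transferred']:,.0f}")
    print(f"expected retained on balance sheet: ${split['retained']:,.0f}")
```

The `ale` line is the buyer's counterpart to the underwriter's expected-loss number; `transferred` is the most a rational buyer would compare the quoted premium against, and `retained` is what the board is choosing to carry whether or not it buys. Recording the inputs as ranges keeps every assumption challengeable, and rerunning with a fresh scenario row (an agentic-AI workflow, for instance) is how the model stays current between renewals.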
2. Premium negotiations stop being asymmetric
Underwriting questionnaires currently ask the buyer for technical detail the buyer often cannot answer accurately, then default to conservative pricing assumptions to cover that uncertainty. A buyer who walks in with quantified inputs — control coverage modelled, attack-graph scenarios costed, frequency assumptions disclosed — gives the underwriter better data and earns back the pricing buffer. Premiums get tighter. So do exclusions, because both sides can negotiate against an evidence base.
3. Claim defensibility improves dramatically
The hidden cost of fuzzy risk language shows up at claim time. A policy written against a vague representation of the insured environment is a policy that pays out slowly, partially, or not at all. A policy written against a documented loss-event scenario, with the assumed loss magnitude on the record, is materially harder to dispute. CRQ is, among other things, a paper trail that pays off when it’s needed most.
The AI overlay is making the gap worse, fast
There is a second wave hitting the market on top of all of this, and it widens the same gap.
Power, again, in the Insurance Business article:
“While many existing cyber insurance policies will respond to certain AI-related incidents, there is a growing risk that businesses assume they are covered for exposures that may not have been fully contemplated when those policies were designed. The reality is that AI itself isn’t creating entirely new risks as much as it is amplifying existing ones.”
ASIC and APRA have both flagged AI governance as inadequate across the insurance industry itself. The intersection of AI-amplified exposure and existing cyber wording is exactly the kind of question that gets settled in a courtroom three years after the incident.
An Australian business deploying agentic AI tools — for code review, customer support, finance workflows, internal search — is materially changing its cyber exposure quarterly. A risk register that gets reviewed annually, in colour-coded form, cannot keep up. The exposure changes faster than the assessment cycle. The policy was written against a version of the business that no longer exists.
This is not a hypothetical regulatory worry. It is a live underwriting question that brokers are being asked right now: “will this policy respond to an AI-induced incident?” The honest answer in most cases is “it depends on what the incident actually does, and the policy was written before we knew.”
A quantified exposure model that is updated continuously — assets, threats, controls, and scenarios all live — is the only thing that can keep policy and reality in the same room.
Five actions for any Australian organisation reviewing cyber cover in 2026
Ask your broker for the exposure model behind the quoted premium.
Underwriters have a number. Brokers can request it. If your premium is being set against a generic industry baseline rather than your specific exposure, you are paying for someone else’s risk profile.
Convert your top three cyber scenarios to ALE before your next renewal.
Pick the three loss events most likely to be material — ransomware, data breach, key-vendor outage are usually the right starting set — and put a dollar figure with a confidence interval on each. This is a week of work, not a quarter.
Stop confusing “we have cyber insurance” with “we know what we’re insuring.”
A policy is a financial instrument, not a control. The control is your quantified understanding of what the policy is there to absorb. Without the latter, you are buying paper.
Stress-test policy assumptions against your current AI deployment.
If the business deployed agentic AI in the last 12 months and the cyber policy hasn’t been re-examined, the policy is written against a stale exposure. Surface the gap before a claim does.
Demand quantified inputs to the underwriting questionnaire.
Where the questionnaire asks for “low / medium / high” descriptions of your control environment, submit numbers instead. Control coverage. Detection coverage. Mean time to contain. Even partial quantification narrows the underwriter’s uncertainty buffer and tightens your pricing.
The bottom line
The 29 May APRA release is the cleanest evidence in years that the supply side of the Australian cyber insurance market is healthy. Insurers have figured out how to price the risk. They have capacity. They are profitable. The product, on the underwriting numbers, works.
The demand side hasn’t caught up because the demand side cannot speak the same language. Six thousand policies a quarter, in a country with hundreds of thousands of digitally-dependent businesses and regulators sharpening enforcement of SOCI, CPS 234, and the Privacy Act, is not a market saturated to its natural ceiling. It is a market with a measurement problem.
CRQ is the bridge. It does three things that no amount of awareness, fear-marketing, or premium discounting will do on its own:
- It gives the buyer a number in the same units the underwriter is using.
- It turns a “cyber is intangible” conversation into a “this is our expected annual loss” conversation.
- It makes the buy / don’t-buy decision a board-level capital-allocation question with a defensible answer either way.
The cyber insurance market in Australia will not stay this small. Either buyers will learn to quantify, or regulators and boards will force the issue, or the next material incident will. The organisations that get there first will buy better cover at better prices, and the organisations that wait will discover at claim time how expensive a vague representation of risk really is.
Math over vibes. It applies to risk registers. It applies to board decks. It applies, very directly, to cyber insurance.
