Why many small businesses still underestimate the need for cyber insurance
Many small businesses in Australia still believe cyber insurance is something only large organisations need. It’s a common assumption. You might feel your business is too small, too low-profile, or too specialised to attract attention from cyber criminals.
The reality is a little more complicated. Cyber risk doesn’t depend on business size. It depends on how technology is used, how data is stored, and how people interact with systems every day.
This article looks at some of the most common reasons small businesses believe they don’t need cyber insurance, and why those beliefs can leave gaps in a broader risk strategy.
We’re too small to be a target for cyber attacks
This is one of the most common assumptions. Many business owners believe cyber criminals only go after large companies with deep pockets.
The Australian Cyber Security Centre [1] reports that small businesses continue to be affected by cyber incidents, often because they have fewer resources dedicated to cybersecurity and recovery planning.
Cyber criminals are not as selective as many people expect. Automated attacks, phishing emails and credential harvesting do not distinguish between a business with ten staff and one with thousands.
We don’t hold sensitive data online
If your business employs people, uses email, invoices clients, stores contact details or processes payments, then it holds data that matters.
This includes employee records, customer details and supplier information. Even when IT, cloud services, payroll or HR are outsourced, responsibility for protecting personal information still sits with the business.
The Office of the Australian Information Commissioner [2] explains that businesses remain responsible for personal information they collect and hold, regardless of how that information is stored or managed.
A cyber incident does not need to involve large volumes of data to cause disruption. Losing access to systems, email accounts, or accounting software can affect day-to-day operations very quickly.
Our IT provider has this covered
Having IT support in place is an important part of managing cyber risk. Strong security controls, system monitoring and regular updates can reduce the likelihood of an incident and help with recovery.
However, no system is completely immune; even organisations with established security measures experience cyber incidents.
Cyber insurance is not a replacement for IT controls. It sits alongside them, helping address the financial and operational impact if something does go wrong.
The cost of a cyber incident is not always obvious
When people think about cyber incidents, they often focus on data theft or ransomware. In practice, the costs can extend further.
A cyber event may involve:
- Business interruption while systems are restored
- Costs associated with investigating what happened
- Time spent notifying affected parties
- Support to manage reputational impacts
Beyond the immediate losses, cyber incidents can result in financial harm, operational disruption and longer-term impacts on customer trust. Such indirect costs, which flow from the wider consequences of an incident, are often difficult to quantify.
Many small businesses do not plan or budget for the full cost of a cyberattack, leaving them exposed to significant financial and operational strain after an incident.
Why cyber insurance is part of a broader risk approach
Cyber insurance is a highly effective way of transferring cyber risk. It works alongside preventative controls, staff awareness and incident response planning.
Understanding and measuring cyber exposure can support better decision-making and more informed risk management by identifying gaps and clarifying how a business might respond if an incident occurs.
Cyber insurance can support recovery efforts, but the specific cover that can be arranged depends on the business, the systems it uses and its overall risk profile.
Taking a practical view of cyber risk
For many small businesses, the question is not whether a cyber incident will ever happen, but whether the business is prepared to respond if it does.
Taking time to review how technology is used, how information flows through the business and how incidents would be handled can help avoid surprises later. Cyber insurance is one part of that conversation, alongside risk awareness and planning.