Gallagher has outlined a widening set of cyber breach and privacy obligations facing Australian organisations, and the potential implications for insurers, brokers, and underwriters. In its latest insight, Gallagher notes that under the Privacy Act, entities that hold personal information and fall within the act’s scope must notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals when an eligible data breach occurs or is suspected. The notifiable data breach regime has applied since early 2018 and continues to shape regulatory expectations around incident detection, assessment, and communication.
The Privacy Act generally applies to businesses with annual turnover of $3 million or more, private health service providers, credit reporting bodies and credit providers, and entities that trade in personal information or handle tax file numbers. For insurance professionals, these thresholds help identify which clients are subject to mandatory notification and the likely frequency and severity of cyber-related claims.
From May 2025, the regulatory perimeter was extended to the handling of ransomware incidents. Businesses with revenue above $3 million, as well as entities captured by the Security of Critical Infrastructure Act 2018 (SOCI), are required to notify the Australian Signals Directorate (ASD) within 72 hours of making a ransomware payment. SOCI applies to owners and operators of critical infrastructure assets in sectors including energy, water, and telecommunications. Those entities must register specified assets, operate a risk management program, and report cyber incidents.
Under the ransomware notification requirements, affected organisations must disclose whether they used a third-party ransom negotiator, the value of any ransom demand, and the nature of their communications with the threat actor. Failure to comply can result in civil penalties of up to $19,800, along with greater regulatory scrutiny and reputational impact. The regime applies to payments made in response to cybersecurity incidents that directly or indirectly affect the business. These obligations intersect with cyber policy conditions around ransom, notification, and cooperation, and may influence how incident response protocols and governance arrangements are assessed in underwriting.
Gallagher also points to the introduction of a Statutory Tort of Privacy in June 2025, which creates an avenue for individuals to seek redress for serious privacy breaches where an organisation’s conduct is deliberate or reckless. Available remedies include compensatory damages (including for emotional harm), injunctions, apologies, and orders for data destruction. Cyber policies may respond to some of these liabilities within third-party coverage, but treatment of emotional distress and other non-financial loss varies between insurers, prompting closer attention to policy wording for clients with significant privacy exposure.
Australian financial services licence (AFSL) holders are under continued scrutiny regarding cyber security and operational risk, including obligations linked to operational resilience. The Australian Securities and Investments Commission (ASIC) has brought enforcement proceedings in cases where it considers cyber controls and continuity planning to be inadequate. Actions involving FIIG Securities and Fortnum Private Wealth highlight regulator expectations that AFSL holders identify and manage operational risks, maintain critical operations during disruption, and exercise effective oversight of key service providers. For insurance professionals, these developments influence both licensee compliance obligations and the assessment of cyber and operational risk in financial services clients.
Gallagher’s commentary cites several recent enforcement and litigation matters:
These matters are being monitored by insurers as indicators of enforcement appetite, potential claim severity, and sector-specific risk considerations.
Gallagher’s analysis is framed against the OAIC’s Notifiable Data Breaches (NDB) report for January to June 2025. The OAIC recorded 532 notifications in that period, a 10% decline compared with the previous six months, when reports reached a record high. Malicious or criminal attacks accounted for 59% of notifications (308 incidents), with cyber security incidents the predominant driver within that category. Over the same six months, an average of just over 10,000 individuals was affected per cyber incident, signalling the potential aggregation of exposure in larger breaches. The health sector reported the largest share of incidents at 18%, followed by the finance sector at 14% and Australian government agencies at 13%.
The OAIC also reported an increase in breaches linked to human error, which made up 37% of all notifications (193 incidents), up from 29% in the previous reporting period. The regulator concluded that “the human factor continues to pose a notable threat to the strength of an organisation’s personal information security, regardless of how secure its systems are.” IBM’s 2024 benchmarking, cited in the commentary, placed the average cost of a data breach to a business at US$4.26 million. In this context, cyber insurance is presented as one element of a broader risk approach that includes detection capabilities, incident response planning, staff training, and alignment of coverage terms with evolving Australian privacy and cyber regulation.
