Emergence Insurance has released its inaugural Cyber Claims Data Report 2025, offering a comprehensive view of cyber claims trends among small and medium-sized enterprises (SMEs) in Australia and New Zealand.
The report, based on data from Emergence’s internal claims and incident response team, is intended to inform insurance brokers and industry stakeholders about the evolving cyber risk landscape.
The report reveals that the financial impact of cyber incidents on SMEs has continued to grow over the past several years.
Median claim costs have risen each year since 2021, with ransomware claims showing the most significant increase. The average cost of a ransomware incident nearly doubled, rising from $106,500 in 2021 to $207,600 in 2024.
Emergence CEO Troy Filipcevic addressed the report’s results, noting that cybercrime presents an escalating and substantial threat to businesses, with recovery costs potentially reaching millions.
“SMEs are particularly vulnerable – cyber insurance can be the difference between surviving an attack or going bust. Immediate and effective incident response is crucial to mitigating the impact,” he said.
Filipcevic also pointed out that SMEs often lack the in-house cybersecurity resources available to larger organisations, making them more susceptible to the consequences of cyber incidents.
The report identifies business email compromise (BEC) as the leading cause of cyber claims, accounting for nearly half of all incidents in 2024.
Socially engineered theft (SET) follows as the second most frequent claim type, representing 16% of claims.
Blake Baxter, head of claims and incident response at Emergence, said that BEC incidents occur frequently across organisations of all sizes.
“You would think there is a lot of awareness around phishing techniques through workplace cyber training, but many employees are still unaware of how their inadvertent acts can result in a serious cyber incident,” he said.
Healthcare and professional services are highlighted as the sectors most frequently targeted, both in terms of the number and cost of claims.
The sensitivity of personal data and the regularity of financial transactions in these industries are cited as contributing factors.
Separate data from BizCover indicates a significant rise in cyber insurance adoption among Australian SMEs.
Over the past year, policy uptake increased by 50%, and over a three-year period, the number of policies sold to small businesses grew by 85%.
This trend is attributed to greater awareness of the risks associated with cyber incidents, such as business interruption, legal costs, data recovery, and reputational damage.
In response to these developments, the Insurance Council of Australia (ICA) has recommended expanding cybersecurity requirements for businesses, particularly as cyber threats become more sophisticated and artificial intelligence is increasingly used in attacks.
The ICA’s proposals include increased accountability for technology providers, workforce development programs to embed cybersecurity expertise in SMBs, and broader requirements for ransomware incident reporting.
The ICA has also stressed the importance of a national approach that considers the varying capabilities of businesses across different sectors, especially those with limited resources for cybersecurity investment.
