Cyber Insurance
Made Simple

Protect your business from evolving digital threats with tailored cyber insurance built around your unique risks.

Why is cyber risk important?

Cyber-attacks are one of the fastest-growing risks for Australian businesses. In FY2023–24, over 87,400 cybercrime reports were made, an average of one every six minutes.

Phishing, ransomware, invoice scams, and social engineering have become everyday threats, capable of halting operations, compromising data, and damaging hard-earned reputations.

At MGA Insurance Group, we understand how critical it is to safeguard your business against this evolving digital landscape.

About cyber insurance

Australian businesses face ongoing exposure to evolving attack types such as:

  • Business email compromise (BEC) – deceptive payment redirection and fake invoices
  • Ransomware – malicious encryption of files and systems
  • Phishing – fraudulent messages designed to steal credentials or data
  • Credential theft – unauthorised access using stolen passwords
  • Online banking fraud – fraudulent transactions targeting business accounts

In 2023–24, BEC scams alone caused $84 million in reported financial losses — highlighting the need for strong preventative measures and insurance protection.


How do I protect myself?

At MGA, we don’t just insure cyber risk, we help you manage it. Through our specialised provider VICyber, we offer a proactive three-step process to strengthen your cyber resilience before an incident occurs:

Step 1: Scan & Score

A non-intrusive scan of publicly accessible assets evaluates your digital environment and assigns a cyber health score. This process identifies vulnerabilities early, helping your business understand its current level of cyber exposure.

Step 2: Review & Remediate

We analyse results and assist in addressing vulnerabilities. You can act independently or use our guidance to strengthen weak points and reduce your exposure to cyber threats.

Step 3: Insure with Confidence

Once vulnerabilities are addressed, MGA brokers secure tailored insurance coverage that reflects your strengthened cyber profile. With a solid defence in place, insurers can offer broader coverage and more competitive pricing — meaning stronger protection and better value.


Our cyber insurance solutions are built to help you detect, respond, and recover, because in cyber defence, every second counts.


Average cybercrime losses

Australian Cyber Security Centre 2024-25

  • Small Business: $56,600 (2024-2025), $49K+ (2023-2024), $46K+ (2022-2023)
  • Medium Business: $97,200 (2024-2025), $62K+ (2023-2024), $97K+ (2022-2023)
  • Large Business: $202,700 (2024-2025), $63K+ (2023-2024), $71K+ (2022-2023)

The majority of reports were from small businesses, and the impact on business is significant.

According to the Australian Bureau of Statistics, 92.6% of businesses turn over less than $2 million.

Source: ASD Cyber Threat Report

When it comes to Cyber Attacks, every second counts

MGA’s cyber insurance solutions go beyond standard coverage. We design policies that reflect the realities of modern digital operations and provide access to expert support when incidents occur.

Coverage can include:

  • Incident response and recovery – forensic investigation, data restoration, and system rebuild
  • Business interruption – cover for lost income and operating expenses during downtime
  • Ransomware and cyber extortion – financial and negotiation support during extortion events
  • Regulatory compliance – assistance meeting Notifiable Data Breaches Scheme obligations
  • Reputation management – communications and PR support to rebuild client trust
  • Social engineering protection – cover for losses caused by deceptive or fraudulent activity

Cyber Risk Series
Protecting Your Business in the Digital Age

In this five-part series, MGA Insurance Group explores the growing threat of cybercrime and how businesses can strengthen their defence. Hosted by Kim with expert insight from Jerry Power, each episode delves into a key area of cybersecurity, covering awareness, the financial impact of attacks, practical prevention measures, and the vital role of cyber insurance in helping businesses recover when every second counts.

Part 1 - Understanding Cyber Risk

Topic: What cyber risk means for Australian businesses

The series begins by unpacking what “cyber risk” really is and why it matters to every business, regardless of size. Jerry Power explains that cybercrime is not just an IT problem but a business-wide issue that affects finances, operations, and reputation. The discussion highlights how everyday activities — emails, online payments, and cloud storage — can expose organisations to serious threats. The key message: awareness is the first step in managing cyber risk effectively.

Cyber Risk Series – Episode 1 Transcript
Brought to you by MGA Insurance Group

Kim: Well hello everybody, and welcome to the Cyber Risk Series, brought to you by the MGA Insurance Group. I’m joined by Jerry Power, who brings a wealth of experience. Welcome Jerry, thank you.

Jerry: Thank you.

Kim: You are a cyber expert — some decades now, is it? How many decades is it now?

Jerry: Yes, I’ve been focused on technology for over 20 years. When you think about cybercrime 10 years ago, it really wasn’t something that was in the headlines. But now, we can’t escape it. It’s certainly been making headlines around Australia, particularly over these last couple of years.

Kim: Why is that?

Jerry: The cyber risk landscape is constantly changing, and that’s shaped by advancements in technology, the evolving tactics of cyber criminals, and the increasing reliance on IT systems. And I think one of the key concerns is that really any business could be a potential target.

Kim: Absolutely.

Jerry: So the cyber criminals of today have no interest in who you are or what your industry is. What they want to do is monetise — to attack and make money. They’ll invest time and money to gain entry into a system, and they will sit and wait, watching the tone and behaviour of a business over potentially six or nine months. They’ll study how things operate — how payments are made, how a CEO communicates with the CFO. Understanding how the business operates allows the cyber criminal to cleverly craft how and when they’re going to launch their attack.

Kim: When they do, it’s fair to say this is not just technological warfare — this is psychological warfare.

Jerry: That’s correct. The sophisticated cyber criminals out there are part of global organisations. Their skill sets and financial capability are immense. They have not only technological skills but also psychological skills — they understand human behaviour, and they exploit that to gain access and trust. They understand how clever we think we are with our passwords. They know that an “e” will be changed to an ampersand, or that we’ll put a “1” after our password, and then make it a “2” — they’re all over this. They understand psychology and who they’re targeting. Like when we look at businesses and the nature of industries —

Kim: Is there traditionally a particular industry or organisation type that a cyber criminal would attack?

Jerry: In Australia, professional services, financial institutions, and healthcare have been the main industries targeted for complex cyber risk. But we’re seeing a change — industries that haven’t traditionally been at risk are now becoming attractive to cyber criminals. We’re talking about industries like manufacturing, construction, and farming, for example.

Kim: It’s equally fascinating and terrifying, Jerry. Thank you so much for joining me for Part 1 of the Cyber Risk Series, brought to you by the MGA Insurance Group. Our next part in this series will look at what types of industries and businesses are being targeted — particularly small businesses — and how you can protect yourself from cyber criminals. Thanks so much for joining us.

Part 2 - The Cost of Cyber Attacks

Topic: The financial and operational impact of a breach

This episode focuses on the real-world cost of cyber incidents. Jerry explains that the damage goes far beyond the immediate ransom or data loss, often including business interruption, lost income, legal costs, and reputational damage. Kim and Jerry discuss examples of small and medium-sized enterprises (SMEs) that have struggled to recover after an attack. The key takeaway: prevention and preparedness are far less costly than recovery.

Cyber Risk Series – Part 2 Transcript
Brought to you by MGA Insurance Group

Kim: Hello again, and welcome back to Part 2 of our five-part Cyber Risk Series, brought to you by MGA Insurance Group. I’m joined once again by cyber-security guru Jerry Power, and today we’re turning our attention to small business. It’s the global and national companies that have hit the headlines in recent times — but are small businesses just as at risk of a cyber-attack?

Jerry: Kim, from a cyber-risk perspective, we’re seeing Australian SMEs targeted for a number of reasons. Some of the observations are that SMEs generally have limited cyber-security controls and limited financial resources compared to large enterprises. Yet they still hold valuable data — credit-card details, personal information, intellectual property — and all of that can be monetised by cyber criminals. The criminals know exactly what they’re after.

Kim: What are some of the particular areas of potential damage for a small business?

Jerry: There are a number of areas. Firstly, ransomware and extortion attacks — these can cripple a business. Then there’s the cost of dealing with the aftermath: IT forensics, IT remediation, and figuring out how to get the criminals out of the system. There may also be a regulatory requirement for the company to advise customers that their personal information is now in the hands of criminals.

Kim: Is it fair to say one of the biggest Achilles heels for small business operators is this sense of blind faith — that “it’s not going to happen to me”?

Jerry: Exactly. Many small businesses think, “I’m too small,” or “I don’t have anything of value.” But the reality is, the criminals don’t care who you are or what industry you’re in — they’re looking for an opportunity. They want to lock somebody down, demand a ransom, get paid, and move on. There are different categories and levels of expertise among cyber criminals, and some are incredibly sophisticated.

Kim: So considering how advanced these criminals are, that same blind faith small businesses place in their IT providers — “they’ve got my back, it’ll be fine” — could that be leaving them exposed?

Jerry: I think very much so. The whole existence of a business can be at risk. I’ve insured technology industries for professional negligence for over 20 years, and they’re very good at contractual management — they’ll often have clauses limiting their liability or waiving liability for any loss.

Kim: I understand one of the biggest risks — possibly the most common area you’re seeing — is this wrongful payment of invoices?

Jerry: That’s right. What you’re referring to there is phishing or social-engineering attacks, where a criminal sends a deceptive email. They then use that to extract money from the business. The challenge for a business owner is that sometimes the criminal will use the invoicing system of the business itself to send a fake invoice to a customer. But the money is then directed straight to the criminal enterprise. The challenge for the business owner is that they still have an outstanding debt that hasn’t actually been paid. The customer, meanwhile, is pointing the finger at the business owner, saying, “I’ve paid it — but you’ve allowed criminals into your system.” That can potentially lead to litigation — and of course, more cost with that litigation.

Kim: Absolutely. And I suppose the moral of the story here is that we shouldn’t underestimate the sophistication of cyber criminals — no matter how big or small your business may be.

Jerry: Absolutely. If they want to extract money, they’ll use every skill and tactic available to do that.

Kim: That’s sobering, Jerry. But we’ve got some good news coming up in our next episode. In Part 3, we’ll help you identify the categories of cyber risk and what you can do to manage them. But thank you again for joining us today, Jerry — and thank you for joining us for Part 2 of the Cyber Risk Series, brought to you by MGA Insurance Group.

Part 3 - Managing Cyber Risk in Your Business

Topic: Steps to protect your organisation

Kim and Jerry explore practical strategies for managing cyber risk. They discuss how strong passwords, multi-factor authentication, regular backups, and staff training can make a major difference. Jerry emphasises that cybersecurity isn’t only about technology — it’s about culture. Every employee plays a role in keeping data secure. The episode reinforces that proactive risk management is the foundation of effective cyber protection.

Cyber Risk Series – Part 3 Transcript
Brought to you by MGA Insurance Group

Kim: Hello everyone, and welcome back to the Cyber Risk Series, proudly brought to you by the MGA Insurance Group. Today we’re going to look at the different categories of risk. I’m joined once again by Jerry Power — with a decade of expertise under your belt, Jerry. What are the types or categories of risk that an organisation and its employees should be considering?

Jerry: Kim, when you talk about risk — particularly cyber risk for business — there are really two main categories. There’s people or employee risk, and there’s system risk.

Kim: So tell us about the people risk.

Jerry: Obviously, there’s that unpredictability of people — we’re all guilty of making mistakes, and sometimes those mistakes can have dire consequences. When we talk about people risk, we’re referring to the weaknesses that stem from people’s actions, behaviours, or lack of awareness or training that could potentially expose the business.

Kim: So the sort of things you’re talking about are phishing and social-engineering attacks — where employees are tricked or deceived into clicking on an email or opening an attachment that deploys ransomware into the business.

Jerry: Exactly. These cyber criminals literally “fish” — they infiltrate, wait for months, and study communication styles and tones to understand how a business interacts. They work on human behaviour and psychology, using that knowledge to make their scams look real and authentic. What they’re trying to do is make something appear completely legitimate — but it’s actually a fake email or even a fake website. For example, they might use a Greek letter “a” instead of an English “a” in a web address — it looks identical, but it’s not.

Kim: That’s mind-blowing. I’ll be the first to admit I’m not particularly good at this — I think I’ll be reviewing my passwords after this conversation!

Jerry: You’re not alone. Passwords are another major quagmire for business. Weak passwords are a constant issue — people often reuse the same password across multiple applications. The same login they use for work might also be used for their personal banking.

Kim: So what’s the difference between, say, an average 8-character password and a 16-character one?

Jerry: It’s quite extraordinary. One of my IT colleagues tells me that if a password is only eight characters long, their team can hack it in about 20 seconds. But a password — or better yet, a passphrase — of 16 characters could take over 20 years to crack. That’s the kind of difference that length and complexity can make.

Kim: Wow — so, we’ve talked about people risk, which is one side of the equation. What’s the other?

Jerry: Another key element of risk for any business is system risk. This refers to the weaknesses or vulnerabilities within the IT systems of a business — whether that’s servers, software, or cloud infrastructure.

Kim: And you’ve said before that too often, business owners and operators fall into the trap of thinking, “It’s okay — my IT group has my back.”

Jerry: Exactly. And that’s not always good enough. Businesses can be laying themselves bare to vulnerability without realising it. It’s a big challenge for SMEs in particular, because they often have absolute faith in their IT provider or the cloud-based systems they use. The reality is, those systems — especially cloud-based ones — can and do get hacked. Having insured the technology sector for professional negligence for over 20 years, I’ve seen providers impose limitations or waivers of liability in their contracts to reduce their own exposure. That means, if one of their clients suffers a cyber attack, the IT provider might not be held responsible for the financial impact.

Kim: Would you say one type of risk is more dangerous than the other?

Jerry: That’s a great question. With the dramatic escalation in the amount of malicious software — viruses, Trojans, and so on — system risk is certainly severe. But people risk remains just as critical, because even the best systems can’t defend against human error. The truth is, businesses need to be mindful of both. Make sure your employees are well trained, that they act as an effective last line of defence, and that your systems are secure and your software is always up to date.

Kim: Absolutely — some great advice there, Jerry. And we’re going to build on that in our next part of the series. Thank you again for joining us for Part 3 of the Cyber Risk Series, brought to you by MGA Insurance Group. In our next part, we’ll be looking at how you can protect yourself and your organisation — so it’s not all doom and gloom. We’ve got some great advice coming your way, so thank you again for joining us.

Part 4 - Prevention and Response

Topic: How to prepare for and respond to an attack

This part examines the importance of early detection, quick action, and clear communication when a cyber incident occurs. Jerry outlines how having an incident response plan and working with cyber specialists can significantly reduce the impact. The conversation highlights the value of staff awareness, noting that most breaches start with human error. The message: a well-prepared team can prevent small issues from becoming major crises.

Cyber Risk Series – Part 4 Transcript
Brought to you by MGA Insurance Group

Kim: Hello again, and welcome back to our Cyber Risk Series, brought to you by MGA Insurance Group. I’m once again joined by cybersecurity expert Jerry Power. Jerry, we’ve talked about the various types of risk, and we’ve talked about some of the businesses that are most at risk in Australia. But how can organisations better protect themselves against cyber fraud and cyber attacks?

Jerry: According to cyber insurance claims managers, there are a number of things that small businesses can do to improve their security posture and reduce the potential for a cyber attack. We’re talking about things like backups — daily backups are critically important, and they substantially reduce the cost of a cyber attack. You’ve got securing data and systems, so update your systems on a regular basis to deal with any known vulnerabilities or weaknesses within systems. Then there’s using multi-factor authentication (MFA or 2MFA) — that can be the difference between having a cyber attack and not having one. Replacing passwords with passphrases or password managers is also key — it’s a more efficient and protected way of storing passwords. Finally, educating your staff — I can’t emphasise this enough. Employees are your last line of defence, so make them an effective one. Train them to spot phishing emails and social engineering attacks — that’s how you protect your business.

Kim: Because I guess when you’re looking at those layers of protection, it’s the unpredictability of people that can be the biggest hurdle.

Jerry: Very much so — and that speaks directly to the human risk. As a business owner, you need to have your employees and your systems defending the business 24 hours a day, 7 days a week, 365 days of the year. A cybercriminal only needs to get lucky once to get into your system.

Kim: How can organisations best protect their bottom line then?

Jerry: Well, we’ve talked about the different types of people risk and system risk — and a combination of both definitely helps the organisation. Having an incident response plan, which is like a playbook outlining how to deal with an attack, is also crucial. If all the controls of the business fail, there should be a cyber insurance policy there to protect the business.

Kim: So, if you had one piece of advice today for small business operators watching this, what would it be?

Jerry: The area for small business that I’m most concerned about is the social engineering risk and the payment of fake invoices. If a business is paying an invoice — validate the invoice. Ring a person within the business from a known contact and a known telephone number. Don’t use the phone number in the email — that could be a fake email that connects you directly to the threat actors or criminals.

Kim: Fantastic advice, Jerry. Thanks so much for once again joining us for our Cyber Risk Series. We’ll be wrapping up the series with our next and final Part 5, which will look at cyber insurance — and why it’s so important in helping you better protect your business. This series is proudly brought to you by MGA Insurance Group. Thank you once again for joining us.

Part 5 - Cyber Insurance Explained

Topic: How insurance supports recovery and resilience

The final episode looks at cyber insurance as an essential layer of protection. Jerry explains how policies can cover expenses like business interruption, ransom demands, data recovery, and regulatory obligations under the Notifiable Data Breaches Scheme. Kim and Jerry also discuss invoice fraud, social engineering scams, and the importance of employee education. The episode concludes that cyber insurance not only helps businesses recover financially but also provides expert support when every second counts.

Cyber Risk Series – Part 5 Transcript
Brought to you by MGA Insurance Group

Kim: Hello everybody, and welcome to the final part in our Cyber Risk Series, brought to you by MGA Insurance Group. Today, we’re going to discuss cyber insurance with expert Jerry Power.

Jerry: Thanks, Kim. Over the past four parts of this series, we’ve talked about what cyber risk is and how we can protect ourselves — but can we actually use cyber insurance as that added layer of protection? Yes — a cyber insurance policy provides a mechanism for small and medium-sized enterprises (SMEs) to deal with the significant costs associated with a cyber attack. It’s a costly business, and there are a lot of hidden costs involved — not just the obvious ransom or financial demand that an organisation might be facing. When you think about the life cycle of a cyber attack, every second counts. A cyber insurance policy is designed to deal with multiple elements of an incident. For example, in a ransomware event, the payment or extortion demand is only the first part of the issue. There will be a demand, typically in cryptocurrency, but after that, you need to extract the malware, rebuild the systems, and comply with regulations like Australia’s Notifiable Data Breaches Scheme. This requires notifying individuals whose personal information has been compromised, reporting to regulators, and responding to investigations — all of which are costly to manage.

Kim: That’s a lot to handle — and those costs must add up quickly.

Jerry: Absolutely. Beyond the technical recovery, you’ve got communication costs, regulatory notifications, and the risk of reputational damage. When you say every second counts, that’s no exaggeration. If a cyber attack is exposed, the business faces enormous costs — including the loss of clients, income, and the additional expense of managing operations during recovery.

Kim: Can insurance actually cover those types of losses?

Jerry: Yes, it can. Cyber insurance can cover loss of business income, increased operating costs, and even situations where people are scammed into paying falsified invoices — which is unfortunately very common. In fact, social engineering and invoice fraud are among the top three attacks occurring in Australia right now. This type of scam involves an individual being tricked into paying a fake invoice, and it’s becoming a huge issue. That’s why educating employees to recognise what a fake email or invoice looks like is critically important. If a payment is made to a fraudulent account, the transaction may circulate between financial institutions for one to three days. If employees act quickly and notify management, there’s a much better chance of recovering the money.

Kim: So, it’s fair to say that businesses — big and small — really can’t afford not to look at insurance when it comes to cyber security and cyber crime?

Jerry: Exactly. The number and severity of ransomware attacks have increased dramatically, and claims have risen by 85–95% in just the last three years. If a business doesn’t have the cash flow to manage the costs of a cyber attack, it could run out of money, which in turn could lead to the company failing — and potentially directors being personally liable for those losses. So yes, every second counts — and I can’t emphasise that enough.

Kim: Jerry, thank you so much for joining us for the Cyber Risk Series, brought to you by MGA Insurance Group. This has definitely been food for thought — extraordinary, terrifying, and equally fascinating. I’d like to think none of you will ever need to rely on this information, but sadly, this is the world we live in today. Thank you, everyone, for joining us — and we’ll see you next time.

Why Choose MGA Insurance Group

At MGA Insurance Group, choosing us means partnering with professionals who understand the technical complexities of cybersecurity and insurance.

We specialise in crafting comprehensive insurance solutions built around the realities of today’s digital landscape. Our team evaluates security protocols, data encryption, and vulnerability exposure to ensure your policy reflects your organisation’s unique risk profile.

Our Advantage

  • Tailored cyber protection for businesses of all sizes
  • Deep understanding of cyber risk and insurer expectations
  • Access to pre-insurance scanning and expert remediation guidance
  • Trusted experience spanning 50 years and 40+ offices nationwide

By choosing MGA, you’re gaining more than an insurance policy — you’re partnering with a team that speaks the language of cybersecurity and is equipped to safeguard your digital assets with precision.

Ready to protect your business? Get your tailored quote today.
