Australian Cyber Insurance Market Q1 2026: A Snapshot


The Australian cyber insurance market has moved through several distinct phases over the past five years: an early period of broad coverage and competitive pricing; the hardening of 2021-22 after loss ratios deteriorated; and the recalibration of 2023-24 as underwriters became more sophisticated about which risks to take and on what terms. By Q1 2026 the market has reached a more stable footing, but the conditions look different from a year ago.

This is a snapshot of where the market sits, drawn from conversations with brokers, in-house risk leaders, and the underwriting side.

Premiums have stabilised but stayed elevated

The headline pressure on premiums that defined the 2022-23 renewals has eased. Q1 2026 renewals are coming in flat to modestly up for organisations that have invested in cyber maturity, and more sharply up for organisations that haven’t. The double-digit annual increases that became normal during the hardening period are largely behind us.

Premiums are not back to where they were before the hardening. The level remains substantially above pre-2021 baselines. Most underwriters consider this the new normal — the previous premium levels reflected an underestimation of cyber risk that the market has now corrected.

The spread in pricing between otherwise comparable organisations has widened. Organisations that have demonstrably invested in security maturity are getting differentiated pricing. Organisations that haven’t are paying significant loadings or finding coverage harder to access.

Coverage scope is the live conversation

What’s shifted is the scope conversation. The negotiation in Q1 2026 is less about the headline premium and more about what the policy actually covers.

Sub-limits on specific causes of loss are tighter than they were three years ago. Ransomware coverage in particular has been carved up, with separate sub-limits for the ransom payment, the response costs, the forensic investigation, the legal costs, and the operational disruption. The organisation looking at the policy has to read the breakdown carefully, because the headline coverage limit can mask important constraints: a policy with a large aggregate limit may still cap the ransom payment or business interruption component at a fraction of that figure.

Business interruption coverage has tightened. Insurers want clear quantification of the BI exposure and clear documentation of how the organisation would actually demonstrate a loss. Several recent claims have been disputed on the basis that the organisation couldn’t prove the financial impact of the cyber incident with the specificity the policy required.

Critical infrastructure exclusions are becoming more common in policies for organisations that operate or interact with critical infrastructure as defined under Australian regulations. The exclusion language varies but the direction of travel is clear — insurers are not interested in carrying critical infrastructure tail risk through generic cyber policies.

Privacy and regulatory cost coverage has become better defined. The cost of regulatory investigations, the cost of mandatory notification, and the cost of class action defence are now itemised more precisely than they were. This is good for everyone — clearer allocation of which costs the policy will respond to.

What underwriters want to see

The underwriting submission for cyber renewals in Q1 2026 has standardised around a set of expectations.

Identity controls. Multi-factor authentication on all administrative accounts is now table stakes. MFA on user accounts is increasingly expected. Privileged access management for the highest-risk accounts is a differentiator on pricing.

Endpoint detection and response. EDR deployed across the estate with credible operations behind it has become standard. Underwriters increasingly want to see not just the deployment but the response capability that uses it.

Backup posture. Immutable backups, tested recovery, and offline copies have become explicit underwriting questions. Organisations that can demonstrate tested, working ransomware recovery are getting better terms.

Email security. Phishing remains the dominant initial access vector and underwriters want to see meaningful email security tooling and ongoing user training.

Vendor and supply chain risk management. The supply chain attacks of the past few years have moved this from an afterthought to a front-of-pack question. Underwriters want to know how the organisation manages third-party risk.

Incident response capability. Whether retained externally or built internally, the organisation needs a credible IR capability with a tested plan.

The organisations that demonstrate maturity across all of these areas are getting markedly better outcomes than organisations that don’t. The variance has stayed wide.

The claims experience driving the conditions

The reason the conditions are where they are is the claims experience the market has accumulated. Several recurring claim types have shaped the underwriting posture.

Ransomware claims have stabilised in frequency but the per-incident costs have continued to climb. The combination of ransom demands, business interruption losses, and regulatory and legal costs has produced large total claim amounts even where the ransom itself was relatively modest.

Business email compromise claims continue to be common and significant. The dollar amounts on individual incidents are typically smaller than ransomware but the cumulative impact on insurer loss ratios has been meaningful.

Privacy and notification claims have grown in significance as the regulatory environment has tightened. The cost of mandatory notification programs after a privacy incident has been higher than many organisations expected, and the insurance response has been variable.

Supply chain incidents — where the organisation suffered loss because of a security failure at a vendor — are an area underwriters are watching closely. The allocation of liability and coverage between the affected organisation, the vendor, and their respective insurers is contested.

What organisations are doing differently

The organisations getting good outcomes from the Q1 2026 cyber insurance market are doing a few specific things.

They’re submitting renewals early and in full. The well-prepared submission with complete documentation gets better engagement than the late, partial submission.

They’re working with brokers who specialise in cyber. The general commercial brokers don’t have the depth in this market. The specialists do.

They’re being honest about the actual security posture. Submissions that overstate maturity tend to get caught out either at renewal time or, more painfully, at claim time.

They’re looking at structured solutions where the headline market is unfavourable. Self-insured retentions, captives, and parametric supplements are being used more creatively.

They’re treating the renewal as part of an ongoing security program rather than as an annual event. The organisations that have continuous improvement programs in security are the ones that get better terms over time.

The mid-year outlook

The expectation across the brokers and underwriters I’ve talked to is that the back half of 2026 will look broadly like the first half. No major hardening event is expected unless a significant incident shifts the loss landscape. No significant softening is expected either — the underwriting community considers current pricing rational.

The structural pressure on smaller organisations remains. The cyber maturity bar that gets you reasonable insurance terms is high enough that organisations without dedicated security capability struggle to clear it. The market for these organisations exists but on tighter terms.

For risk leaders planning the next renewal, the practical advice is to start the conversation with your broker now, not in the month before renewal. The organisations that turn up early with clear documentation are getting outcomes that materially differ from the organisations that don’t.