Regulatory pressures and a heightened risk profile are prompting insurers to impose stricter cyber insurance requirements on businesses in Australia and New Zealand, Arctic Wolf’s 2025 Cyber Insurance Report shows.
Companies in these markets must meet a minimum of six security controls to qualify for coverage, compared with a global average of five.
The report is based on research involving 400 professionals from cyber insurance broker and carrier companies worldwide. Findings indicate that organisations in Australia and New Zealand are 9% more likely to experience a significant cyber attack than the global average. This has led insurers to raise eligibility criteria to manage potential risks.
Globally, 72% of respondents expect cyber insurance premiums to increase over the next year. The report attributes this to the evolving threat environment, including the adoption of artificial intelligence (AI) systems, large language models (LLMs), and growing data privacy concerns, which are contributing to more sophisticated attacks.
Coverage requirements in the region
Email security and identity and access management are the most commonly required solutions for eligibility in Australia and New Zealand, at 87% and 84% respectively. These figures exceed the global averages of 66% for email security and 53% for identity and access management.
The report also notes that advanced protections, such as 24/7 security operations centres and managed detection and response services, are regarded by respondents as the most impactful measures for improving security postures.
Incident and claims trends
Ransomware was the most frequent type of incident leading to claims globally in the past 12 months, with 18% of insurance professionals reporting that clients were affected. Other common causes include data breaches, theft of funds and phishing.
AI is cited as one of the factors contributing to the changing nature of cyber threats, with increased adoption of AI and LLMs adding to the complexity of attacks.
Only 12% of policyholders globally submitted claims in the past year. Of these, a quarter were rejected due to policy gaps, indicating that some exclusions are not identified by businesses until after an incident.
Steve Hunter, director of engineering, ANZ at Arctic Wolf, stated that six security controls have become the minimum requirement for coverage in Australia and New Zealand, influenced by recent high-profile incidents and regulatory actions.
“High-profile attacks and the heightened risk of regulatory action, as seen in the Optus case, are raising the stakes for insurers and forcing local organisations to prioritise security operations as a critical business function,” said Hunter. “Insurance is no longer a financial safety net – it's a test of cyber readiness and business resilience."
