ASIO boss makes urgent warning

Australia’s top spy has delivered one of the starkest warnings yet about foreign hackers circling the nation’s infrastructure – and for insurance brokers it lands like a flashing red light over clients’ cyber cover.
Addressing a business audience in Melbourne, ASIO director-general Mike Burgess said foreign governments now have “elite teams” testing ways to disrupt essential services, from power and water to telecommunications and the financial system. The scenarios he outlined – and the real-world breaches he described – go well beyond the sort of data-theft incidents many companies still imagine when they hear the phrase “cyber attack”.
For brokers, the message is clear: if clients are still treating cyber insurance as a discretionary extra, they are badly out of step with the risk environment the security agencies are describing.
“They are more likely to pull the trigger”
Burgess told the Australian Securities and Investments Commission’s forum that authoritarian regimes “are growing more willing to disrupt or destroy critical infrastructure”, and that Australia has crossed a line.
“I have previously said we’re getting closer to the threshold for high-impact sabotage,” he said. “Well, I regret to inform you — we’re there now.”
He pointed to recent outages in telecommunications networks – one of which is believed to have contributed to several deaths – as a modest taste of what a state-backed operation could achieve at scale.
“That’s one phone network not working for less than one day,” he said. “Imagine the implications if a nation state took down all the networks? Or turned off the power during a heatwave? Or polluted our drinking water? Or crippled our financial system?”
Burgess stressed these scenarios “are not hypotheticals – foreign governments have elite teams investigating these possibilities right now.”
He warned: “We expect sabotage, particularly cyber-enabled sabotage, to pose an increasing threat in the next five years – both in terms of adversary capability and adversary intent.”
For insurers, that language – “high-impact sabotage”, “increasing threat”, “next five years” – is precisely the sort of horizon that should be feeding into discussions about limits, exclusions and accumulation. For brokers, it underlines how important it is to move cyber risk from the “nice to have” column into the core of the protection conversation.
Salt Typhoon, Volt Typhoon and the long game
The ASIO chief singled out two hacking units – Salt Typhoon and Volt Typhoon – which he said are “hackers working for Chinese Government intelligence and their military”.
Of the first, he said: “Salt Typhoon’s intent was espionage – they penetrated the United States’ telecommunications system to gain access to the nation’s communications through a strategic spying operation.”
Volt Typhoon’s focus, by contrast, was disruption. “The hackers compromised American critical infrastructure networks to pre-position for potential sabotage. The penetrations gave China the ability to turn off telecommunications and other critical infrastructure.”
Burgess said “we have seen Chinese hackers probing our critical infrastructure as well,” and warned that once networks were accessed, “what happens next is a matter of intent not capability.”
“I do not think we – and I mean all of us – truly appreciate how disruptive, how devastating, this could be,” he said.
From an underwriting perspective, the key phrase is “pre-position for potential sabotage”. A company’s systems might look healthy today, yet already be harbouring hidden access points that can be used in an attack months or years later. That sort of latent risk is extremely hard for clients to price or self-insure – and exactly where a well-structured cyber policy, coupled with strong security controls, can make a difference when something finally goes wrong.
Espionage, IP theft and real balance-sheet damage
The ASIO director-general did not confine his remarks to pipes and cables. He detailed recent cases in which “nation-state hackers” targeted Australian corporates directly.
In one instance, he said, “nation-state hackers compromised the computer network of a major Australian exporter and made off with commercially sensitive information. The theft gave the foreign country a significant advantage in subsequent contract negotiations.”
“In another case, they stole the blueprints of an Australian innovation and mass-produced cheap knock-offs that nearly bankrupted the innovator.”
He added a more old-fashioned twist: “A visiting academic with links to a foreign government broke into a restricted technology laboratory and filmed its contents.”
The Australian Institute of Criminology has estimated that espionage cost the economy $12.5 billion in 2023-24, including $2 billion in lost trade secrets and stolen intellectual property. Burgess said foreign intelligence agencies “are aggressively targeting private sector projects, negotiations and investments that might give foreign companies a commercial advantage.”
For brokers working with manufacturers, exporters, technology firms or professional services, those examples should feel uncomfortably close to home. This is not about the cost of resetting passwords after a phishing attack; it is about stolen designs, crippled negotiations and existential threats to a business model.
Policy wordings that only pick up narrow data-breach response costs are unlikely to be sufficient in a world where sabotage and espionage can knock out production or sink a multi-billion-dollar contract.
“The loss of availability can be devastating”
Burgess emphasised that the biggest danger is not always stolen data but disruption itself.
“The loss of availability in any part of our critical infrastructure can be devastating,” he said. “That’s one phone network not working for less than one day.”
He said modelling for ASIO’s Cost of Espionage report put the price tag for “cyber-enabled sabotage of critical infrastructure” at $1.1 billion per incident, rising to $6 billion for an economy-wide disruption lasting a week.
For many insureds, especially in supply chains linked to energy, logistics, healthcare, finance or telecommunications, the line between “critical infrastructure” and ordinary commercial operations is increasingly blurred. A hospital may rely on a small software vendor for clinical systems; a regional water provider may depend on a specialist engineering contractor; a bank may outsource key technology functions to third parties.
Brokers are in a strong position to map those dependencies with clients and make sure business interruption and contingent BI cover in cyber policies actually reflects the web of exposures ASIO is talking about.
Boards “cannot be clearer” on responsibility
Burgess was explicit that businesses cannot treat these risks as someone else’s problem.
“I cannot be clearer, if the risks are foreseeable and the vulnerabilities are knowable, there is no excuse for not taking all reasonable steps,” he said. “Complexity is not an excuse; it must be dealt with.”
He criticised boards that are “surprised when they are faced with an outage or compromise”, noting that “almost every security incident involves a known problem with a known fix and/or a manager who is shocked but not surprised.”
“Boards need to be curious and discerning about the information provided to them,” he said. “You can’t PowerPoint your way out of this risk. Don’t let management do that to you.”
For brokers, this is an opening as much as a warning. Cyber insurance conversations can be framed not as a niche product pitch, but as part of the board’s duty to manage “foreseeable” risks and protect their stakeholders. A policy that includes incident response, forensics, legal support, notification costs, ransom negotiation and extended business interruption is a concrete way to demonstrate that “reasonable steps” have been taken.
Why brokers need to move cyber up the agenda
ASIO’s assessment is that threats will be “dynamic, diverse and degraded” – dynamic because “Australia has never faced so many threats… at scale… at once”; diverse because “foreign spies are increasingly using criminal cut-outs to do their dirty work”; and degraded because adversaries are “more willing to engage in what we call ‘high harm’ activities.”
Rapid advances in artificial intelligence, and a thriving online market for hacking tools, mean even smaller organisations can find themselves in the crosshairs, whether as direct targets or stepping stones into bigger prey.
Against that backdrop, cyber insurance is no longer just a bolt-on for large corporates. Small and mid-sized clients, professional practices, regional utilities, health providers, educational institutions and critical-infrastructure suppliers all face a combination of regulatory, operational and balance-sheet risks that standard property and liability policies will not fully address.
Brokers who help clients confront that reality – and who push for policy structures that match the severity of the threat described by Burgess – are likely to be seen as trusted risk advisers rather than product sellers.
State-backed hackers will not wait for boards to catch up. The security agencies are making it plain that the danger is already inside some networks and that the question is when, not whether, intent shifts from espionage to sabotage. For the insurance market, and the brokers who sit between underwriters and insureds, the task now is to make sure that when that moment comes, clients are not facing it uninsured.




