Changes span incident limits, non‑IT interruption, and financial loss
Emergence Insurance has released an updated wording of its Cyber Event Protection (CEP) policy, CEP-005.1, for small and medium-sized enterprises (SMEs) in Australia, as cyber threats remain a leading operational risk for local organisations. The revision comes as insurers, brokers, and corporate risk managers continue to adjust cyber programs in response to incident trends, regulatory reporting, and survey data showing that cyberattacks and data breaches sit at the top of corporate risk rankings.
CEP-005.1 details changes to limits and optional cover
CEP-005.1 is an updated version of Emergence’s CEP policy for SMEs, with amendments centred on limits and several optional coverage elements. According to Emergence, key changes include:
- Introduction of any one incident limits
- Full-limit cover for system failure
- Full-limit non‑IT contingent business interruption under optional cover
- An expanded Optional Criminal Financial Loss section that now includes theft of physical goods
Emergence chief underwriting officer Jeff Gonlin said the insurer is seeking to keep its cyber wording aligned with experience from claims and broker feedback. “Cyber risk doesn’t stand still, so our policy wording can’t either. CEP-005.1 reflects broker feedback and real-world claims experience, while giving insureds stronger protection and practical support to help them become better risks,” Gonlin said. The broker portal has been updated with the CEP-005.1 wording, and intermediaries can now quote and bind eligible risks under the revised terms.
Advisory and incident response services continue with CEP
In addition to the changes to coverage, Emergence continues to include a range of cyber risk management services with its CEP policy, provided without extra charge to policyholders. These services are optional and are described in a letter issued with each policy, outlining what is available and how it can be accessed. The services include cyber security guidance, a one‑hour consultation to discuss an organisation’s cyber posture, scanning of internet-facing infrastructure to identify vulnerabilities, and dark web scanning to check whether data may be exposed. Emergence also provides advice after a claim on steps that insureds can take in relation to their IT environments.
Policyholders retain access to a virtual chief information security officer (vCISO), threat intelligence, and dark web monitoring. These services are now delivered directly by Emergence after the insurer expanded its internal cyber advisory team. If an insured discovers or reasonably suspects a cyber event during the policy period and notifies Emergence, the insurer’s Incident Response (IR) team will investigate and coordinate the response. According to Emergence, services provided solely by the IR team sit outside cyber event response costs, do not reduce the limit for any one incident, and are not subject to an excess.
Survey data from 2025 shows cyber as top-ranked risk
The CEP-005.1 update is being introduced against the backdrop of survey findings released in 2025 that show the significance of cyber risk for Australian organisations. Aon plc’s 2025 Global Risk Management Survey – which drew responses from nearly 3,000 risk managers, executives, and C‑suite leaders across 63 countries, including Australia and New Zealand – found that “Cyber Attacks and Data Breaches” ranked as the number one business risk for Australian respondents. The result was consistent with the global rankings, where cyber risk also held the top position.
Aon reported that 93% of Australian respondents had structured review processes in place to manage cyber exposures, one of the highest rates among the territories covered. The findings indicated that many organisations are treating cyber as an enterprise risk requiring formal oversight rather than confining it to technology functions. “Cyber threats are no longer confined to data breaches — they have evolved into systemic business risks that can disrupt operations, supply chains, and reputations. Quantifying cyber exposure through analytics gives organisations the visibility to prioritise investments, reduce loss potential, and strengthen resilience at an enterprise level,” Adam Peckman, global head of cyber risk consulting and head of Cyber Solutions for APAC at Aon, said at the time of the survey’s release.
OAIC figures highlight breach patterns, human error, and third-party exposures
Regulatory reporting from the Office of the Australian Information Commissioner (OAIC) provides additional context for cyber underwriting and risk management decisions. In its Notifiable Data Breaches (NDB) report for the January–June 2025 period, the OAIC recorded 532 data breach notifications, a 10% decrease compared with the previous six months, when notifications reached a record level. The OAIC noted that, since the NDB scheme began, more notifications have typically been received in the second half of each calendar year, indicating a recurring pattern.
Malicious or criminal attacks remained the largest source of notifications, accounting for 59% of reported breaches (308 notifications). Cyber security incidents were the predominant type of event within this category, with an average of just over 10,000 individuals affected per cyber incident during the period. IBM estimated that in 2024 the average cost of a data breach to business was $4.26 million. The health sector accounted for the highest share of notifications (18%), followed by the finance sector (14%) and Australian government agencies (13%).
The OAIC also reported a rise in data breaches attributed to human error. In the first half of 2025, human error accounted for 37% of notifications (193 incidents), up from 29% in the previous reporting period. The regulator observed that human actions and process weaknesses continue to affect the security of personal information, even where technical systems are in place. For brokers, underwriters, and risk managers in the Australian insurance market, this combination of survey data, regulatory reporting, and product changes such as CEP-005.1 is informing how cyber cover, incident response arrangements, and advisory services are structured in response to the current profile of cyber and data privacy exposures.
Related Stories
