The latest Annual Cyber Threat Report from the Australian Signals Directorate (ASD) confirms what many in the market have been feeling for some time: financial and insurance services are now one of the most attractive targets for cyber attackers in Australia.
In 2024–25, ASD’s Australian Cyber Security Centre (ACSC) received over 84,700 cybercrime reports – about one every six minutes. The average self-reported loss per business incident jumped to $80,850, a 50% increase in a single year. For small firms the average hit was $56,600; for medium enterprises, $97,200; and for large organisations, $202,700. (Source: cyber.gov.au)
Figure 1: Cyber security incidents responded to by month
For an industry built on managing risk, these are not abstract numbers. They describe a structural shift in exposure for insurers, brokers and their customers.
Financial and Insurance Services: The Top Non-Government Target
ASD’s data shows that when Australian organisations report cyber incidents, financial and insurance services now account for around 7% of all cases – the highest share of any non-government sector. (Source: cyber.gov.au)
Only the federal and state/local public sectors generate more incident reports. In other words, insurers now sit alongside government as front-line targets.
Two data points stand out:
- DDoS pressure on finance and insurance
Financial and insurance services are not only frequent reporters overall; they also feature heavily in denial-of-service (DoS/DDoS) incidents. ASD responded to more than 200 DoS/DDoS events in 2024–25, an increase of over 280% year-on-year, with financial and insurance entities among the top five targeted sectors.
- Critical infrastructure classification
Thirteen per cent of all incidents ASD handled involved critical infrastructure. Within this group, financial and insurance services accounted for nearly one-third of cases – more than any other industry. (Source: cyber.gov.au)
Figure 2: Cyber security incidents by severity category for FY2024–25 (total 1,253)
For boards and executives, this is the crux: insurers aren’t just another commercial target; they’re treated as critical to national economic stability. That raises the stakes for operational resilience, regulatory expectations and incident response capability.
How Attackers Are Actually Getting In
The stereotype of a cyber attack as “a virus in an email” is now badly out of date.
ASD highlights a continuing “campaign of credential theft”, with criminals buying stolen usernames and passwords on the dark web and using them to access email, social media and financial accounts. Identity fraud remains the top-reported cybercrime type nationally.
Figure 3: Example of an info stealer ecosystem and possible impact on an organisation
CrowdStrike’s 2025 Global Threat Report paints a similar picture globally:
- 79% of detections in 2024 were “malware-free”, meaning attackers used legitimate tools, stolen credentials and hands-on-keyboard activity rather than obvious malicious code.
- Average breakout time – how long it takes an intruder to start moving laterally once inside – fell to 48 minutes, with the fastest case just 51 seconds.
- Voice-based social engineering (vishing) campaigns surged, with a 442% increase between the first and second half of 2024.
For insurers, three themes matter most:
- Credential-driven attacks
Compromised usernames and passwords are now a primary doorway, especially into cloud platforms and SaaS systems. CrowdStrike observed that valid account abuse accounted for 35% of cloud incidents.
- Operational disruption over pure data theft
DDoS attacks against financial services are rising sharply, used to knock portals, broker platforms or policyholder services offline – sometimes as standalone disruption, sometimes paired with extortion.
- AI-assisted social engineering
Both ASD and CrowdStrike note that adversaries are already using generative AI to scale phishing, deepfake voice and video, and fake identities – for example, bogus IT support calls and counterfeit job candidates that gain internal access.
The direction is clear: attackers are behaving like professional enterprises, moving fast, reusing playbooks that work, and focusing on identity and availability rather than just dropping ransomware and hoping for the best.
Figure 4: Prevalence of top 10 MITRE ATT&CK techniques in FY2024–25
ASD’s Message to Boards: Assume Compromise
ASD’s executive summary is blunt: businesses should “operate with a mindset of ‘assume compromise’” and identify the “crown jewels” that must be protected first. (Source: cyber.gov.au)
To get there, ASD recommends four “big moves” for organisations:
- Implement best-practice logging – so you can actually see what’s happening in your environment and investigate quickly.
- Replace legacy IT – older systems increase the likelihood of downtime, data loss and costly recovery efforts.
- Manage third-party risk – suppliers, outsourcers and software vendors are now common entry points for attackers.
- Prepare for post-quantum cryptography – transition planning for a post-quantum world needs to start well before 2030.
ASD also stresses the basics: strong multi-factor authentication, unique passwords or passphrases, timely patching, phishing awareness and regular backups. These alone could prevent the majority of incidents reported to the agency. (Source: cyber.gov.au)
What This Means for Insurers, Brokers and MGAs
1. Your own operations are part of Australia’s critical infrastructure
Given the sector’s prominence in both incident statistics and critical infrastructure reporting, insurers can expect continued attention from regulators, customers and government on cyber resilience. (Source: cyber.gov.au)
That means:
- Demonstrable control over access to policy, claims and payment systems
- Robust logging and monitoring across core platforms
- Clear, rehearsed incident response playbooks that include brokers, coverholders and technology partners
Figure 5: Breakdown of cybercrime reports by jurisdiction for FY2024–25
2. Your customers’ risk profile is changing
With the average business incident now costing $80,850 – and considerably more for medium and large enterprises – cyber loss is a board-level financial exposure, not just an IT problem.
For cyber and professional lines underwriters, this fuels:
- Higher claim severity as extortion, business interruption and incident response costs rise
- More frequent incidents driven by credential theft, DDoS, and supply-chain compromises
- Increased scrutiny from reinsurers on aggregation risk and systemic events
Pricing, coverage wording and risk selection will need to reflect that attacks are faster, more targeted and more identity-driven than even a few years ago.
3. Distribution and service models are in the firing line
Brokers and MGAs increasingly rely on digital portals, embedded insurance and real-time data flows. These same channels are attractive targets for attackers seeking:
- Credentials that unlock multiple client accounts
- Access to rich personal and commercial data repositories
- A way to disrupt business at scale by taking a central platform offline
Resilience of these shared platforms becomes a core part of the client value proposition, not just a back-office concern.
How Platforms Like InsuredHQ Fit Into This Picture
InsuredHQ operates in the middle of these shifts – as a technology provider to insurers, brokers and MGAs, and as a custodian of sensitive policyholder and financial data.
Without turning this into a product pitch, there are a few concrete ways platforms like InsuredHQ can and should support the response ASD is calling for:
- Better logging by design
Modern policy and claims platforms can provide detailed audit trails, API-level logs and integration points for SIEM and MDR providers. That directly supports ASD’s first “big move” of best-practice logging and faster investigations.
- Centralised, identity-aware access control
Fine-grained roles, strong MFA and modern identity integrations (such as SSO) reduce the attack surface created by shared logins and legacy user management – particularly important in broker networks and delegated authority models.
- Reducing reliance on legacy systems
Moving core workflows onto a modern, cloud-native platform allows insurers to retire high-risk legacy applications more quickly, aligning with ASD’s push to phase out outdated technology.
- Operational visibility during an incident
When something does go wrong, the ability to quickly identify which policies, customers, brokers and transactions are affected can materially reduce downtime, claims leakage and regulatory exposure.
InsuredHQ’s role is not to replace an organisation’s cyber security stack, but to provide a secure, well-instrumented backbone for revenue-critical insurance operations – one that supports, rather than undermines, the controls your security and risk teams are trying to enforce.
The Takeaway
ASD’s latest report and global threat intelligence tell the same story:
- Attacks are faster, more targeted and more reliant on stolen identities.
- Financial and insurance services are now prime targets, including as part of Australia’s critical infrastructure.
- The cost per incident – both financial and reputational – is climbing sharply.
For insurers and intermediaries, cyber risk is now inseparable from business risk. The immediate priority is not simply “buy more security tools”, but to:
- Treat your core insurance systems as critical infrastructure.
- Align your technology platforms with ASD’s four big moves.
- Use your position in the market – and platforms like InsuredHQ – to drive better cyber hygiene across your own organisation and your customer base.
Ignoring this isn’t just a technology decision anymore. It’s a strategic one.