Uninsured Exposures Exposed: ML, PI & Cyber for Brokers

March 11, 2026 | 2:30 PM AEDT | Past event

As ASIC ramps up multimillion-dollar penalties for cyber lapses, Australian firms grapple with surging uninsured risks in management liability, professional indemnity, and cyber areas amid record data breaches.

Key takeaways

  • ASIC's 2025 enforcement actions, including a $5.8 million fine against Australian Clinical Labs, underscore the severe financial repercussions of inadequate cyber protections.
  • Emerging AI risks are creating silent coverage gaps in traditional policies, potentially exposing businesses to unpriced liabilities without explicit endorsements.
  • Softening insurance markets in 2026 offer premium reductions of 10-25% for firms with strong risk profiles, but sectors hit by insolvency or regulatory scrutiny face tighter terms and higher costs.

Exposed Liabilities Surge

Australian regulators have intensified scrutiny on cyber resilience, with the Australian Securities and Investments Commission (ASIC) prioritizing enforcement against financial services licensees failing to maintain adequate protections. In 2025, ASIC initiated proceedings against firms like Fortnum Private Wealth and FIIG Securities for breaches under the Corporations Act, alleging insufficient risk management systems. This follows the first judicial penalty under the Privacy Act, where Australian Clinical Labs paid $5.8 million for exposing client data over 12 months due to systemic failures.

The landscape is complicated by new legislation. A statutory tort for serious privacy invasions took effect in June 2025, alongside enhanced powers for the Office of the Australian Information Commissioner to address doxing and data mishandling. Cyber incidents in Australia rose sharply, with 78% of surveyed firms in the region experiencing ransomware attacks in the past year, according to CrowdStrike data. These developments affect SMEs particularly, where contract clauses increasingly mandate cyber coverage, turning it from optional to essential for client relationships.

Management liability (ML) and professional indemnity (PI) policies are evolving amid these pressures. Insurers are softening terms, with ML premiums dropping 10-25% for well-governed entities, but underwriting tightens for high-risk sectors like those prone to employment disputes or insolvencies. PI faces challenges from scope creep in tech contracts and third-party vulnerabilities, where unaligned coverage can lead to denied claims. Meanwhile, AI integration poses non-obvious tensions: while some policies offer affirmative AI endorsements, others risk silent exclusions, leaving firms exposed to errors in AI-driven decisions or content.

Stakeholders clash over these shifts. Insurers push for robust controls to justify lower premiums, while businesses in volatile sectors argue stricter terms exacerbate protection gaps. Brokers, central to advising on these exposures, risk their own liability if documentation falls short under heightened ASIC oversight. Concrete costs mount: average cyber claims reach £40,000 with 300-day lifecycles, per UK figures used as an analog for Australia, underscoring business interruption as the dominant harm. Inaction runs into deadlines such as the impending 2026 privacy reforms, which could trigger waves of class actions and governance overhauls.
