Australia’s cyber insurance market is confronting a dangerous mismatch between coverage and risk as INTERPOL’s 2025/2026 Asia and South Pacific cyber threat assessment, released in early 2026, catalogues an alarming expansion of ransomware, distributed denial-of-service (DDoS), and infostealer campaigns. The report makes clear that the rapid professionalisation of regional cybercrime networks has left many businesses, particularly those reliant on Windows infrastructure, struggling to secure adequate financial protection.
The assessment, compiled from law enforcement intelligence, incident response data, and threat intelligence feeds across 27 countries, states bluntly that “the gap between insured losses and uninsured residual risk is widening faster than insurers can recalibrate their models.” For Australian organisations, the implication is stark: current cyber insurance premiums may be failing to keep pace with the true cost of a major breach.
The INTERPOL 2025/2026 Report: A Regional Wake‑Up Call
The 2025/2026 report is the fourth edition of INTERPOL’s biennial Asia and South Pacific cyber threat landscape analysis. It draws on contributions from the Australian Federal Police, CERT Australia, the New Zealand National Cyber Security Centre, and numerous private-sector partners. Unlike previous editions, this report introduces a dedicated section on the insurability of cyber risk, acknowledging that systemic threats like supply‑chain compromises and cloud‑platform attacks can trigger cascading losses that outstrip traditional actuarial calculations.
The report’s headline figures are sobering. Ransomware incidents in the region rose by 47 percent compared with the 2023‑2024 period, while the average ransom demand in Australia climbed to AUD 2.2 million. DDoS attacks, especially those leveraging reflection‑amplification techniques against Windows Remote Desktop Services and IIS servers, increased by 63 percent year‑on‑year. Infostealer infections, which siphon credentials, session tokens, and financial data from Windows endpoints, now account for one in every three malware incidents detected in the region.
Ransomware: The Dominant Threat
Ransomware remains the most financially damaging threat for Australian policyholders. The INTERPOL report identifies three dominant ransomware-as‑a‑service (RaaS) families—codenamed TempestSpider, VoidCrypt, and PhoenixLock—that have modernised their operations with double‑extortion, intermittent encryption, and hypervisor‑layer targeting. All three families are optimised for Windows environments, abusing legitimate tools like PowerShell, PsExec, and Windows Management Instrumentation (WMI) to move laterally without detection.
A key development is the adoption of “bring your own vulnerable driver” (BYOVD) techniques, where attackers load a signed but exploitable driver to terminate endpoint detection and response (EDR) processes. This method effectively blinds Windows Defender for Endpoint and many third‑party security tools, allowing ransomware to encrypt network shares, Active Directory domain controllers, and Azure‑connected file stores unimpeded. The report notes that 72 percent of successful ransomware intrusions in Australia began with an unpatched Windows vulnerability—most commonly CVE‑2024‑38077, a critical remote code execution flaw in Windows Remote Desktop Licensing Service, and CVE‑2025-21333, a privilege‑escalation bug in the Windows Kernel.
For insurers, the challenge is that ransomware losses are no longer confined to simple business interruption and data restoration. Extortionists now leak sensitive data on dedicated Tor‑based portals, triggering regulatory investigations and class‑action lawsuits under the Privacy Act 1988 (Cth). Insurers face mounting claims for notification costs, forensic investigation, legal fees, and even ransom reimbursement when policies include extortion coverage.
DDoS Attacks: Disruption as a Service
The INTERPOL report singles out DDoS attacks as a growing vector for extortion and competitive sabotage. Over the past 18 months, Australian financial services, online gaming, and government portals have been hit by sustained terabit‑per‑second attacks that exploit misconfigured Windows servers running IIS, Microsoft SQL Server, and Remote Desktop Gateway.
Attackers increasingly combine volumetric floods with application‑layer attacks that target specific Windows services. For example, a single malformed HTTP/2 request can exhaust CPU resources on an unpatched Windows Server 2022 machine, while a slow‑loris variant can keep thousands of TCP connections open on port 3389, rendering Remote Desktop Services unusable. The report documents a 90‑fold increase in DDoS‑for‑hire services advertised on Telegram and Discord, with some offering “Windows‑specific” attack scripts for as little as AUD 15.
The insurance implications are direct. Even short‑lived DDoS attacks can violate service‑level agreements, causing contractual penalties and reputational damage. Standard cyber insurance policies often sub‑limit DDoS‑related business interruption losses, leaving policyholders to shoulder significant costs themselves. INTERPOL warns that many Australian businesses are unaware of these sub‑limits and operate under the false assumption that their policy covers all denial‑of‑service incidents.
Infostealers: Silent Data Exfiltration
Where ransomware and DDoS are noisy, infostealers operate in the shadows. The INTERPOL report highlights a 112 percent surge in infostealer infections across the South Pacific, with Australia, Singapore, and Malaysia being the worst‑hit. Infostealers like RedLine, Vidar, and the newly emerged TwilightGrab target Windows 10 and Windows 11 endpoints via malicious downloads, phishing emails, and fake software updates.
Once executed, these trojans harvest credentials stored in browsers, FTP clients, VPN applications, and Windows Credential Manager. They also capture session cookies, enabling attackers to bypass multi‑factor authentication entirely. The report describes a disturbing trend where infostealer logs are traded on darknet marketplaces for as little as AUD 10, giving threat actors a ready‑made blueprint for further network compromise.
For insurers, infostealer incidents are difficult to price because the damage is often intangible. Stolen credentials may be used months later for a ransomware attack or data breach, making it almost impossible to attribute the loss to a single incident. This latency risk forces underwriters to apply broad exclusions or require rigorous endpoint protection that many small and medium enterprises (SMEs) cannot afford.
Impact on Australia’s Cyber Insurance Landscape
The INTERPOL report dovetails with data from the Australian Prudential Regulation Authority (APRA) and the Insurance Council of Australia, which show that gross written cyber premiums in Australia exceeded AUD 1.1 billion in 2025, yet the aggregate claims ratio broke 100 percent for the second consecutive year. In other words, for every dollar collected in premiums, insurers paid out more than a dollar in claims and expenses.
This unsustainable dynamic has prompted several Lloyd’s syndicates and local carriers to tighten their policy wordings. Capacity for SMEs with turnover below AUD 10 million has contracted sharply, and many policies now exclude losses arising from unpatched Windows vulnerabilities unless the insured can prove they applied critical patches within 30 days of release. The report argues that this “warranty gap” is creating a two‑tier market: large enterprises with dedicated security teams can negotiate tailored coverage, while smaller firms are left with minimal or no protection.
Why the Protection Gap Exists
INTERPOL identifies three structural reasons why Australia’s cyber insurance gap persists.
First, the velocity of threat evolution outstrips underwriting cycles. Insurers typically reassess risk appetite annually, yet ransomware gangs and DDoS operators change tactics every few weeks. By the time a new exclusion is drafted, attackers have already pivoted to a different Windows exploit or delivery mechanism.
Second, the interdependence of Windows ecosystems amplifies systemic risk. A single vulnerability in Windows Server Active Directory, when exploited on a single privileged workstation, can compromise an entire domain. Such “correlated failures” are difficult to model because they depend on the insured’s network architecture, patch hygiene, and even the specific Windows Feature Experience Pack version—details that most application forms do not capture.
Third, the lack of standardised incident reporting hampers actuarial analysis. While the Security of Critical Infrastructure Act 2018 mandates breach notification for certain sectors, many ransomware payments and DDoS extortion settlements go unreported. Without a comprehensive loss database, insurers are effectively pricing in the dark.
Recommendations for Australian Businesses and Insurers
The INTERPOL report offers concrete guidance for both sides of the insurance contract.
For businesses, the priority should be closing the “insurability gap” by implementing controls that satisfy underwriters. Cyber‑hygiene measures such as timely Windows patching, multi‑factor authentication, and network segmentation are now baseline requirements for most policies. The report recommends that organisations adopt the Australian Signals Directorate’s Essential Eight maturity model, aiming for Maturity Level Two as a minimum. It also suggests that Windows shops deploy Microsoft’s built‑in attack surface reduction (ASR) rules, Credential Guard, and Controlled Folder Access—features already included in Windows 11 Enterprise E5 licences.
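As an added example (not code from the INTERPOL report or any insurer), the following PowerShell audits the three Windows controls just named against an assumed baseline and returns one pass/fail row per control, the kind of evidence an insured could attach to a policy application. The Defender and DeviceGuard cmdlets and properties are standard; the chosen rule set, the function name and the pass criteria are assumptions.

```powershell
# Added example, not from the INTERPOL report or any insurer: audits the three Windows
# controls the report recommends and returns a pass/fail row per control.
# Assumes Windows 10/11 with Microsoft Defender Antivirus, run from an elevated session.

# Assumed baseline of ASR rules relevant to the tradecraft the report describes.
# GUIDs are Microsoft's published rule IDs; action codes: 0 Off, 1 Block, 2 Audit, 6 Warn.
$RequiredAsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI'
}
$AsrStateNames = @{ 0 = 'Not configured'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-UnderwriterControlReport {
    $pref = Get-MpPreference
    $rows = New-Object System.Collections.Generic.List[object]

    # 1. Attack surface reduction: pair each configured rule ID with its action code.
    $configured = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $configured[$pref.AttackSurfaceReductionRules_Ids[$i].ToLower()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($id in $RequiredAsrRules.Keys) {
        $action = if ($configured.ContainsKey($id)) { $configured[$id] } else { 0 }
        $rows.Add([pscustomobject]@{ Control = "ASR: $($RequiredAsrRules[$id])"; State = $AsrStateNames[$action]; Pass = ($action -eq 1) })
    }

    # 2. Controlled Folder Access: 1 Enabled, 2 Audit mode, 0 Disabled. Only Enabled passes.
    $cfa = [int]$pref.EnableControlledFolderAccess
    $cfaState = if ($cfa -eq 1) { 'Enabled' } elseif ($cfa -eq 2) { 'Audit' } else { 'Disabled' }
    $rows.Add([pscustomobject]@{ Control = 'Controlled Folder Access'; State = $cfaState; Pass = ($cfa -eq 1) })

    # 3. Credential Guard: service code 1 in SecurityServicesRunning means it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cgRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    $cgState = if ($cgRunning) { 'Running' } else { 'Not running' }
    $rows.Add([pscustomobject]@{ Control = 'Credential Guard'; State = $cgState; Pass = $cgRunning })

    return $rows
}

$report = Get-UnderwriterControlReport
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) { Write-Warning 'Baseline not met; remediate the failing controls before renewal.' }
```

Rules in Audit mode are reported but do not pass, since an underwriter is interested in blocking, not logging.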
For insurers, INTERPOL calls for a more dynamic approach to risk assessment. It proposes that underwriters work with managed detection and response (MDR) providers to develop real‑time telemetry about a policyholder’s security posture, rather than relying on static questionnaires. The report also encourages the development of parametric cyber products that pay out automatically when a predetermined trigger—such as a confirmed ransomware encryption event or a DDoS attack exceeding a certain bandwidth threshold—is detected. Such products could close the protection gap without forcing insurers to write open‑ended coverage.
Outlook for the Future
The INTERPOL 2025/2026 report makes clear that the current cyber insurance model is under severe strain, but it is not beyond repair. Australia’s regulatory environment, with the upcoming Cyber Security Act 2026 expected to introduce mandatory ransomware reporting and minimum security standards for critical infrastructure, may inject the data transparency that the insurance market desperately needs.
For Windows enthusiasts and IT decision‑makers, the report is a practical call to arms. The gap between what insurance covers and what criminals cost is widest where Windows environments are poorly governed. Closing that gap depends less on buying extra coverage and more on building resilient architectures that withstand the attacks the report documents. As one INTERPOL analyst notes in the report’s conclusion: “Cyber insurance is not a substitute for cyber defence—it is a complement. The best policy is worthless if the insured cannot demonstrate they have locked their own doors.”