Startup Insurance Essentials: D&O, Cyber and Professional Indemnity for Early-Stage Companies

Insurance is not the first thing most founders think about when launching a startup. It sits somewhere behind fundraising, product-market fit, and hiring — if it makes the list at all. But a single claim, data breach, or regulatory investigation can inflict financial damage that no amount of runway can absorb. For early-stage companies in Australia, three policies deserve serious attention: directors and officers (D&O) insurance, cyber insurance, and professional indemnity (PI) insurance.

This guide explains what each policy covers, when it becomes essential, and the legal context that makes it more than a nice-to-have.

Directors and Officers Insurance

D&O insurance protects the individuals who serve as directors and officers of the company against personal liability arising from decisions made in that capacity. It does not protect the company itself — it protects the people running it.

Why It Matters for Startups

Under the Corporations Act 2001 (Cth), directors owe a range of statutory duties: to act in good faith and in the best interests of the company (s 181), to exercise care and diligence (s 180), not to improperly use their position (s 182), and not to improperly use information obtained through that role (s 183). Breaching these duties can result in civil penalties, compensation orders, and in serious cases, criminal sanctions.

These obligations apply from day one. They apply to the solo founder who is the sole director of a newly incorporated Pty Ltd just as they apply to the board of a listed company. And the scope of potential liability extends well beyond the Corporations Act — directors can face personal exposure under work health and safety laws (including industrial manslaughter in some jurisdictions), taxation legislation (director penalty notices for unpaid PAYG and superannuation), environmental laws, and the Australian Consumer Law.

A D&O policy typically covers defence costs, settlements, and judgments arising from claims made against directors and officers. Most policies are structured around three “sides” of cover:

  • Side A covers individual directors and officers directly where the company cannot or will not indemnify them — for example, if the company is insolvent.
  • Side B reimburses the company when it has indemnified a director or officer for a covered claim.
  • Side C (entity cover) covers the company itself for securities claims. This is more relevant to later-stage or listed companies and is often excluded from early-stage policies.

When to Get It

The short answer is: before your first board meeting. If you are raising capital and appointing external or investor directors, D&O coverage is often a condition of their appointment. Experienced directors will not join a board without it. Even before that point, founder-directors face meaningful personal exposure from the moment the company is registered.

Statutory Restrictions to Know

Section 199B of the Corporations Act prohibits a company from paying premiums for a policy that insures a director against liability arising from a wilful breach of duty or the improper use of their position or information. This means D&O insurance cannot cover dishonest or intentionally wrongful conduct — it is designed to protect directors acting in good faith who nonetheless face claims.

Companies should also be aware of the disclosure obligations under s 300(1)(g) of the Act, which requires the directors’ report to include details of any indemnity or insurance for officers (without disclosing the terms of the policy itself).

Cyber Insurance

Cyber insurance covers the costs associated with data breaches, cyber attacks, and related incidents. For startups that handle customer data, process payments, or rely on digital infrastructure — which is effectively all of them — it is increasingly a baseline expectation.

What It Covers

A typical cyber policy for an Australian startup will include:

  • First-party costs: incident response, forensic investigation, system restoration, business interruption losses, and the costs of notifying affected individuals under the Notifiable Data Breaches (NDB) scheme.
  • Third-party liability: defence costs and damages arising from claims by customers, partners, or regulators following a breach.
  • Regulatory costs: legal expenses and penalties associated with regulatory investigations by the Office of the Australian Information Commissioner (OAIC) or other bodies.
  • Extortion and ransomware: some policies cover ransom payments and associated negotiation costs, though this is an evolving area with increasing restrictions.

The Regulatory Context

Australia’s NDB scheme (Part IIIC of the Privacy Act 1988) requires entities with an annual turnover of more than $3 million (and certain other organisations regardless of turnover, including health service providers and entities that trade in personal information) to report eligible data breaches to the OAIC and affected individuals. The penalties for failing to comply are significant — up to $50 million for a body corporate for serious or repeated interferences with privacy.

From May 2025, the regulatory perimeter expanded further: businesses captured by the Security of Critical Infrastructure Act 2018 (SOCI Act) and those with revenue above $3 million are required to notify the Australian Signals Directorate within 72 hours of making a ransomware payment.

For startups, the practical reality is that even a relatively contained data breach can generate costs that dwarf the company’s monthly burn rate. Forensic investigation alone can run to tens of thousands of dollars. Add legal advice on notification obligations, credit monitoring for affected individuals, PR management, and potential regulatory engagement, and the total can be six figures before any third-party claim is made.

Insurability Requirements

Cyber insurers increasingly impose minimum security standards as conditions of coverage. Expect underwriters to ask about multi-factor authentication, endpoint detection and response, patch management cadence, backup practices, and employee security training. Startups with poor security hygiene may find it difficult to obtain affordable coverage — or any coverage at all.

Professional Indemnity Insurance

Professional indemnity (PI) insurance covers claims arising from errors, omissions, or negligent acts in the provision of professional services or advice. For technology startups, it sits at the intersection of what you build and what you promise.

When Startups Need It

PI insurance is most directly relevant to startups that provide services, advice, or software to clients where a failure could cause financial loss. This includes:

  • SaaS companies — if your platform goes down and a customer loses revenue, or if a bug in your software causes incorrect calculations or data corruption.
  • Consultancies and agencies — if you provide strategic, technical, or professional advice and the client suffers a loss as a result.
  • Fintech and regtech — if your product is used for compliance, reporting, or financial decision-making and produces an incorrect output.

The typical PI claim against a startup looks something like this: a customer relies on your software to perform a critical function, something goes wrong, and the customer alleges that your product’s failure caused them financial loss. The customer sues for damages, alleging negligence, breach of contract, or misleading and deceptive conduct under the Australian Consumer Law.

What It Covers

A PI policy generally covers:

  • Defence costs — legal fees incurred in defending a claim, including solicitor and barrister fees, expert reports, and court costs.
  • Settlements and judgments — amounts the insured is legally liable to pay to a claimant.
  • Breach of duty — claims arising from actual or alleged negligent acts, errors, or omissions.
  • Intellectual property — some policies extend to claims of IP infringement, though this varies by insurer.
  • Mitigation costs — expenses incurred to prevent or reduce a potential claim.

Contractual Requirements

Many enterprise customers will require you to carry PI insurance as a condition of doing business. It is common for B2B SaaS contracts, government procurement, and any engagement with a regulated entity to include minimum insurance requirements — often $5 million to $20 million in cover depending on the contract value and risk profile. If you do not have PI insurance, you may simply be excluded from these opportunities.

How the Three Policies Work Together

D&O, cyber, and PI insurance address different categories of risk, and there is less overlap than founders sometimes assume:

Risk                                    D&O     Cyber   PI
Director sued for breach of duty        ✓
Data breach response costs                      ✓
Customer sues over software failure                     ✓
Regulatory investigation (privacy)              ✓
Director penalty notice (tax)           ✓
IP infringement claim                                   ✓ (varies)
Ransomware attack costs                         ✓

A common mistake is treating cyber and PI as interchangeable. They are not. If your SaaS platform suffers a data breach and customer data is compromised, the costs of investigating and remediating the breach fall under cyber insurance. But if the same platform produces an incorrect output that causes a customer financial loss, that is a PI claim. You need both.

Practical Tips for Early-Stage Companies

Start early, even if coverage is modest. A basic D&O policy might cost $2,000–$5,000 per year for a pre-revenue startup. Cyber and PI policies can start at similar levels. The cost of not having coverage when you need it is vastly higher.

Use a broker who understands startups. Several Australian brokers now specialise in technology and startup insurance — they understand the risk profile and can place coverage more efficiently than a generalist. Upcover, BizCover, and Clear Insurance are among the more active in the space.

Review policies before you sign contracts. Understand what is excluded. Common exclusions include known circumstances (issues you were aware of before the policy started), contractual liability that exceeds what you would owe at common law, and fraud or dishonesty. Make sure the policy responds to the types of claims your business is most likely to face.

Update coverage as you grow. The policy limits that were adequate at pre-seed will not be adequate after a Series A. Each funding round, major customer contract, or geographic expansion should trigger a review of your insurance program.

Check your shareholders’ agreement and investor requirements. Many venture capital term sheets require the company to maintain D&O insurance at specified levels. Some also require cyber and PI coverage. Non-compliance is a breach of the investment agreement.

The Bottom Line

Insurance is not about anticipating failure — it is about building a resilient business. Directors face real personal liability under Australian law. Data breaches have mandatory reporting obligations with serious consequences. Customers will hold you accountable when your product does not perform as promised. D&O, cyber, and professional indemnity insurance are not optional extras for Australian startups. They are foundational infrastructure, and the time to put them in place is before the first claim arrives.
