Cyber Insurance Australia: What Your Insurer Actually Checks
Cyber insurance in Australia has become far more rigorous. Here's exactly what underwriters look for — and how to make sure your business qualifies for cover.
Cyber insurance in Australia has changed dramatically in the past three years. Where policies were once relatively easy to obtain, insurers have tightened their requirements significantly — driven by a surge in ransomware claims, large-scale data breaches, and rising claim costs. Today, simply wanting a policy isn't enough. You need to demonstrate that your business is actually managing its cyber risk.
If you're looking to take out cyber insurance, renew an existing policy, or understand why your premium has jumped, this guide explains exactly what Australian underwriters look for and how to prepare your business.
Why Cyber Insurance Underwriting Has Become Stricter
The shift began around 2020-2021, when ransomware attacks surged globally and insurers found themselves paying out far more than expected. Locally, high-profile incidents affecting Medibank, Optus, Latitude Financial, and dozens of smaller Australian businesses demonstrated just how expensive a breach can be. Insurers responded by:
- Introducing mandatory security controls as conditions of cover
- Adding detailed security questionnaires to renewal and new application processes
- Reducing cover limits and increasing premiums in high-risk categories
- Excluding certain types of incidents (such as "war exclusions" for state-sponsored attacks)
The result is that businesses that can demonstrate strong cyber hygiene are rewarded with better premiums and broader cover, while those that can't meet baseline standards may find cover unavailable or prohibitively expensive.
The Security Controls Insurers Check
1. Multi-Factor Authentication (MFA)
MFA is now effectively non-negotiable. Most Australian cyber insurers require MFA to be enabled on:
- Email (Microsoft 365, Google Workspace)
- Remote access tools and VPNs
- Cloud services and administrative accounts
- Financial and banking platforms
If MFA is not in place on these systems at the time of an incident, your insurer may deny or reduce your claim on the basis that you breached a policy warranty.
2. Patch Management and Software Updates
Insurers want to see that your operating systems, applications, and network devices are kept up to date. Unpatched systems are among the most common entry points for attackers. The Australian Signals Directorate (ASD) consistently ranks patching as one of the highest-impact security controls — it's a core part of the Essential Eight framework for exactly this reason.
3. Backup and Recovery Capability
Ransomware attacks are among the most expensive types of cyber incidents. Insurers want to know:
- How frequently you back up your data
- Where backups are stored (ideally off-site or in immutable cloud storage, not on the same network)
- Whether you test restores regularly
- How long it would take to recover from a total loss
Without a solid, tested backup process, your insurer may either decline cover for ransomware events or significantly increase your premium.
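The restore test that underwriters ask about can be automated and the result kept as evidence. The script below is an added example (not from the article): it restores a backup archive into scratch space, verifies every file against a SHA-256 manifest, and times the run against a recovery-time objective. The manifest layout, the sample files and the 60-second RTO are constructed assumptions of my own.

```python
"""Restore test for a tar.gz backup carrying a SHA-256 manifest. Added example, not from
the article; the 'MANIFEST.sha256' layout ('hexdigest  relative/path') and RTO are assumed."""
import hashlib, io, tarfile, tempfile, time
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def _add_bytes(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def make_backup(src: Path, archive: Path, corrupt: str = "") -> None:
    """Constructed backup; if `corrupt` names a file, its archived copy is zero-filled."""
    entries = {p.relative_to(src).as_posix(): p
               for p in sorted(src.rglob("*")) if p.is_file()}
    manifest = "".join(f"{sha256_file(p)}  {rel}\n" for rel, p in entries.items())
    with tarfile.open(archive, "w:gz") as tar:
        for rel, p in entries.items():
            _add_bytes(tar, rel, b"\x00" * p.stat().st_size if rel == corrupt else p.read_bytes())
        _add_bytes(tar, "MANIFEST.sha256", manifest.encode())

def restore_test(archive: Path, rto_seconds: float) -> dict:
    """Restore to scratch space, check every manifest entry, and time it; pass = no mismatch and within RTO."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe 'data' extraction filter where this Python version provides it
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **kwargs)
        lines = (dest / "MANIFEST.sha256").read_text().splitlines()
        failures = [rel for expected, rel in (ln.split("  ", 1) for ln in lines)
                    if not (dest / rel).is_file() or sha256_file(dest / rel) != expected]
    elapsed = round(time.monotonic() - start, 3)
    return {"files_checked": len(lines), "failures": failures,
            "elapsed_s": elapsed, "passed": not failures and elapsed <= rto_seconds}

def demo(corrupt: str = "") -> dict:
    """Constructed two-file dataset, backed up and restore-tested against a 60 s RTO."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "invoices").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Constructed Pty Ltd\n")
        (src / "invoices" / "2024-q1.txt").write_text("sample invoice (constructed)\n")
        archive = Path(tmp) / "backup.tar.gz"
        make_backup(src, archive, corrupt)
        return restore_test(archive, rto_seconds=60)
```

Running `demo()` reports a clean pass, while `demo(corrupt="customers.csv")` shows how a silently corrupted backup copy is caught by the manifest check rather than discovered during a real recovery.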
4. Endpoint Protection
Basic antivirus is no longer sufficient. Insurers increasingly require endpoint detection and response (EDR) tools on all devices used for business purposes — including staff laptops and any devices that access company email or systems.
5. Incident Response Planning
Do you have a documented process for what to do when something goes wrong? Insurers want to see that you've thought through your response before an incident happens — including who is responsible, who to notify, and how to preserve evidence. Under Australia's Notifiable Data Breaches (NDB) scheme, businesses covered by the Privacy Act have a 30-day window to assess and report eligible data breaches to the OAIC. Having a plan means you can act within that window rather than scrambling from scratch.
6. Staff Security Awareness
Many insurers now ask whether your staff have received cyber security training in the past 12 months. Phishing remains the number one initial access vector in Australia. Businesses that run regular security awareness training — even short, informal sessions — demonstrate to underwriters that they're addressing the human risk factor.
The Application and Renewal Process
When you apply for or renew a cyber insurance policy in Australia, expect to complete a detailed security questionnaire. This typically covers:
- Your business size, revenue, and industry
- The types of personal and financial data you hold
- Your MFA and authentication practices
- Your backup and recovery arrangements
- Whether you've had any prior incidents or claims
- Your endpoint protection tools
- Whether you've conducted any security assessments
Misrepresenting your security posture on this questionnaire — even unintentionally — can void your policy. Be honest, and where your security has gaps, disclose them and show what steps you're taking to address them.
How to Prepare Your Business Before Applying
The best time to address your cyber posture is before you need insurance — not after you've had an incident. Before applying or renewing, work through this checklist:
- Enable MFA on all email accounts, cloud services, and remote access tools
- Ensure all software and operating systems are on supported versions with auto-updates enabled
- Implement a regular backup process with off-network or cloud storage and test restores
- Deploy endpoint protection software on all business devices
- Document a basic incident response procedure
- Run at least one cyber security awareness session with your team
- Conduct a self-assessment against the ACSC's Essential Eight framework
The Link to the Essential Eight
The ASD's Essential Eight framework aligns closely with what most cyber insurers require. If your business can demonstrate that you're working toward Essential Eight Maturity Level 1 or above, you're well positioned for underwriting conversations. Some insurers now explicitly ask about Essential Eight compliance on their application forms.
Key Takeaways
- Cyber insurance underwriting in Australia has become significantly more rigorous since 2021 — policies now come with security requirements, not just premiums.
- MFA, patching, backups, and endpoint protection are baseline requirements for most Australian cyber insurers.
- Misrepresenting your security posture on an application can void your policy at claim time.
- Aligning with the ACSC's Essential Eight framework is a practical way to meet most insurer requirements.
- An incident response plan helps you meet your obligations under the Notifiable Data Breaches scheme — and demonstrates maturity to your insurer.
Not sure how your business stacks up against what insurers expect? Take the free cyber risk assessment at flagged.com.au to get a clear picture of your current security posture and identify the gaps most likely to affect your insurability.
Frequently asked questions
Do Australian small businesses need cyber insurance?
There is no legal requirement for Australian small businesses to hold cyber insurance, but it is increasingly recommended — particularly if you store customer data, process payments, or rely on digital systems to operate. A cyber incident can cost a small business tens of thousands of dollars in recovery, legal fees, and notification costs. Cyber insurance can offset those costs, but only if you meet the underwriter's security requirements at the time of the claim.
What security controls do Australian cyber insurers require?
Most Australian cyber insurers now require multi-factor authentication (MFA) on email and remote access systems, regular data backups stored off-site or in the cloud, up-to-date software and operating systems, endpoint protection on all devices, and a documented incident response process. Some policies also require demonstrated compliance with the ACSC's Essential Eight framework. Requirements have tightened significantly since 2022 due to the volume and cost of ransomware claims.
Can my cyber insurance claim be denied if I don't have MFA?
Yes. Insurers can and do deny or reduce claims if the business failed to implement security controls that were required under the policy at the time of the incident. MFA on privileged accounts and email is now a baseline requirement across most Australian cyber policies. If you're unsure what your policy requires, read the security warranties section carefully — or ask your broker to walk you through it before you need to make a claim.