Cyber Insurance in Australia: What IT Controls You Actually Need
Cyber insurance has changed dramatically in the last five years. After the Medibank, Optus, Latitude and dozens of smaller Australian breaches, insurers have tightened their underwriting hard. The "tick a box and pay a premium" days are over: you now have to demonstrate real IT controls, and if you can't, either no insurer will quote you, the premium will be eye-watering, or worse, you'll hold a policy that quietly won't pay out when you need it. Here's what's actually required, why claims get denied, and the realistic path to meeting the prerequisites.
Why Cyber Insurance Now Matters
A few hard numbers from public Australian sources (ASD ACSC Annual Cyber Threat Report, OAIC Notifiable Data Breaches reports):
- Cybercrime reports to the ACSC have grown each year since 2020
- The OAIC's Notifiable Data Breaches reports consistently show small business as a major reporting cohort
- Ransomware demands on Australian SMBs typically range from tens of thousands to mid-six figures
- Even without ransom payment, the cost of recovery (downtime, forensics, notifications, lost data, reputation damage) regularly runs $50,000+ for a small business
- Mandatory breach notification under the Privacy Act adds legal and PR costs to the equation
For most SMBs, the question isn't "do we need cyber insurance"; it's "can we get cover, at what price, and what will the insurer want first?"
What Insurers Actually Ask About
Most Australian cyber insurance applications (CGU, Chubb, Emergence, Solution Underwriting and others; applications evolve regularly) include a security questionnaire. The same handful of controls appear on almost every one:
1. Multi-Factor Authentication (MFA)
The question: "Is MFA enabled on all administrator accounts, all remote access, and all email accounts?"
The reality: A "no" here will either price you out or get the application declined. MFA on email is the absolute baseline, and Microsoft 365 and Google Workspace both include it at no extra cost. See our MFA explainer. No insurer in 2026 is still writing meaningful cyber cover without MFA in place. One caveat: "enabled" and "enforced" are not the same thing. An account that is merely registered for MFA, or excluded from the policy that requires it, counts as "no" if it turns out to be the one that gets breached, so check the exceptions list, not just the tenant-wide setting.
2. Endpoint Detection & Response (EDR)
The question: "Do you have EDR / managed detection deployed on all devices?"
The reality: Old-school antivirus (the built-in Defender Antivirus on its own, basic AVG, Norton) is no longer enough for most insurers. EDR means something that watches behaviour rather than just file signatures, can isolate a compromised machine from the network, and feeds alerts to humans who act on them: Microsoft Defender for Business, SentinelOne, CrowdStrike, Sophos Intercept X, etc. Expect around $5-$15 per device per month managed.
3. Backups (Specifically, Immutable Off-site Backups)
The question: "Are backups taken daily, stored off-site, immutable, and tested?"
The reality: A USB hard drive on the manager's desk isn't a backup, and insurers know it. They want: daily, off-site, immutable (cannot be deleted or altered for the retention period, even by an attacker holding your admin password, which rules out any copy reachable through the same credentials as production), and tested at least annually with an actual restore, not just a green tick in the backup console. See our NAS vs cloud backup and 3-2-1 backup articles.
4. Patch Management
The question: "Are operating systems and applications patched within X days of release?"
The reality: Insurers typically want 14 days for critical patches and 30 for the rest, measured from the vendor's release date. They'll ask whether you have a managed patching solution. Auto-update everywhere plus a monthly verification that updates actually installed (rather than merely being offered and then deferred) is the minimum standard; the deadlines only mean something if you can show release and install dates per machine.
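As an added example (not the page's own tooling, and not any insurer's or vendor's), here is the sort of check that turns a patching export into the "within X days" answer. It assumes a CSV-style export with hostname, patch ID, severity, release date and install date (blank if still missing); the hosts and KB numbers in the sample are constructed, and the 14/30-day thresholds are the ones quoted above.

```python
"""Patch-SLA check against a constructed patch inventory.

Added example, not the page's or any vendor's code. Assumes a CSV-style
export: host, patch, severity, released, installed (blank = not yet
installed). Thresholds follow the article: 14 days for critical patches,
30 days for everything else, measured from the vendor release date.
"""
from datetime import date, timedelta

# Constructed sample export; hostnames and KB numbers are hypothetical.
PATCH_EXPORT = """\
host,patch,severity,released,installed
FS01,KB5000001,Critical,2025-06-10,2025-06-18
FS01,KB5000002,Important,2025-06-10,2025-07-20
WS-07,KB5000001,Critical,2025-06-10,
WS-07,KB5000003,Moderate,2025-06-25,2025-07-01
"""

SLA_DAYS = {"critical": 14}   # severities not listed here get the default
DEFAULT_SLA_DAYS = 30


def parse_export(text):
    """Parse the CSV text into dicts with real date objects."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["released"] = date.fromisoformat(rec["released"])
        rec["installed"] = date.fromisoformat(rec["installed"]) if rec["installed"] else None
        rows.append(rec)
    return rows


def sla_for(severity):
    return SLA_DAYS.get(severity.lower(), DEFAULT_SLA_DAYS)


def overdue_patches(rows, today):
    """Return (host, patch, days_late) for every patch installed after its
    deadline or still missing past it. A missing patch is treated as open
    until `today`, so it keeps getting later every day the report is run."""
    out = []
    for r in rows:
        deadline = r["released"] + timedelta(days=sla_for(r["severity"]))
        applied = r["installed"] or today
        if applied > deadline:
            out.append((r["host"], r["patch"], (applied - deadline).days))
    return out


def compliance_rate(rows, today):
    """Percentage of patches that met their SLA, the figure a renewal asks for."""
    total = len(rows)
    if not total:
        return 100.0
    late = len(overdue_patches(rows, today))
    return round(100 * (total - late) / total, 1)


def report(text, today_iso):
    """Convenience entry point: export text plus an ISO date, returns both results."""
    rows = parse_export(text)
    today = date.fromisoformat(today_iso)
    return {"overdue": overdue_patches(rows, today), "compliance_pct": compliance_rate(rows, today)}


if __name__ == "__main__":
    for host, patch, days in report(PATCH_EXPORT, "2025-08-01")["overdue"]:
        print(f"{host}: {patch} is {days} days past its SLA")
    print(f"compliance: {report(PATCH_EXPORT, '2025-08-01')['compliance_pct']}%")
```

Run against the sample as at 1 August 2025 it flags the Important patch on FS01 (installed 10 days late) and the Critical patch WS-07 never installed (38 days past deadline and counting), for a 50% compliance rate. That second case is the one that matters: an auto-update policy that a user keeps deferring looks fine in the console until you line up release and install dates.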
5. Security Awareness Training
The question: "Do all staff receive annual cyber security awareness training, including phishing simulations?"
The reality: Most insurers want documented, evidenced annual training. Phishing simulation (testing whether your staff click fake phishing emails) is now common as well. See our IT training service.
6. Privileged Access Controls
The question: "Are admin accounts separated from daily-use accounts? Is admin access MFA-protected?"
The reality: No staff should be doing email and admin work in the same Windows session. Separate admin accounts. MFA on admin. Limited admin scope.
7. Email Filtering and Spoofing Protection
The question: "Are SPF, DKIM and DMARC configured? Do you have advanced email filtering (Microsoft Defender for Office 365, Proofpoint, Mimecast)?"
The reality: Most insurers expect at minimum SPF and DKIM properly configured. DMARC at "reject" policy is increasingly required, and it is the piece that actually stops spoofing: SPF and DKIM on their own only let a receiving server evaluate a message; DMARC is what tells it to bin mail that fails both checks for your domain. Without these, anyone can send mail that appears to come from you, and your own staff and customers become easier targets. Roll DMARC out in stages (p=none with reporting, then quarantine, then reject) so you catch legitimate senders such as marketing platforms and multifunction printers before you start rejecting their mail.
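Added example, not the page's or any insurer's code: a grader for the three records that answers the questionnaire's email question the way an underwriter would read it. It takes TXT records as strings so it runs offline; in practice you would pull them with a DNS library (for example dnspython's `dns.resolver.resolve(name, "TXT")`). The domain `example.com.au`, the selector `selector1`, the DKIM key text and both record sets are constructed.

```python
"""Grades SPF, DKIM and DMARC records against what an insurer expects.

Added example, not the page's code. Records are passed in as strings keyed
by DNS name so the check runs offline; fetch real ones with a DNS library.
Domain, selector and record contents below are constructed.
"""


def parse_tags(record):
    """Parse the 'k=v; k=v' tag lists that DKIM and DMARC use."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def _is_lookup_term(term):
    """SPF terms that cost a DNS lookup (RFC 7208 caps these at 10)."""
    mech = term.lstrip("+-~?").split(":")[0].split("/")[0].lower()
    return mech in ("include", "a", "mx", "ptr", "exists") or term.lower().startswith("redirect=")


def check_spf(record):
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record published"]
    terms = record.split()[1:]
    findings = []
    if "+all" in terms or "all" in terms:
        findings.append("SPF: '+all' authorises the whole internet to send as you")
    elif not any(t in ("-all", "~all") for t in terms):
        findings.append("SPF: no terminating -all/~all, unlisted senders are neither passed nor failed")
    elif "~all" in terms:
        findings.append("SPF: softfail (~all); acceptable only if DMARC is at quarantine or reject")
    lookups = sum(1 for t in terms if _is_lookup_term(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceeds the limit of 10, receivers will permerror")
    return findings


def check_dkim(record):
    if not record:
        return ["DKIM: no record at the selector, outbound mail is unsigned or unverifiable"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["DKIM: record is not v=DKIM1"]
    if not tags.get("p"):
        return ["DKIM: empty p= tag, the key is revoked"]
    return []


def check_dmarc(record):
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["DMARC: no v=DMARC1 record at _dmarc, receivers cannot enforce anything"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine, move to p=reject once reports show no legitimate failures")
    elif policy != "reject":
        findings.append(f"DMARC: unrecognised or missing policy '{policy}'")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']}, policy applies to only part of the mail")
    return findings


def grade(domain, selector, txt):
    """txt maps DNS names to TXT strings ('' or missing = nothing published).
    Returns every finding; an empty list is the answer the insurer wants."""
    return (check_spf(txt.get(domain, ""))
            + check_dkim(txt.get(f"{selector}._domainkey.{domain}", ""))
            + check_dmarc(txt.get(f"_dmarc.{domain}", "")))


# Constructed record sets for a hypothetical Microsoft 365 tenant.
WEAK_TXT = {
    "example.com.au": "v=spf1 include:spf.protection.outlook.com +all",
    "_dmarc.example.com.au": "v=DMARC1; p=none",
}
STRONG_TXT = {
    "example.com.au": "v=spf1 include:spf.protection.outlook.com -all",
    "selector1._domainkey.example.com.au": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB",  # constructed key text
    "_dmarc.example.com.au": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; pct=100",
}

if __name__ == "__main__":
    for name, txt in (("weak", WEAK_TXT), ("strong", STRONG_TXT)):
        print(name, grade("example.com.au", "selector1", txt) or ["all checks passed"])
```

The weak set is a common real-world shape: SPF exists but ends in `+all` (which authorises everyone), DKIM was never published for the selector, and DMARC sits at `p=none` with no reporting address, so nobody would ever know mail was being spoofed. The strong set is what "SPF, DKIM and DMARC configured" should mean when you tick the box.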
8. Network Segmentation and Remote Access
The question: "Is remote access restricted, MFA-protected, and not via open RDP?"
The reality: No public-facing RDP, ever. Remote access via VPN with MFA, or via cloud (Microsoft 365 only, no on-prem to expose). Guest Wi-Fi separated from the business network.
9. Incident Response Plan
The question: "Do you have a documented incident response plan?"
The reality: A one-page document is enough for most SMBs. Who you call (us, your insurer's response team, your legal advisor), what you do in the first hour, where the contact list is when email is down.
Common Reasons Claims Are Denied
Insurers don't deny claims for fun, but they will deny them if you weren't doing what you said you were doing on the application. Real-world examples we've seen or heard discussed by brokers:
- MFA was claimed but not enforced. The application said "MFA on all accounts". The breach came through an account that had no MFA (an exception, a service account, a dormant mailbox), and the claim was contested or denied.
- Backups not actually working. The "daily backups" checkbox was ticked. After ransomware, the restore attempt fails because the backups had been failing silently for six months, and the claim was contested.
- Out-of-support software. Windows Server 2012 still running long past end of support; most policies exclude losses traceable to unpatched, unsupported systems.
- Inadequate access controls. A generic admin account shared by five staff. After the breach, nobody can determine which person was compromised, and the insurer pushes back.
- Failure to notify. Most policies require notification to the insurer within 24-72 hours of discovering an incident. Delays can void cover.
- Pre-existing condition. The compromise had been present in the network before the policy started, so the claim was excluded.
- Social engineering exclusions. Some policies don't cover "fraudulent funds transfer" (where staff are tricked into transferring money) unless specifically endorsed. Read the fine print.
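The first two denial reasons share a root cause: the questionnaire answer was a belief, not a measurement. As an added example (not the page's code, and not any insurer's tool), the script below turns two pieces of evidence you can actually export into the answers for those questions. It assumes a CSV-style user export from your identity provider (user, role, whether MFA is enforced for that account) and a backup job log with one line per run. Both samples are constructed; the user names, job name and dates are hypothetical.

```python
"""Checks the two questionnaire claims that most often fail at claim time:
"MFA on all accounts" and "daily backups, working".

Added example, not the page's code or any insurer's tool. Assumes a CSV
export (user, role, mfa_enforced) and a backup log with one line per run.
Sample data is constructed.
"""
from datetime import date, timedelta

USER_EXPORT = """\
user,role,mfa_enforced
alice@example.com.au,Global Administrator,yes
bob@example.com.au,User,yes
svc-scanner@example.com.au,User,no
it-admin@example.com.au,Global Administrator,no
"""

# Constructed log. Note there is no line at all for 2025-08-01: the job never
# ran that night, which a "last result" dashboard will not show you.
BACKUP_LOG = """\
2025-07-28 02:01 job=NightlyFS result=Success
2025-07-29 02:01 job=NightlyFS result=Success
2025-07-30 02:01 job=NightlyFS result=Failed reason=repository unreachable
2025-07-31 02:01 job=NightlyFS result=Failed reason=repository unreachable
2025-08-02 02:01 job=NightlyFS result=Success
"""


def parse_csv(text):
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, l.split(","))) for l in lines[1:]]


def mfa_gaps(users):
    """Accounts that contradict 'MFA on all accounts'. Admin roles are listed
    first, but every gap counts: the service account nobody remembers is a
    classic entry point, and it still voids the answer on the form."""
    gaps = [u for u in users if u["mfa_enforced"].strip().lower() != "yes"]
    gaps.sort(key=lambda u: "admin" not in u["role"].lower())  # admins first
    return [(u["user"], u["role"]) for u in gaps]


def parse_backup_log(text):
    """Map run date -> result, ignoring free-text tokens such as the reason."""
    runs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        fields = dict(kv.split("=", 1) for kv in tokens[2:] if "=" in kv)
        runs[date.fromisoformat(tokens[0])] = fields.get("result", "Unknown")
    return runs


def backup_gaps(runs, window_end, window_days):
    """Every day in the window without a successful run. A day with no log
    line at all is reported as NOT RUN rather than silently skipped; that is
    the 'failing silently for six months' case."""
    bad = []
    for i in range(window_days):
        day = window_end - timedelta(days=window_days - 1 - i)
        result = runs.get(day, "NOT RUN")
        if result != "Success":
            bad.append((day.isoformat(), result))
    return bad


def questionnaire_answers(user_csv, log_text, as_of_iso, window_days=7):
    """The two yes/no answers plus the evidence behind each."""
    as_of = date.fromisoformat(as_of_iso)
    m = mfa_gaps(parse_csv(user_csv))
    b = backup_gaps(parse_backup_log(log_text), as_of, window_days)
    return {
        "mfa_all_accounts": not m,
        "mfa_gaps": m,
        "backups_daily_and_working": not b,
        "backup_gaps": b,
    }


if __name__ == "__main__":
    answers = questionnaire_answers(USER_EXPORT, BACKUP_LOG, "2025-08-02", window_days=6)
    for key, value in answers.items():
        print(f"{key}: {value}")
```

On the sample, "MFA on all accounts" is false because of a Global Administrator and a service account, and "daily backups working" is false for two failed nights plus one night the job never ran. Those are the exact lines an insurer's forensic team will find after the event; finding them yourself before you sign the application is the whole point of keeping evidence.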
How to Approach Cyber Insurance Properly
1. Get the IT controls in place first
Trying to fudge a security questionnaire to get a policy is a recipe for a denied claim down the track. Have the controls in place, document them, then apply.
2. Use a broker who specialises in cyber
A general insurance broker who handles cyber as a sideline will quote you whatever's available. A specialist will know which insurers like which industries, which exclusions matter, and how to negotiate sub-limits (forensics, breach response, business interruption).
3. Understand the sub-limits
A "$1 million" cyber policy might have $50,000 for forensic investigation, $100,000 for business interruption, $25,000 for cyber extortion. The total is rarely the meaningful number.
4. Maintain evidence of compliance
Keep records of training completion, patching reports, MFA enrolment, backup test logs. We provide these as standard monthly reports for managed clients; see our managed IT services. If you ever claim, you'll need them.
5. Notify your insurer fast if you suspect a breach
Don't sit on it for a week. Most policies require prompt notification and many provide a 24/7 incident response hotline.
How We Help Clients Meet Prerequisites
For Townsville businesses, this is one of the most common reasons we get called in:
- Insurance questionnaire gap analysis. Run through the insurer's questionnaire honestly, identify what you've got vs what they want, scope the work to close gaps.
- Implementation. MFA, EDR, immutable backups, patch management, hardening; usually a 30-60 day project for a typical small business.
- Documentation. Policies, evidence, monthly reports: what insurers want to see at renewal and at claim time.
- Incident response support. If something does happen, we work alongside your insurer's response team rather than against them.
See our cyber security page for the broader offering.
Insurance Application or Renewal Looming?
We'll review your insurer's security questionnaire with you honestly, identify what's missing, and give you a costed plan to close the gaps. Saves you a denied claim later.
Frequently Asked Questions
How much does cyber insurance cost for a small business in Australia?
Hugely variable depending on industry, revenue and the controls in place. For a typical 5-20 staff SMB with reasonable controls, expect $2,500-$8,000/year. Without the controls in place, often double that, or unable to find cover at all.
Do we need cyber insurance if we have business insurance?
Standard business insurance generally does not cover cyber events meaningfully. Some include token cyber sub-limits ($10,000 or so) which won't touch the sides of a real ransomware incident. If cyber matters to you, get a dedicated cyber policy.
What about ransom payments: are they covered?
Some policies cover ransom payments, some don't. There are also legal and regulatory considerations around paying: Australian sanctions law can make a payment to a listed group unlawful, and the Cyber Security Act 2024 now requires businesses above a turnover threshold to report a ransomware payment to the Australian Government within a short window. The smarter answer is to have backups good enough that you don't need to pay.
If we get hacked, who do we call first?
Your insurer's incident response hotline (most provide one 24/7). Then your IT provider (us). Then your legal advisor if customer data is involved. Then, depending on the incident, the OAIC (if personal information is involved) and the ACSC via ReportCyber and/or police. Our email hacked guide walks through this.
Will the insurer require a managed IT provider?
Increasingly yes โ either implicitly (the prerequisites are hard to meet without one) or explicitly. Some questionnaires now ask directly whether IT is managed by an external provider.
