Your business faces a ransomware attack. You file a cyber insurance claim, only to discover the policy won’t pay out because you didn’t implement multi-factor authentication (MFA) for admin accounts. This is now a common scenario in Australia as insurers tighten requirements. Over the past three years, Australian cyber insurance premiums have increased 30-50% annually while coverage limits have decreased. Insurers now require detailed security questionnaires, and failing to meet baseline controls means limited coverage, significantly higher premiums, or exclusions for common attacks such as ransomware.
This guide covers what Australian cyber insurers expect, how to prepare for their questionnaires, and the security controls that directly impact your premiums.
Cyber Insurance in Australia
Key trends for Australian businesses: cyber insurance now drives security compliance as much as it transfers risk. If you cannot demonstrate basic controls, you are effectively uninsurable.
- Stricter underwriting: Insurers now require evidence of security controls before issuing policies
- Essential 8 expectations: Many insurers explicitly reference ACSC’s Essential 8 framework
- Ransomware exclusions: Policies increasingly exclude ransomware if you lack MFA, backups, or endpoint protection
- Retroactive exclusions: Claims denied if you misrepresented your security posture during application
Common Security Requirements Across Insurers
While each insurer has specific questionnaires, these controls appear consistently across Australian cyber insurance applications:
1. Multi-Factor Authentication (MFA)
- MFA enforced for email access (particularly Office 365, Google Workspace)
- MFA required for all remote access (VPN, remote desktop, cloud services)
- MFA required for privileged/admin accounts
- Documented MFA policy
Why insurers care: Business Email Compromise (BEC) and credential-based attacks represent the majority of claims. MFA blocks the vast majority of automated credential attacks (password spraying, credential stuffing, reuse of leaked passwords). One caveat the questionnaire rarely asks about but an incident will expose: SMS and push-based MFA can be phished through adversary-in-the-middle kits, so use phishing-resistant methods (FIDO2 security keys or passkeys) for admin accounts where you can.
2. Endpoint Security
- Antivirus/EDR deployed on all endpoints (desktops, laptops, servers)
- Regular automated signature and engine updates
- Centralised management and monitoring
- Evidence of regular scans and reviews of alerts
- Managed EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint); traditional signature-based antivirus on its own is increasingly treated as insufficient
3. Backup and Recovery
- Regular backups (daily minimum for critical systems)
- Offline or immutable backups (protection from ransomware)
- Documented backup retention policy (30-90 days typical)
- Tested restoration procedures
- Backup schedule documentation & testing results
Critical detail: Insurers increasingly require offline backups. If ransomware can reach your backups via the network, they don’t count for insurance purposes.
4. Patch Management
Insurer requirement:
- Security patches applied within 30 days for critical systems
- Operating system and application patching documented
- Vulnerable systems identified and remediated
Australian context: the current Essential Eight Maturity Model sets patch windows by exposure and exploitability rather than by a single risk rating. At Maturity Level 2, vulnerabilities in internet-facing services must be patched within 48 hours when the vendor rates them critical or a working exploit exists, within two weeks otherwise, and most internal operating systems and applications within one month. An insurer's 30-day requirement is the loosest of these windows, so evidence that you meet your claimed Essential Eight level also answers the insurer's question.
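Underwriters increasingly ask for the percentage of patches applied inside your stated window, not just a yes/no. The script below is an added example (not from this page or from Eviant) that computes that figure from a vulnerability inventory. The windows, asset names, tracking references and dates are constructed assumptions: the windows are modelled on Essential Eight Maturity Level 2 style deadlines plus a 30-day insurer requirement, and should be set to whatever your own policy commits to.

```python
"""Measure patch-SLA compliance over a vulnerability inventory so that the
'security patches applied within N days' answer on an insurer questionnaire
is backed by evidence rather than assertion.  All inventory data below is
constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patch windows by exposure (assumption: modelled on Essential Eight
# Maturity Level 2 style deadlines plus a 30-day insurer requirement; set
# these to whatever your policy actually commits to).
WINDOWS = {
    "internet_facing_critical_or_exploited": timedelta(hours=48),
    "internet_facing": timedelta(days=14),
    "internal": timedelta(days=30),
}


@dataclass
class Finding:
    asset: str
    ref: str                  # internal tracking reference (constructed)
    internet_facing: bool
    vendor_critical: bool
    exploit_available: bool
    released: date            # date the vendor released the fix
    patched: Optional[date]   # None while the finding is still open


def window_for(f: Finding):
    """Return (window name, deadline date) that applies to a finding."""
    if f.internet_facing and (f.vendor_critical or f.exploit_available):
        name = "internet_facing_critical_or_exploited"
    elif f.internet_facing:
        name = "internet_facing"
    else:
        name = "internal"
    return name, f.released + WINDOWS[name]


def assess(f: Finding, as_of: date):
    """Classify a finding: on_time / late (closed after deadline) /
    overdue (still open past deadline) / open (still inside its window)."""
    name, deadline = window_for(f)
    if f.patched is not None:
        status = "on_time" if f.patched <= deadline else "late"
    else:
        status = "overdue" if as_of > deadline else "open"
    return {"asset": f.asset, "ref": f.ref, "window": name,
            "deadline": deadline.isoformat(), "status": status}


def compliance_report(findings, as_of: date):
    """Per-finding status plus the share of closed findings that met their
    window, which is the number an underwriter will ask you to substantiate."""
    results = [assess(f, as_of) for f in findings]
    closed = [r for r in results if r["status"] in ("on_time", "late")]
    on_time = sum(1 for r in closed if r["status"] == "on_time")
    pct = round(100 * on_time / len(closed), 1) if closed else 100.0
    return {
        "results": results,
        "closed_on_time_pct": pct,
        "overdue": [r for r in results if r["status"] == "overdue"],
    }


# Constructed inventory (assumption: hypothetical assets, references and dates).
AS_OF = date(2025, 3, 15)
SAMPLE_FINDINGS = [
    Finding("web01", "PATCH-101", True, True, False, date(2025, 3, 1), date(2025, 3, 2)),
    Finding("vpn01", "PATCH-102", True, False, False, date(2025, 2, 1), date(2025, 2, 20)),
    Finding("fileserver01", "PATCH-103", False, False, False, date(2025, 1, 10), None),
    Finding("laptop-fleet", "PATCH-104", False, False, False, date(2025, 3, 10), None),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_FINDINGS, AS_OF)
    print(f"Closed findings patched within window: {report['closed_on_time_pct']}%")
    for r in report["results"]:
        print(f"{r['asset']:14} {r['window']:38} due {r['deadline']} {r['status']}")
```

Run against the sample inventory it reports 50% of closed findings patched on time and lists the file server as overdue; the still-open laptop finding is inside its 30-day window and is not counted against you. Feed it an export from your vulnerability scanner or patch tool and keep the dated output with your questionnaire submission.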
5. Email Security
- Spam and phishing filtering
- Email authentication (SPF, DKIM, DMARC configured)
- Link and attachment scanning
- Security awareness training for staff (phishing simulations)
Why this matters: Email-based attacks (BEC, phishing, malicious attachments) drive 70%+ of Australian cyber insurance claims.
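"SPF, DKIM, DMARC configured" is a yes/no box on most questionnaires, but a DMARC record with p=none or an SPF record ending in +all is configured and still protects nothing. The following is an added example (not from this page or from Eviant) that grades SPF and DMARC records the way an assessor would. The two domains and their records are constructed, and nothing is resolved from live DNS; DKIM is not graded here because verifying it needs the selector records and a signed message, not just a TXT lookup.

```python
"""Evaluate published SPF and DMARC records for the weaknesses an insurer's
email-security question is really asking about.  Records are constructed
sample strings embedded below; nothing is resolved from live DNS."""

# Constructed sample records for two hypothetical domains (assumption: these
# are illustrative, not real published records).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "strong.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@strong.example; adkim=s; aspf=s",
    },
}

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _spf_term_name(term):
    """Strip the qualifier and any argument: '+include:x' -> 'include', 'a/24' -> 'a'."""
    body = term.lstrip("+-~?")
    for sep in (":", "/", "="):
        body = body.split(sep, 1)[0]
    return body.lower()


def evaluate_spf(record):
    """Return a list of findings for an SPF TXT record; an empty list means no issue."""
    if not record:
        return ["SPF: no record published, so receivers cannot reject forged envelope senders"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not begin with v=spf1 and will be ignored by receivers"]
    findings = []
    all_term = next((t for t in terms[1:] if _spf_term_name(t) == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers no basis to reject")
    elif all_term == "~all":
        findings.append("SPF: '~all' softfail only; rely on DMARC p=reject to enforce")
    lookups = sum(1 for t in terms[1:] if _spf_term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def evaluate_dmarc(record):
    """Return findings for a DMARC TXT record published at _dmarc.<domain>."""
    if not record:
        return ["DMARC: no record published; SPF/DKIM failures are never acted on"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to junk rather than rejecting it")
    elif policy != "reject":
        findings.append(f"DMARC: missing or invalid policy tag p={policy!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports exist to prove monitoring")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def assess_domain(records):
    """Combine SPF and DMARC findings for one domain's record set."""
    return evaluate_spf(records.get("spf")) + evaluate_dmarc(records.get("dmarc"))


def is_enforcing(records):
    """True only when SPF hard-fails unlisted senders and DMARC is p=reject at
    full pct with aggregate reporting, i.e. the strict reading of 'configured'."""
    return not assess_domain(records)


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, "ENFORCING" if is_enforcing(recs) else "WEAK")
        for finding in assess_domain(recs):
            print("  -", finding)
```

To use it on your own domains, fetch the TXT records for the apex and for _dmarc.<domain> with dig or Resolve-DnsName and pass the strings in. Treat anything the script flags as a gap to close before the application, because a DMARC record at p=none will not help you argue that a BEC loss was outside your control.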
6. Access Control
- Privileged account management (who has admin rights, how are they controlled)
- Principle of least privilege enforced
- Departing employee access revocation process
- Regular access reviews
Common failure point: Many SMBs have multiple staff with admin rights across systems without documentation or justification. Insurers view this as high risk.
7. Incident Response Planning
- Documented incident response plan
- Defined roles and escalation procedures
- Contact information for external support (legal, forensics, PR)
- Evidence of testing or tabletop exercises
Insurer expectation: You don’t need a 50-page plan, but you must demonstrate you’ve thought through the first 72 hours after a breach.
Essential 8 and Australian Cyber Insurance
The ACSC’s Essential 8 framework is the de facto baseline for Australian cyber insurance. Many insurers now explicitly ask: “Are you implementing the Essential 8?”
Essential 8 mitigation strategies:
- Application control (whitelist approved applications)
- Patch applications (within timelines for risk level)
- Configure Microsoft Office macro settings (block or limit macros)
- User application hardening (disable unnecessary features)
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
Maturity level expectations:
- Maturity Level 1: Minimum expectation for basic cyber insurance (most SMBs)
- Maturity Level 2: Often required for lower premiums or higher coverage limits
- Maturity Level 3: Rare for SMBs, typically only for enterprises or government contractors
If you’re targeting cyber insurance, Essential 8 compliance should be your first priority. Learn more about Essential 8 implementation in our Essential 8 Compliance Guide.
What Happens If You Don’t Meet Requirements
- Scenario 1: Denied coverage - Insurers simply decline to offer a policy. This is common for businesses with no MFA, no backups, or prior ransomware incidents
- Scenario 2: Ransomware exclusions - Policy issued but excludes ransomware claims
- Scenario 3: Sub-limits - Coverage capped for specific incident types. Example: $1M total coverage, but only $250K for ransomware
- Scenario 4: Higher premiums - Policy issued at 30-50% higher premium due to perceived risk
- Scenario 5: Claim denial - Policy issued, incident occurs, claim denied due to misrepresentation or failure to maintain controls
Getting Coverage: Practical Steps
For businesses without cyber insurance:
- Conduct a gap assessment against Essential 8 baseline controls
- Implement MFA, backups, and endpoint protection (the “must-haves”)
- Document your security policies and controls
- Engage a broker familiar with Australian cyber insurance market
- Be honest in the application—address gaps openly
For businesses with existing coverage:
- Review your policy annually (requirements change)
- Verify you still meet the controls you claimed during application
- Notify your insurer of significant changes (new systems, acquisitions, incidents)
- Test your incident response plan—your insurer may require this
Consider an Essential 8 assessment: Many insurers now request evidence of Essential 8 compliance. An independent assessment provides documentation you can submit with applications and demonstrates maturity.
Eviant provides Essential 8 assessments starting at $5,000. Contact us to discuss your requirements.
Key Takeaways
- Australian cyber insurers require evidence of security controls before issuing policies—expect detailed questionnaires covering MFA, backups, endpoint security, and patching.
- Essential 8 compliance is the baseline for most Australian insurers. Maturity Level 1 is often the minimum for standard premiums; Level 2+ can reduce costs by 10-20%.
- Three “must-have” controls: Multi-factor authentication (all remote access and admin accounts), offline/immutable backups (tested regularly), and endpoint detection and response (not just antivirus).
- Answer questionnaires honestly. Misrepresenting your security posture leads to claim denials when you need coverage most.
- Premiums reflect risk. Lack of MFA, no backups, or prior incidents increase premiums 30-50%. Demonstrating maturity reduces costs.
- Insurance is not a substitute for security. Policies have deductibles, sub-limits, and exclusions. Your goal should be preventing incidents, not just transferring risk.
Need help assessing your security posture for cyber insurance requirements? Contact Eviant for Essential 8 assessments and security reviews aligned with Australian insurer expectations.