๐Ÿ›ก๏ธ Cybersecurityโฑ 7 min read

Cyber Insurance Requirements in Australia

Australian cyber insurance providers now require specific security controls before issuing coverage: here's what you need

Cyber insurance premiums in Australia increased by 56% in 2024-2025, and insurers are no longer offering blanket coverage. Most Australian cyber insurance providers now require businesses to demonstrate specific security controls before issuing or renewing a policy. Without these controls, you'll either pay significantly higher premiums or be denied coverage entirely.

What insurers are asking for

Multi-factor authentication (MFA)

This is the single most common requirement. Nearly every Australian cyber insurer now requires MFA on:

  • Email accounts (Microsoft 365, Google Workspace)
  • Remote access (VPN, RDP)
  • Administrative accounts (domain admin, cloud admin)
  • Financial systems (banking, accounting software)

SMS-based MFA is still accepted, but insurers increasingly prefer phishing-resistant MFA (hardware keys, authenticator apps).

Endpoint detection and response (EDR)

Basic antivirus is no longer sufficient. Insurers want EDR solutions that provide real-time monitoring, threat detection, and automated response on all endpoints (laptops, desktops, servers).

Regular patching

Demonstrated patch management: evidence that critical patches are applied within 48 hours and all other patches within 14 days. This aligns with the ASD Essential Eight requirements.
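Insurers ask for evidence of those two windows rather than a statement of intent, so it helps to be able to generate a timing report from your own deployment records. The script below is an added example (not from the original article, and not any insurer's or vendor's tool): it takes a constructed list of patch records with placeholder ids, measures how long each host stayed exposed, grades each entry against the 48-hour and 14-day targets quoted above, and rolls the result up into the compliance figures a questionnaire usually wants. Patches that are still missing are graded separately, so an unpatched host inside its window is not counted as a breach.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# SLA windows taken from the article: critical within 48 hours, everything else within 14 days.
CRITICAL_SLA = timedelta(hours=48)
OTHER_SLA = timedelta(days=14)


@dataclass
class PatchRecord:
    host: str
    patch_id: str                 # constructed placeholder ids, not real vendor KB numbers
    severity: str                 # "critical" or "other"
    released: datetime            # when the vendor published the patch
    applied: Optional[datetime]   # None means the patch is still missing on this host


def sla_for(severity: str) -> timedelta:
    return CRITICAL_SLA if severity == "critical" else OTHER_SLA


def classify(record: PatchRecord, now: datetime) -> dict:
    """Return one evidence row: how long the host stayed unpatched and whether that met the SLA."""
    sla = sla_for(record.severity)
    if record.applied is None:
        # Still missing: a breach only once the window has already closed.
        elapsed = now - record.released
        status = "missing_overdue" if elapsed > sla else "missing_pending"
    else:
        elapsed = record.applied - record.released
        status = "within_sla" if elapsed <= sla else "late"
    return {
        "host": record.host,
        "patch_id": record.patch_id,
        "severity": record.severity,
        "elapsed_hours": round(elapsed.total_seconds() / 3600, 1),
        "sla_hours": sla.total_seconds() / 3600,
        "status": status,
    }


def evaluate(records: List[PatchRecord], now: datetime) -> List[dict]:
    return [classify(r, now) for r in records]


def summarise(rows: List[dict]) -> dict:
    """Roll the rows up into the numbers an insurer questionnaire usually asks for."""
    breached = [r for r in rows if r["status"] in ("late", "missing_overdue")]
    return {
        "total": len(rows),
        "breached": len(breached),
        "breached_critical": sum(1 for r in breached if r["severity"] == "critical"),
        "compliance_rate": round(1 - len(breached) / len(rows), 3) if rows else 1.0,
        "breach_ids": sorted(r["patch_id"] for r in breached),
    }


# Constructed sample data; hosts, ids and dates are made up for the example.
NOW = datetime(2025, 3, 10, 9, 0)
SAMPLE = [
    PatchRecord("srv-01", "PATCH-C-001", "critical", datetime(2025, 3, 1, 0, 0), datetime(2025, 3, 2, 12, 0)),  # 36 h
    PatchRecord("srv-01", "PATCH-C-002", "critical", datetime(2025, 3, 1, 0, 0), datetime(2025, 3, 4, 0, 0)),   # 72 h
    PatchRecord("wks-07", "PATCH-O-100", "other", datetime(2025, 2, 20, 0, 0), datetime(2025, 3, 5, 0, 0)),     # 13 days
    PatchRecord("wks-07", "PATCH-O-101", "other", datetime(2025, 2, 1, 0, 0), None),                            # 37 days, still missing
    PatchRecord("srv-02", "PATCH-C-003", "critical", datetime(2025, 3, 9, 12, 0), None),                        # 21 h, still inside window
]

if __name__ == "__main__":
    rows = evaluate(SAMPLE, NOW)
    for row in rows:
        print(f'{row["host"]:7} {row["patch_id"]:12} {row["severity"]:9} {row["elapsed_hours"]:>7} h  {row["status"]}')
    print(summarise(rows))
```

Feed it an export from whatever deploys your patches (Intune, WSUS, your RMM) and keep the printed report with the month's evidence; the `breach_ids` list is the set you should be able to explain at renewal time.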

Backup and recovery

Documented backup procedures with:

  • Automated daily backups
  • Offsite or offline storage (protection against ransomware)
  • Tested restoration within documented recovery time
  • Minimum 30-day retention
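"Documented backup procedures" in practice means a log you can check against the four points above. The following is an added example, not part of the article and not any backup product's code: it reads a constructed backup log, finds the days in the last 30 that have no successful run, finds runs that never reached offsite storage, confirms the oldest retained copy is at least 30 days old, and checks that the most recent restoration test is no older than six months (assumed here as 183 days, matching the "tested within last 6 months" item in the article's checklist). The `insurer_ready` flag is only set when every check passes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class BackupRun:
    day: date
    succeeded: bool
    offsite: bool   # copy landed in offsite/offline storage, the ransomware protection the article calls for


def check_backup_evidence(runs: List[BackupRun], last_restore_test: Optional[date], today: date,
                          retention_days: int = 30, restore_test_max_age_days: int = 183) -> dict:
    """Check a backup log against the checklist: daily coverage, offsite copies, retention, tested restore."""
    good = {r.day: r for r in runs if r.succeeded}
    # The last `retention_days` completed calendar days, ending yesterday.
    window = [today - timedelta(days=d) for d in range(1, retention_days + 1)]
    missing_days = sorted(d for d in window if d not in good)                       # no successful run at all
    local_only_days = sorted(d for d in window if d in good and not good[d].offsite)  # succeeded but stayed on site
    oldest = min(good) if good else None
    retention_ok = oldest is not None and (today - oldest).days >= retention_days
    restore_test_ok = (last_restore_test is not None
                       and (today - last_restore_test).days <= restore_test_max_age_days)
    findings = {
        "missing_days": missing_days,
        "local_only_days": local_only_days,
        "oldest_retained": oldest,
        "retention_ok": retention_ok,
        "restore_test_ok": restore_test_ok,
    }
    findings["insurer_ready"] = (not missing_days and not local_only_days
                                 and retention_ok and restore_test_ok)
    return findings


def build_sample(today: date) -> List[BackupRun]:
    """Constructed log: one skipped night, one failed job, one run that never left the building."""
    runs = []
    for d in range(1, 31):
        day = today - timedelta(days=d)
        if day == date(2025, 3, 15):          # job never ran
            continue
        runs.append(BackupRun(day,
                              succeeded=(day != date(2025, 3, 20)),   # job ran but failed
                              offsite=(day != date(2025, 3, 10))))    # job succeeded, offsite copy did not
    return runs


def build_clean_sample(today: date) -> List[BackupRun]:
    """Constructed log with a successful offsite run every night, for comparison."""
    return [BackupRun(today - timedelta(days=d), True, True) for d in range(1, 31)]


# Constructed dates for the example.
TODAY = date(2025, 3, 31)
LAST_RESTORE_TEST = date(2025, 1, 15)

if __name__ == "__main__":
    for label, runs in (("sample log", build_sample(TODAY)), ("clean log", build_clean_sample(TODAY))):
        findings = check_backup_evidence(runs, LAST_RESTORE_TEST, TODAY)
        print(label)
        for key, value in findings.items():
            print(f"  {key}: {value}")
```

Most backup tools can export job history as CSV; mapping each row to a `BackupRun` is the only adaptation needed. Run it before the renewal questionnaire rather than after, since a single missed night or an untested restore is exactly what an insurer's follow-up questions tend to find.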

Security awareness training

Evidence that staff receive regular cybersecurity training, particularly around phishing awareness. Some insurers require annual training with completion records.

Incident response plan

A documented plan for responding to cyber incidents, including:

  • Roles and responsibilities
  • Communication procedures
  • Containment and eradication steps
  • Recovery procedures
  • OAIC notification process (Notifiable Data Breaches scheme)

How security assessments reduce premiums

Insurers offer premium reductions for businesses that can demonstrate proactive security measures:

  • Recent VAPT report: a penetration test report from the last 12 months with evidence of remediation typically reduces premiums by 10-20%
  • Essential Eight alignment: demonstrating Maturity Level 1 or above signals a risk-aware business
  • ISO 27001 certification: the strongest signal, but expensive and typically only pursued by larger businesses
  • SOC 2 Type II report: relevant for SaaS and technology companies

What happens without coverage

An uninsured cyber incident can be catastrophic for an SMB:

  • Average cost of a data breach in Australia: $4.26 million (IBM/Ponemon 2025)
  • Average cost for SMBs: $46,000+ per incident (ACSC)
  • Business interruption: average downtime of 21 days after a ransomware attack
  • Regulatory penalties: Privacy Act penalties up to $2.22 million per contravention for individuals, $50 million for corporations
  • Reputational damage: customer trust is difficult to rebuild after a breach

The pre-insurance security checklist

Before applying for or renewing cyber insurance:

  • ☐ MFA enabled on all email, remote access, and admin accounts
  • ☐ EDR/antivirus on all endpoints with current definitions
  • ☐ Patch management process documented and followed
  • ☐ Automated daily backups with offsite storage
  • ☐ Backup restoration tested within last 6 months
  • ☐ Staff security awareness training completed (last 12 months)
  • ☐ Incident response plan documented
  • ☐ VAPT or security assessment completed (last 12 months)
  • ☐ Privacy policy published and compliant with Privacy Act 1988
  • ☐ Data breach notification process documented (NDB scheme)

Need to meet cyber insurance requirements?

RabbiiCo Studio provides the security assessments (VAPT, Essential Eight Gap Assessment) and documentation that insurers require. Start with a free security scan to identify gaps.

Get your free security scan →