
Cyber insurance Australia: what underwriters actually check in 2026

Cubit Cyber·25 April 2026·8 min read

Getting cyber insurance in Australia used to be straightforward. Answer a few questions about your industry and headcount, pay the premium, and move on. That era is over.

Underwriters are now running technical questionnaires that run to 40+ questions, and the answers directly affect your premium, your coverage limits, and whether you get a policy at all. Businesses that assume their existing IT setup is "good enough" are routinely getting declined, loaded with higher premiums, or finding out at claim time that a coverage exclusion applies to exactly what happened to them.


Why the requirements tightened

The short answer is claims. Australian insurers absorbed significant losses from ransomware incidents over the past three years and responded by getting specific about the controls they expect. Lloyd's of London syndicates, which underwrite a large share of Australian cyber policies, introduced new exclusion clauses in 2023 that continue to flow through local policy wordings.

The mandatory reporting obligations under the Notifiable Data Breaches scheme compound this. Once a breach occurs, the OAIC and potentially ASIC are involved alongside the insurer. That regulatory exposure gets priced into your premium.

The questionnaire you fill out today is a technical assessment in disguise. If your answers reveal weak controls, you will pay for it.


The checklist: what underwriters ask for

The following controls appear consistently across the major Australian and Lloyd's-backed cyber policies. These are the questions you need to be able to answer confidently.

Multi-factor authentication (MFA)

MFA is the most scrutinised control on every application we have seen. Underwriters ask:

  • Is MFA enabled on all email accounts (Microsoft 365, Google Workspace)?
  • Is MFA required for all remote access, including VPN and RDP?
  • Is MFA enforced on all privileged and admin accounts?

Note the word "all." Answering yes for most accounts but not all is treated similarly to answering no. A single admin account without MFA is a known ransomware entry point, and underwriters know it.

Endpoint detection and response (EDR)

Traditional antivirus is no longer sufficient. Underwriters now ask specifically whether you have EDR deployed across all endpoints. EDR tools like CrowdStrike, SentinelOne, and Microsoft Defender for Business monitor for behavioural indicators of compromise, not just known malware signatures.

If your business is still running legacy antivirus, expect this to flag on your application.

Backups: immutable, off-network, tested

Underwriters have seen too many claims where backups were encrypted alongside production data. The questions now focus on:

  • Are backups stored somewhere your primary systems cannot reach?
  • Are backups immutable, meaning ransomware cannot modify or delete them?
  • Have you tested a restore recently?

Cloud backups that sync to the same Microsoft 365 tenant, or backup software mapped as a network drive, do not satisfy this requirement. Underwriters want true separation.

Vulnerability and patch management

You will be asked how quickly your business patches critical vulnerabilities on internet-facing systems. Most underwriters want critical patches applied within 48 hours on externally exposed assets and within two weeks for internal systems.

Some insurers now run automated external scans of your domain during the application process. If they find unpatched vulnerabilities before you disclose them, that is a problem.

Privileged access management

Underwriters ask whether administrator accounts are used for day-to-day tasks like email and browsing. Dedicated admin accounts that are only used for administrative work reduce the damage from a credential compromise.

They also ask about password manager usage and whether shared credentials exist across systems.

Incident response plan

Underwriters want a written plan, not an informal process. Specifically they ask:

  • Does a written plan exist?
  • Have staff been briefed on it?
  • Does it include escalation contacts, including legal counsel and a forensic IR firm?

Under the Notifiable Data Breaches scheme the clock is tighter than many owners assume: once you suspect an eligible data breach you have 30 days to complete a reasonable and expeditious assessment of whether it is one, and once you have reasonable grounds to believe it is, you must notify the OAIC and affected individuals as soon as practicable, not at the end of the 30 days. Your incident response plan should cover that process explicitly, including who makes the assessment call and who drafts the notification.

Security awareness training

Most applications ask whether staff receive regular phishing awareness training. Annual or quarterly delivery is typical. It does not need to be elaborate, but you need to be able to demonstrate it happens.


How this maps to the Essential Eight

The Essential Eight, published by the Australian Signals Directorate, was built around the techniques attackers actually use for initial access and privilege escalation. The overlap with the underwriter checklist is deliberate on both sides.

Underwriter requirement                           Essential Eight control
MFA on all accounts                               Multi-factor authentication
EDR on all endpoints                              No direct equivalent; application control is the closest, and neither replaces the other
Immutable off-site backups                        Regular backups
Patch critical vulnerabilities within 48 hours    Patch applications + patch operating systems (Maturity Level 1 uses the same 48-hour window for internet-facing services when a working exploit exists or the vendor rates the flaw critical)
No admin access for daily tasks                   Restrict administrative privileges
Application allow-listing                         Application control (Configure Microsoft Office macro settings is a related but separate control)

A business at Essential Eight Maturity Level 1 will generally satisfy the minimum requirements for most Australian cyber policies. Some insurers are now asking for Maturity Level 2 for businesses in healthcare, legal, and financial services.

If you have had a formal Essential Eight assessment, include the report in your insurance application. It streamlines underwriting and can support a lower premium.


What actually fails businesses at renewal

We see the same gaps come up repeatedly.

MFA on legacy systems is the most common problem. A business might have MFA on Microsoft 365 but an old remote desktop portal or legacy accounting software that still runs on username and password. That is the exact scenario underwriters look for, because it is the exact scenario attackers use.

Backups that are not truly isolated are a close second. Cloud-to-cloud tools that copy Microsoft 365 data into another Microsoft 365 account, or backup software running as a mapped drive on the server, do not pass. The test is simple: if ransomware on your network could reach the backup, it does not count.

No EDR on all devices catches businesses that have EDR on most machines but not the old laptop at reception or the director's personal computer that connects to the VPN. A handful of unmanaged devices is often enough to trigger an exclusion.

No written incident response process surprises a lot of owners. Many businesses have informal routines that would probably work. But insurers want documentation, because it is proof that staff know what to do in the first 30 minutes, which is when the difference between a contained incident and a full breach gets decided.

Slow patching on internet-facing systems is the last common failure. If you are running a public-facing firewall or remote access gateway on firmware that is more than a month out of date, automated scans will find it before you disclose it.


What to do before you apply or renew

If your renewal is within 90 days, or you are shopping for a first policy, focus on these five things.

  1. Pull an MFA registration report from the Entra admin centre (Authentication methods, User registration details) or the Google Workspace admin console. Check every account, not just staff accounts: shared mailboxes with sign-in enabled, service accounts, contractors, guests and break-glass admin accounts all count. Registration is not enforcement, so also confirm that a Conditional Access policy or security defaults actually requires MFA at sign-in. Fix any gaps before you submit.

  2. Ask your IT provider specifically whether your backups can be deleted or encrypted if your primary systems are compromised. If the answer is unclear or hedged, treat it as a gap.

  3. Verify that an EDR product is deployed on every managed endpoint, including workstations that rarely connect to the office network. This is easy to miss during staff turnover.

  4. Write down your incident response process. Two pages covering who to call, how to isolate a compromised device, and your NDB notification steps is enough. It does not need to be a 40-page document.

  5. Run an external scan on your public IP range. Tools like Shodan will show you what automated underwriter scans will find. Fix critical findings before you apply.
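The MFA coverage check in step 1, and the "all accounts" point under the MFA heading earlier, can be scripted rather than eyeballed in the portal. The following is an added example, not code from the original article or from Cubit Cyber. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports and Microsoft.Graph.Users modules) is installed and that the signed-in account can consent to the read-only scopes it requests; the output file name mfa-gaps.csv is an arbitrary choice.

```powershell
# Added example (not from the original article): list every account in the tenant
# that cannot currently satisfy an MFA prompt, with admin accounts sorted to the top.
# Assumes Microsoft.Graph.Reports and Microsoft.Graph.Users are installed.
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Users

# Read-only scopes: the registration report and basic user attributes.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "User.Read.All" -NoWelcome

# One row per user: IsMfaRegistered, IsMfaCapable, IsAdmin, MethodsRegistered.
# Id on each row is the user's object id, which we use to join to the user list.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Account state and type so disabled accounts and guests are visible in the output.
$users = @{}
Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType |
    ForEach-Object { $users[$_.Id] = $_ }

# IsMfaCapable is stricter than IsMfaRegistered: it also requires that a registered
# method is still allowed by the tenant's authentication method policy.
$gaps = @(foreach ($d in $details) {
    if ($d.IsMfaCapable) { continue }

    $enabled = $null; $type = $null
    $u = $users[$d.Id]
    if ($u) { $enabled = $u.AccountEnabled; $type = $u.UserType }

    [pscustomobject]@{
        User           = $d.UserPrincipalName
        IsAdmin        = $d.IsAdmin
        AccountEnabled = $enabled
        UserType       = $type
        Methods        = ($d.MethodsRegistered -join ',')
    }
})

# Admins without MFA are the findings underwriters weigh most heavily.
$gaps |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, User |
    Format-Table -AutoSize

$enabledGaps = @($gaps | Where-Object { $_.AccountEnabled -ne $false })
$adminGaps   = @($enabledGaps | Where-Object { $_.IsAdmin })
"{0} accounts cannot satisfy MFA ({1} enabled, {2} of those are admins)" -f $gaps.Count, $enabledGaps.Count, $adminGaps.Count

# Hand this to whoever is closing the gaps, then re-run it before you submit the application.
$gaps | Export-Csv -Path .\mfa-gaps.csv -NoTypeInformation
```

Two caveats on reading the output. Registration is not enforcement: an account can be MFA-capable and still sign in with a password alone if no Conditional Access policy or security defaults require MFA, so check the enforcing policy separately. And this report covers only identities in the tenant; the VPN appliance, the old remote desktop portal and the legacy accounting login that cause most renewal failures have their own user stores and need to be checked by hand.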

If you want a documented baseline rather than a self-assessment, a formal security assessment will map your current controls against the Essential Eight maturity levels and give you a gap report you can hand to your broker.


The point of all this

Cyber insurance transfers residual risk. It is not a substitute for controls, and good underwriters will say the same.

The businesses that get the best coverage at the lowest premiums can demonstrate strong controls. A business that applies with weak controls and somehow gets a policy will almost certainly find that the exclusions in the fine print apply at exactly the wrong moment.

Getting your controls in order before applying is about making sure the policy pays out when you actually need it. That is the only reason to have one.


Not sure where you stand?

A Cubit Cyber security assessment will tell you before your next renewal. We have responded to enough ransomware incidents to know exactly which gaps underwriters find, because they are the same gaps attackers find first.

We document your current maturity level against the Essential Eight, identify the gaps most likely to affect your insurability, and give you a prioritised remediation plan.

Book a confidential assessment
