
Cyber Insurance in 2026: A Guide for Melbourne Businesses

Peter Nelson · 5 min read

Cyber insurance requirements have changed drastically. Learn what insurers now demand and how to ensure your business is covered.

Cyber insurance has undergone a fundamental transformation over the past three years. After a wave of significant ransomware claims in 2021-2023, insurers repriced premiums, tightened underwriting requirements, and — most significantly — began refusing to renew policies for organisations that could not demonstrate minimum security controls.

For Melbourne businesses, cyber insurance is increasingly a necessity (it covers breach response costs, legal expenses, business interruption, and third-party claims that would otherwise be catastrophic out-of-pocket). But getting covered — and staying covered — now requires active attention to the security baseline insurers demand.


What Cyber Insurance Actually Covers

Before diving into requirements, it is worth being clear about what a good cyber insurance policy covers:

First-party coverage (your direct losses):

  • Incident response and forensics costs
  • Data recovery and system restoration
  • Business interruption (lost revenue during downtime)
  • Ransomware extortion payment (subject to sub-limits and exclusions)
  • Notification costs (legally required notifications to affected individuals)
  • Regulatory defence costs (OAIC investigations)

Third-party coverage (claims against you):

  • Privacy liability (claims from individuals whose data was compromised)
  • Network security liability (claims from clients whose systems were affected by your breach)
  • Media liability (defamation, intellectual property infringement in digital content)

What most policies exclude:

  • Intentional acts or fraud by employees (or, in some policies, any insider threat)
  • War and nation-state attacks (the “cyber war” exclusion has expanded significantly)
  • Known vulnerabilities that were not patched
  • Pre-existing incidents discovered after the policy inception date

What Insurers Now Require

The underwriting questions on cyber insurance applications have expanded dramatically. In 2026, insurers are asking specifically about:

Multi-Factor Authentication

MFA is now effectively mandatory for cyber insurance. Specifically:

  • MFA on email (Microsoft 365 / Google Workspace)
  • MFA on remote access (VPN, RDP)
  • MFA on privileged/admin accounts
  • Increasingly: MFA on all user accounts without exception

Policies have been declined for organisations that cannot confirm MFA on email and remote access.

Endpoint Detection and Response (EDR)

Basic antivirus is no longer sufficient. Insurers want to see EDR — behaviour-based endpoint security that detects threats that signature-based antivirus misses. Microsoft Defender for Business (included in M365 Business Premium) or dedicated EDR products (CrowdStrike, SentinelOne) satisfy this requirement.

Patch Management and Vulnerability Management

Insurers ask about patching cadence: how quickly are critical vulnerabilities patched? The Essential Eight framework’s patch requirements (critical internet-facing systems patched within 48 hours) are the benchmark most insurers reference.

Backup Strategy

Questions about backup are now detailed:

  • How often are backups taken?
  • Are backups tested? How frequently?
  • Are backups stored offsite and isolated from the production environment (immutable)?
  • What is the Recovery Time Objective and has it been tested?

An organisation that cannot confirm immutable, tested backups presents a higher risk profile for ransomware claims.

Email Security

  • SPF, DKIM, and DMARC configured (particularly DMARC at enforcement policy)
  • Anti-phishing controls (Microsoft Defender for Office 365 or equivalent)
  • Email filtering for malicious attachments and links
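Underwriters ask whether DMARC is "at enforcement", which means more than having a record published. The following is an added example, not from the article: it parses DMARC and SPF TXT records and reports whether they meet that bar. The records are constructed samples; in practice you would fetch them with a DNS TXT lookup of your domain and its `_dmarc` subdomain.

```python
# Added example (not from the article): assess published SPF/DMARC records
# against the "DMARC at enforcement" bar insurers ask about.
# Sample records below are constructed for illustration.
import re

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; pct=100' into a tag dict (keys lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def dmarc_enforcement(txt):
    """Return (ok, reason). ok is True only if the policy is applied to 100% of mail."""
    t = parse_dmarc(txt)
    if t.get("v") != "DMARC1":
        return False, "no valid DMARC record"
    policy = t.get("p", "").lower()
    if policy == "none":
        return False, "p=none only monitors; nothing is rejected or quarantined"
    if policy not in ("quarantine", "reject"):
        return False, f"unrecognised policy '{policy}'"
    pct = int(t.get("pct", "100"))          # pct defaults to 100 when absent
    if pct < 100:
        return False, f"p={policy} applied to only {pct}% of mail"
    if "rua" not in t:
        return True, f"p={policy} at 100%, but no rua= aggregate reports"
    return True, f"p={policy} at 100%"

def spf_terminal(txt):
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?' or '+'."""
    if not txt.startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
    return (m.group(1) or "+") if m else None

# Constructed sample records (the Microsoft 365 SPF include is a real hostname)
SAMPLES = {
    "monitoring only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial rollout": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "enforced":        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:16} -> {dmarc_enforcement(rec)}")
    print("SPF 'all' qualifier:", spf_terminal("v=spf1 include:spf.protection.outlook.com -all"))
```

Only the "enforced" sample passes; a `~all` SPF record is treated as a soft fail by receivers, so `-all` is what you want to be able to show.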

Security Awareness Training

Documented, regular security awareness training for all staff is increasingly required — not as a suggestion, but as a specific underwriting question.

Incident Response Plan

A documented incident response plan indicates organisational maturity. Some insurers include their own IR template and require confirmation it has been reviewed and understood.


How to Prepare for Your Renewal

Cyber insurance renewals now require preparation, not just form completion.

Step 1: Conduct a pre-renewal security assessment

Identify gaps between your current security posture and what insurers require. Address the most significant gaps before submitting the renewal application.

Step 2: Document your controls

Insurers are asking for evidence, not just assertions. Document:

  • Your MFA deployment (screenshot of Conditional Access policy, if using Entra ID)
  • Your EDR deployment (screenshot of managed device count and coverage)
  • Your backup testing log (dates and results of restore tests)
  • Your patch compliance report (from your RMM tool)
  • Your security awareness training records

Step 3: Work with a specialist broker

Cyber insurance is a specialist product. A general insurance broker who handles your business pack alongside cyber is less equipped to navigate the nuances of cyber underwriting than a specialist cyber broker. Specialist brokers include Emergence Insurance, Honan, and several others operating in the Australian market.

Step 4: Review policy exclusions carefully

The cyber war exclusion, the known vulnerability exclusion, and the intentional acts exclusion are the three most likely to apply in a real claim. Understand what your policy does and does not cover before you need it.


Cost Expectations

Cyber insurance premiums vary significantly based on revenue, industry, data volume, and security posture. As a rough guide for Melbourne SMBs:

  • $1-5M revenue: $2,000-$8,000 per year
  • $5-20M revenue: $5,000-$25,000 per year
  • $20-50M revenue: $15,000-$60,000 per year

Premiums are higher for healthcare, legal, financial services, and any organisation handling significant personal data volumes. Organisations with demonstrably strong security controls can negotiate better rates.

CX IT Services helps Melbourne businesses prepare for cyber insurance underwriting by implementing and documenting the security controls insurers require. Book a Right Fit Call to discuss your cyber insurance readiness.
