
Cyber Insurance in 2026: What Melbourne Businesses Need to Know

Peter Nelson
7 min read

Cyber insurance is getting harder to get and more expensive. Here's what Australian insurers are actually asking for in 2026, and what you need to have in place before your next renewal.

A few years ago, cyber insurance was relatively straightforward. Fill in a basic questionnaire, confirm you had antivirus and a firewall, and you could get a reasonably priced policy. The claims experience across the industry has changed that significantly.

Ransomware claims exploded. Insurers paid out substantial losses. Underwriting got serious. Today, if you are renewing a cyber policy or applying for the first time, you will encounter a much more detailed application process - and if your security posture does not meet the insurer’s requirements, you will either be declined or face exclusions and premium increases that make the policy less useful.

Here is a practical guide to what Australian cyber insurers are looking for in 2026, and what you need to have in place.

Why Cyber Insurance Has Changed

Between 2020 and 2023, ransomware attacks on Australian businesses spiked significantly. The insurance industry absorbed large losses. The response from insurers was predictable: tighten underwriting criteria, increase premiums, and add exclusions for businesses that cannot demonstrate basic security controls.

The result is that cyber insurance is now genuinely risk-based in a way it was not before. Businesses with strong security controls - documented, implemented, and verifiable - can still get good coverage at reasonable premiums. Businesses without these controls face exclusions, sublimits, or declined applications.

What the Application Process Looks Like Now

Modern cyber insurance applications run to several pages and ask specific technical questions. The questions vary by insurer, but the consistent themes are:

Multi-factor authentication (MFA). Every insurer asks about MFA. Most now require MFA to be in place on email (particularly Microsoft 365 and Google Workspace), remote access (VPN, RDP), and privileged administrator accounts. Some require MFA on all accounts. If you answer “no” to MFA questions, expect a significant premium loading or an exclusion for phishing and credential compromise claims.

Endpoint detection and response (EDR). Traditional antivirus is no longer sufficient. Insurers want to know whether you have EDR - security software that monitors endpoint behaviour and can detect threats that antivirus signatures would miss. Products like Microsoft Defender for Business, CrowdStrike, SentinelOne, or similar are what they are looking for.

Backup procedures. The backup questions go beyond “do you have backups?” You will be asked:

  • How frequently are backups taken?
  • Are backups stored offline or in a separate environment inaccessible from your main network?
  • How recently was a backup tested by actually restoring data?
  • Are backups encrypted?

An offline or air-gapped backup is now considered essential. Insurers have paid too many claims where ransomware encrypted both the primary data and the backup because both were on the same network.

Patch management. Questions about your patching process - specifically, whether you have a documented schedule and how quickly you apply security patches to critical systems.

Email security. Questions about spam filtering, anti-phishing controls, and email authentication (SPF, DKIM, DMARC), which lets receiving mail servers reject messages that spoof your domain. Business email compromise is a major claims category for insurers.

Privileged access management. Whether administrator accounts are separate from day-to-day user accounts, and whether you have controls on who can make administrative changes to your systems.

Incident response. Whether you have a documented incident response plan, and whether you have tested it.

The Controls You Need in Place

Based on current underwriting requirements, here is a minimum set of controls that will satisfy most Australian cyber insurers in 2026:

Mandatory (non-negotiable for most policies):

MFA on all email access - particularly Microsoft 365 or Google Workspace. This is the single most important control for cyber insurance purposes. Phishing attacks that compromise email accounts are the most common entry point for business email compromise, which is a top claims category.

MFA on all remote access - VPN, Remote Desktop, and any other remote access method.

Offline or cloud-isolated backups - at minimum, a daily backup stored where ransomware cannot reach it from your primary network. A second file share that your domain admin account can write to does not count; the backup store needs its own credentials, immutable or offline storage, or both. Test a restore at least quarterly and keep the record.

Endpoint detection and response on all endpoints - not just antivirus.

Email authentication - SPF, DKIM, and DMARC records configured correctly on your domain. This is a technical requirement that your IT provider should handle, but it is increasingly being asked about on applications. Note that a DMARC record with p=none only reports on spoofing; once the reports show your legitimate senders are passing, move the policy to p=quarantine or p=reject so spoofed mail is actually blocked.
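The SPF and DMARC settings just listed are the ones an underwriter's questionnaire (and a domain-spoofing attacker) actually cares about, so it is worth checking them before the application rather than trusting that they were "set up" at some point. The Python below is an added example, not code from this article or from CX IT Services: it parses SPF and DMARC TXT records, flags the weak settings (no `all` mechanism, `~all` or `+all`, `p=none`, a partial `pct`, no `rua` reporting address), and also checks SPF's ten-DNS-lookup limit, which the article does not cover but which silently breaks SPF for many Microsoft 365 tenants with several third-party senders. The sample records are constructed, not real domains' DNS data; in practice you would paste in the output of `dig +short txt yourdomain.com.au` and `dig +short txt _dmarc.yourdomain.com.au`.

```python
"""Assess SPF and DMARC TXT records for the weaknesses an underwriter
(or a phishing attacker) cares about.

Records are passed in as strings so the check runs offline. Fetch the
real ones with `dig +short txt <domain>` and `dig +short txt _dmarc.<domain>`.
"""

from typing import Dict, List, Optional, Tuple

# Constructed sample records for demonstration (not real DNS data).
SAMPLE_SPF_WEAK = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_SPF_STRONG = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_STRONG = (
    "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
)

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into mechanisms, the final 'all' qualifier, and the lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms: List[Tuple[str, str]] = []
    all_qualifier: Optional[str] = None  # no 'all' term means unlisted senders are neutral
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
        if name in LOOKUP_TERMS:
            lookups += 1
    return {"mechanisms": mechanisms, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' DMARC syntax into a dict keyed by lowercase tag."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> List[str]:
    """Return findings a practitioner would fix before renewal; empty list means nothing to flag."""
    findings: List[str] = []

    if spf_record is None:
        findings.append("SPF: no record published")
    else:
        spf = parse_spf(spf_record)
        if spf["all"] is None:
            findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
        elif spf["all"] in ("+", "?"):
            findings.append("SPF: '%sall' lets any sender pass" % spf["all"])
        elif spf["all"] == "~":
            findings.append("SPF: '~all' is softfail; move to '-all' once DMARC reports are clean")
        if spf["lookups"] > 10:
            findings.append(
                "SPF: %d DNS lookups exceeds the limit of 10, so receivers return permerror"
                % spf["lookups"]
            )

    if dmarc_record is None:
        findings.append("DMARC: no record published at _dmarc.<domain>")
    else:
        dmarc = parse_dmarc(dmarc_record)
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or invalid policy tag p=%r" % policy)
        pct = dmarc.get("pct", "100")
        if pct != "100":
            findings.append("DMARC: pct=%s applies the policy to only part of the mail stream" % pct)
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")

    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (
        ("weak", SAMPLE_SPF_WEAK, SAMPLE_DMARC_WEAK),
        ("strong", SAMPLE_SPF_STRONG, SAMPLE_DMARC_STRONG),
    ):
        print(label, assess(spf, dmarc) or ["no findings"])
```

The output from the weak pair is the kind of thing an underwriter's "evidence of controls" request is probing for: a tenant that has SPF and DMARC records and can honestly tick the box, yet still delivers spoofed mail because the policy is softfail and monitor-only. Keep the assessment output with the other renewal documentation, and re-run it after any change to third-party senders, since a new marketing or ticketing platform can push the lookup count over ten.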

Privileged access management - separate admin accounts, MFA on all admin access, time-limited privilege elevation.

Security awareness training - documented staff training on phishing and social engineering. Even annual training with a record of completion makes a difference to underwriters.

Documented incident response plan - a written plan for what you do if you have a ransomware attack or data breach. This does not need to be complex - a single page covering who you call, how you isolate affected systems, and how you communicate with customers is a starting point.

Vulnerability scanning - regular scanning of your systems to identify known vulnerabilities. Monthly automated scanning is becoming a standard recommendation.

The Exclusions to Watch For

Even if you obtain a cyber policy, read the exclusions carefully. Common exclusions that have increased in frequency:

Systems without MFA - some policies exclude claims arising from systems that did not have MFA enabled when the incident occurred. If you have even one critical system without MFA and it is breached, the claim may not be covered.

Unpatched systems - similar logic. If a known vulnerability on an unpatched system is exploited, some policies have exclusions or sublimits.

War and nation-state exclusions - controversial in the industry and tested in courts, but many policies include exclusions for attacks attributed to nation-state actors. Given that attribution is difficult and insurers are motivated to attribute attacks to exclude coverage, this is worth understanding.

Social engineering sublimits - some policies have lower coverage limits for business email compromise and social engineering attacks than for ransomware. If your biggest risk is BEC (common for the property industry, law firms, and financial services), check this specific sublimit.

Retroactive date gaps - cyber policies typically only cover incidents that begin after the policy retroactive date. If you switch insurers or have a gap in coverage, understand the retroactive date and what it means for incidents that may have started (through initial compromise) before your current policy began.

What to Expect at Renewal

If you are renewing a cyber policy and your security posture has not changed, you may find:

  • More detailed questionnaire requirements
  • Requests for evidence of controls (screenshots of MFA configuration, backup test records, EDR deployment confirmation)
  • Increased premiums reflecting higher market loss ratios
  • New exclusions or sublimits

If your security posture has improved - if you have implemented MFA everywhere, deployed EDR, implemented offline backup with tested restores, and documented your security policies - you are in a much stronger negotiating position. Some insurers will ask for evidence from your IT provider confirming these controls are in place.

Getting IT Provider Documentation

This is worth raising with your IT provider specifically. At CX IT Services, we provide clients with a technical security summary document for cyber insurance renewal purposes - a factual record of the security controls implemented, the patch management process, the backup configuration and test results, and the MFA deployment. This document accompanies the insurance application and can significantly improve underwriting outcomes.

If your current IT provider cannot or will not provide this documentation, that is a gap worth addressing - both for insurance purposes and for your own security posture.

The Cost-Benefit Calculation

Cyber insurance premiums for Australian SMBs typically run from $3,000 to $15,000 per year depending on revenue, industry, and security controls. That feels significant, but compare it to the cost of a ransomware recovery: according to published data on ransomware incidents in Australia, the average total cost of a ransomware attack on an SMB - including downtime, recovery, IT costs, reputational damage, and potential regulatory notification - runs to six figures.

The question is not whether you can afford cyber insurance. It is whether your business can absorb a six-figure uninsured loss if the incident occurs. For most Melbourne businesses with 10 to 200 staff, the answer is no.

Implement the controls, get the coverage, and document everything. That is the practical path through the current cyber insurance landscape.
