The Australian SMB Guide to Cyber Insurance
Requirements have changed dramatically since 2022. If you haven't reviewed your policy or your qualifying controls recently, you may be uninsured when you need it most.
Why It Matters Now
Cyber Insurance Has Changed - Most SMBs Haven't Kept Up
In 2019, cyber insurance was a nice-to-have that most SMBs could get by ticking a few boxes. In 2026, insurers have dramatically tightened requirements. Policies that automatically renewed for years are now being declined or voided at claim time.
The average cost of a ransomware incident for an Australian SMB is now over $270,000 - before accounting for downtime, reputation damage, and customer notification obligations under the Privacy Act.
2026 Requirements
What Insurers Now Require
These are the controls that most major Australian cyber insurers now require as a minimum. Missing any one of these can void a claim.
Multi-Factor Authentication
Required: On all email, remote access, admin accounts, and cloud services. SMS-based MFA is no longer sufficient for some insurers.
Endpoint Detection & Response (EDR)
Required: Traditional antivirus is no longer acceptable. EDR solutions like SentinelOne or CrowdStrike are now commonly required.
Tested Offsite Backups
Required: Backups must be isolated (not accessible via the same credentials), recent, and actually tested for restoration.
Patch Management
Required: Critical patches applied within 30 days. Some insurers ask for 14 days. Manual processes are a red flag.
Privileged Access Management
Required: Admin accounts must be separate from daily-use accounts. Shared admin passwords are a claim-killer.
Email Security Controls
Required: SPF, DKIM, and DMARC records configured. Email filtering with anti-phishing capabilities.
Incident Response Plan
Recommended: A documented plan for what to do when (not if) an incident occurs. Insurers increasingly ask to see this.
Staff Security Training
Recommended: Regular phishing simulations and security awareness training. Annual training is the minimum accepted.
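The Email Security Controls item above asks whether SPF, DKIM and DMARC are "configured", which at renewal time usually means more than the records existing. The following is an added example (not from this guide or any insurer) that assesses a domain's published records against that standard: one SPF record with a fail terminator, an enforcing DMARC policy with reporting, and a DKIM key for each selector in use. DNS lookups are replaced by a constructed in-memory table so it runs offline; the domain, records and selector name are all assumed.

```python
"""Assess whether a domain's SPF, DMARC and DKIM records meet the kind of
'configured' standard an insurer questionnaire implies. Constructed sample data;
swap lookup_txt for a real DNS TXT resolver to check a live domain."""
import re

# Constructed sample TXT records for a hypothetical domain (not real DNS data).
SAMPLE_DNS = {
    "example.com.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com.au"],
    "selector1._domainkey.example.com.au": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
}

def lookup_txt(name, dns=SAMPLE_DNS):
    """Return TXT strings for a name from the constructed table (stand-in for DNS)."""
    return dns.get(name, [])

def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC/DKIM syntax) into a dict with lower-cased keys."""
    parts = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in parts}

def assess_email_auth(domain, selectors=("selector1",), dns=SAMPLE_DNS):
    """Return {control_name: True if met, False if a gap} for the domain."""
    findings = {}
    spf = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    # Exactly one SPF record, ending in hard fail (-all) or soft fail (~all);
    # '?all' (neutral) or '+all' provides no protection.
    findings["spf_present"] = len(spf) == 1
    findings["spf_terminated"] = bool(spf) and bool(re.search(r"\s[-~]all$", spf[0]))
    dmarc = [r for r in lookup_txt(f"_dmarc.{domain}", dns) if r.lower().startswith("v=dmarc1")]
    findings["dmarc_present"] = len(dmarc) == 1
    tags = parse_tags(dmarc[0]) if dmarc else {}
    # p=none only monitors; an enforcing policy is quarantine or reject.
    findings["dmarc_enforcing"] = tags.get("p", "").lower() in ("quarantine", "reject")
    findings["dmarc_reporting"] = "rua" in tags  # aggregate reports show spoofing attempts
    dkim_ok = []
    for sel in selectors:
        recs = lookup_txt(f"{sel}._domainkey.{domain}", dns)
        key = parse_tags(recs[0]).get("p") if recs else None
        dkim_ok.append(bool(key))  # an empty p= means the key was revoked
    findings["dkim_present"] = bool(dkim_ok) and all(dkim_ok)
    return findings

def gaps(findings):
    """Names of controls that are not met, in a stable order."""
    return sorted(name for name, ok in findings.items() if not ok)

if __name__ == "__main__":
    print("gaps:", gaps(assess_email_auth("example.com.au")) or "none")
```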
Claim Killers
Why Claims Get Denied
These are the most common reasons Australian businesses are denied cyber insurance claims - even when they thought they were covered.
Misrepresentation at Renewal
You said "yes" to MFA on your application, but it wasn't fully deployed. Insurers investigate before paying and this is the #1 reason claims are voided.
Known Vulnerabilities Unpatched
If your systems had a known critical vulnerability that was unpatched for more than 30 days, the insurer may argue you failed your duty of care.
No Incident Response Plan
Some policies explicitly require a documented IR plan. Without one, or if you deviated from your stated plan, claims can be challenged.
Shared Admin Credentials
A single compromised account that had access to everything is a signal of gross negligence. Insurers look for this pattern in forensics.
Unencrypted Backup Storage
Backups that were online, accessible via the same credentials as production systems, or unencrypted may not qualify as "tested backups."
Late Incident Notification
Most policies require that you notify the insurer within 24-72 hours of discovering an incident. Missing this window is grounds for denial.
Are You Actually Insurable?
Book a free 15-minute Right Fit Call. We'll assess your current controls against insurer requirements and tell you exactly what needs fixing.
- No lock-in contracts - ever
- Valued at $250 - completely free
- 4.5-star Google rated
- Answer in 60 seconds or less
Takes about 2 minutes. We'll confirm if we're the right fit - or point you in the right direction.