Cyber Insurance: What Australian Businesses Need to Qualify

February 26, 2026, Editorial Team

Cyber insurance has shifted from a nice-to-have to a boardroom priority, but getting coverage is no longer simple. Australian insurers now require demonstrable security controls — MFA, endpoint detection, tested backups, and regular patching — before underwriting a policy. This guide explains what cyber insurance covers, the controls underwriters demand, how premiums are calculated, and how Essential Eight alignment makes qualification easier.

What Does Cyber Insurance Actually Cover?

Cyber insurance policies typically provide two categories of coverage: first-party and third-party. First-party coverage reimburses your client for their own losses — incident response costs, forensic investigation, data recovery, business interruption losses during downtime, ransomware extortion payments (where legally permissible), notification costs under the Notifiable Data Breaches scheme, and crisis communications or public relations expenses. Third-party coverage protects against claims made by others — lawsuits from affected customers, regulatory fines and penalties (to the extent insurable under Australian law), and legal defence costs. Some policies also cover PCI DSS fines and assessments for businesses that handle payment card data.

It is critical to understand what cyber insurance does not cover. Most policies exclude losses from unpatched known vulnerabilities, failure to maintain minimum security controls, acts of war or state-sponsored attacks (though this exclusion is increasingly contested), and prior known incidents not disclosed during underwriting. Betterment — the cost of upgrading systems beyond their pre-incident state — is also typically excluded. Resellers should help clients read the policy wording carefully and understand these exclusions before a claim situation arises.

Underwriting Requirements: The Security Controls Insurers Demand

The cyber insurance market has hardened significantly since 2020, driven by a surge in ransomware claims. Australian underwriters now use detailed security questionnaires — sometimes 100 or more questions — to assess an applicant's security posture before offering a quote. The days of checking a few boxes and getting coverage are over. Insurers want evidence, not just assertions, and some now require attestation from the applicant's IT provider or CISO. The following controls are near-universal requirements across major Australian cyber insurance underwriters.

Multi-Factor Authentication (MFA)

MFA is the single most important control for cyber insurance qualification. Underwriters expect MFA to be enforced on all remote access (VPN, RDP, cloud applications), all email access (Microsoft 365, Google Workspace), all privileged and administrative accounts, and any internet-facing application. SMS-based MFA is generally accepted but considered weaker than authenticator apps or hardware tokens. Some underwriters specifically ask whether phishing-resistant MFA (FIDO2 security keys or passkeys) is deployed for administrative accounts. If your client does not have MFA universally deployed, this is the first remediation to prioritise — many insurers will decline to quote without it.

Endpoint Detection and Response (EDR)

Traditional signature-based antivirus is no longer sufficient in the eyes of underwriters. They expect an EDR solution — such as CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, or Sophos Intercept X — deployed on all endpoints (workstations and servers) with active monitoring. EDR provides behavioural detection that catches threats signatures miss, and critically, it provides the forensic telemetry needed during incident response. Some insurers ask specifically whether the EDR solution is monitored by an internal SOC or a managed detection and response (MDR) provider — having unmonitored EDR is better than nothing but does not fully satisfy the requirement.

Backup and Recovery

Ransomware is the dominant driver of cyber insurance claims, so underwriters scrutinise backup practices closely. They expect regular backups of all critical data and systems, at least one backup copy stored offline or in an immutable storage tier that ransomware cannot encrypt, tested recovery procedures documented and executed at least quarterly, and backup monitoring to ensure jobs complete successfully. The classic 3-2-1 backup rule (three copies, two different media types, one offsite) is a good starting framework, but underwriters increasingly look for 3-2-1-1 — the extra "1" being an air-gapped or immutable copy specifically designed to survive a ransomware event.

Patching and Vulnerability Management

Insurers expect a documented patch management process with defined timelines: critical vulnerabilities patched within 48 hours to two weeks depending on severity, and all remaining patches applied within 30 days. Internet-facing systems (email gateways, VPN concentrators, web applications) receive the most scrutiny — an unpatched Exchange server or Fortinet VPN appliance is a red flag that can result in declined coverage. Regular vulnerability scanning, either through an internal tool or a managed service, demonstrates proactive identification of weaknesses. If your client has no patching process at all, insurers will either decline to quote or impose significant premium surcharges and coverage exclusions.
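The four controls above are the ones a readiness review has to measure, so here is an added Python example of a small gap check run over a constructed inventory. It is illustration written for this page, not a tool from the article, any insurer or the Essential Eight; the SLA thresholds (48 hours for critical, 14 days for high, 30 days for everything else), the 90-day restore-test window, the treatment of FIDO2 as the only phishing-resistant MFA type, and all of the sample accounts, endpoints, backups and vulnerability records are assumptions chosen to exercise each rule.

```python
"""Insurance-readiness gap check (added example; thresholds and data are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    name: str
    privileged: bool          # administrative account
    remote_or_email: bool     # VPN/RDP/cloud app or mailbox access
    mfa: Optional[str]        # None, "sms", "app" or "fido2"

@dataclass
class Endpoint:
    name: str
    edr_installed: bool
    edr_monitored: bool       # watched by an internal SOC or MDR provider

@dataclass
class BackupCopy:
    location: str
    media: str
    offsite: bool
    immutable_or_offline: bool   # the extra "1" in 3-2-1-1

@dataclass
class Vuln:
    host: str
    ref: str                  # constructed placeholder ids, not real CVEs
    severity: str
    published: date
    patched: Optional[date]   # None means still open

# Assumed patch SLA in days per severity (article: 48h to two weeks, rest within 30 days)
SLA_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 30}
RESTORE_TEST_WINDOW_DAYS = 90   # "tested at least quarterly"

def mfa_gaps(accounts):
    """In-scope accounts with no MFA, and admins whose MFA is not phishing-resistant."""
    in_scope = [a for a in accounts if a.privileged or a.remote_or_email]
    missing = [a.name for a in in_scope if a.mfa is None]
    weak_admin = [a.name for a in accounts if a.privileged and a.mfa not in (None, "fido2")]
    return missing, weak_admin

def edr_gaps(endpoints):
    """Endpoints with no EDR at all, and endpoints with EDR that nobody is watching."""
    uncovered = [e.name for e in endpoints if not e.edr_installed]
    unmonitored = [e.name for e in endpoints if e.edr_installed and not e.edr_monitored]
    return uncovered, unmonitored

def backup_3211(copies, last_tested_restore, today):
    """Each element of the 3-2-1-1 rule plus the quarterly restore test, as pass/fail flags."""
    tested_recently = (last_tested_restore is not None
                       and (today - last_tested_restore).days <= RESTORE_TEST_WINDOW_DAYS)
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_immutable_or_offline": any(c.immutable_or_offline for c in copies),
        "restore_tested_last_quarter": tested_recently,
    }

def patch_sla_breaches(vulns, today):
    """(host, ref, severity, days_overdue) for every finding closed late or still open past its SLA."""
    breaches = []
    for v in vulns:
        deadline = v.published + timedelta(days=SLA_DAYS[v.severity])
        closed = v.patched or today          # an open finding is measured against today
        if closed > deadline:
            breaches.append((v.host, v.ref, v.severity, (closed - deadline).days))
    return breaches

# Constructed sample inventory, dated against the article's publication date
TODAY = date(2026, 2, 26)
ACCOUNTS = [
    Account("alice.admin", True, True, "app"),     # admin on app-based MFA: flagged as weak
    Account("bob", False, True, None),             # mailbox user with no MFA: flagged as missing
    Account("svc-backup", True, False, "fido2"),   # admin on a security key: fine
    Account("carol", False, False, None),          # no remote/email/admin access: out of scope
]
ENDPOINTS = [Endpoint("ws-01", True, True), Endpoint("ws-02", True, False), Endpoint("srv-file", False, False)]
BACKUPS = [BackupCopy("primary NAS", "disk", False, False),
           BackupCopy("cloud bucket with object lock", "object storage", True, True)]
LAST_RESTORE_TEST = date(2025, 10, 1)
VULNS = [
    Vuln("vpn-gw", "VULN-001", "critical", date(2026, 2, 20), None),              # open 4 days past SLA
    Vuln("ws-01", "VULN-002", "high", date(2026, 2, 1), date(2026, 2, 10)),        # patched in time
    Vuln("srv-file", "VULN-003", "medium", date(2026, 1, 10), None),              # open 17 days past SLA
    Vuln("ws-02", "VULN-004", "critical", date(2026, 2, 25), date(2026, 2, 26)),   # patched in time
]

def readiness_report(accounts=ACCOUNTS, endpoints=ENDPOINTS, backups=BACKUPS,
                     last_restore_test=LAST_RESTORE_TEST, vulns=VULNS, today=TODAY):
    """Collect every gap; 'ready' is True only when nothing would make an underwriter decline."""
    mfa_missing, mfa_weak_admin = mfa_gaps(accounts)
    edr_uncovered, edr_unmonitored = edr_gaps(endpoints)
    backup = backup_3211(backups, last_restore_test, today)
    breaches = patch_sla_breaches(vulns, today)
    return {
        "mfa_missing": mfa_missing, "mfa_weak_admin": mfa_weak_admin,
        "edr_uncovered": edr_uncovered, "edr_unmonitored": edr_unmonitored,
        "backup": backup, "patch_breaches": breaches,
        "ready": not (mfa_missing or edr_uncovered or breaches) and all(backup.values()),
    }

if __name__ == "__main__":
    for key, value in readiness_report().items():
        print(f"{key}: {value}")
```

The sample data is deliberately arranged so each rule trips once: the open critical finding on the VPN gateway is the kind of item the article says leads to declined coverage, and the report separates "declines" (no MFA, no EDR, missed SLA, incomplete 3-2-1-1) from "weaknesses" (app-based MFA on an admin, unmonitored EDR) so a remediation roadmap can be ordered the way underwriters weigh them.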

Premium Factors: What Drives the Cost

Cyber insurance premiums are influenced by several factors: the organisation's industry (healthcare, financial services, and retail face higher premiums due to the value of the data they hold), annual revenue (used as a proxy for exposure), the amount of personally identifiable information (PII) stored, claims history, and the maturity of the security controls in place. An organisation with MFA, EDR, tested backups, and a formal incident response plan will receive materially better pricing than one with minimal controls. Deductibles also play a role — accepting a higher deductible (retention) reduces the premium but increases the out-of-pocket cost in the event of a claim. For a typical Australian SMB with $10–50 million in revenue, expect premiums in the range of $5,000 to $30,000 annually for $1–5 million in coverage, though rates vary significantly by industry and insurer.

The Claims Process: What Happens After an Incident

When a cyber incident occurs, the first call should be to the insurer's 24/7 incident response hotline — most policies require notification within 72 hours or less. The insurer will assign an incident response coordinator, typically from a panel law firm, who manages the response and engages approved forensic investigators, data breach notification specialists, and public relations firms as needed. Using the insurer's approved panel is usually required to ensure costs are covered; engaging your own vendors without prior approval can result in expenses being denied. Throughout the claims process, document everything meticulously — timeline of events, actions taken, costs incurred, and business impact. This documentation forms the basis of the claim and any subsequent regulatory reporting.

Essential Eight Alignment

The Australian Cyber Security Centre's Essential Eight framework aligns closely with what insurers demand. Application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups — these eight mitigation strategies directly address the controls underwriters scrutinise. An organisation that achieves Essential Eight Maturity Level 2 or higher will find the insurance application process significantly smoother, as most questionnaire items map directly to Essential Eight controls. For resellers, positioning an Essential Eight assessment as a prerequisite to the insurance application creates a natural professional services engagement and identifies remediation work that must be completed before the client can qualify for coverage.

Essential Eight Controls and Insurance Alignment

Control | Essential Eight Requirement | Insurance Relevance
Application Control | Prevent execution of unapproved programs | Reduces malware and ransomware risk — high relevance
Patch Applications | Patch internet-facing apps within 48 hours | Directly asked in underwriting questionnaires
Configure Microsoft Office Macros | Block macros from the internet | Reduces phishing-delivered malware risk
User Application Hardening | Disable Flash, ads, Java in browsers | Reduces browser-based attack surface
Restrict Admin Privileges | Limit who has administrative access | Privileged access management frequently assessed
Patch Operating Systems | Patch OS vulnerabilities promptly | Directly asked — unpatched systems are a red flag
Multi-Factor Authentication | MFA for all users accessing sensitive data | Near-universal mandatory requirement for coverage
Regular Backups | Backups tested and stored securely | Core requirement — immutable backups preferred

Choosing a Cyber Insurance Broker

Not all insurance brokers understand cyber risk equally. Recommend that clients work with a broker who specialises in cyber insurance or has a dedicated cyber practice within their firm. A specialist broker will understand the nuances of policy wordings across different underwriters, know which insurers are appetite-matched for the client's industry and size, and advocate effectively during the claims process. In Australia, brokers like Marsh, Aon, Gallagher, and specialist firms such as Emergence Insurance and Brooklyn Underwriting have strong cyber insurance capabilities. The broker should also help the client understand the application questions and ensure responses are accurate — a good broker is a partner, not just a transaction processor.

Pros

  • Transfers financial risk of a major cyber incident
  • Provides access to expert incident response resources
  • Can cover business interruption losses during downtime
  • Satisfies contractual requirements from larger clients
  • Drives improvement in security posture through underwriting requirements

Cons

  • Premiums have increased significantly since 2020
  • Qualification requirements can be onerous for less mature organisations
  • Policy exclusions may leave gaps in coverage
  • Claims process can be slow and documentation-intensive
  • Does not replace the need for strong security controls

The Reseller Opportunity

Cyber insurance creates a powerful sales catalyst for resellers. When a client learns they cannot qualify for coverage without MFA, EDR, and tested backups, the conversation shifts from "do we need this?" to "how quickly can we get it done?" Position your services around an insurance-readiness assessment: evaluate the client's current controls against typical underwriting requirements, identify gaps, and propose a remediation roadmap with costed line items for MFA deployment, EDR rollout, backup upgrades, and patching services. Once the client qualifies for coverage, the ongoing managed services to maintain those controls become a natural recurring revenue stream — the insurer will re-evaluate controls at each renewal, so the client cannot afford to let their security posture slip.

Cyber insurance is not a substitute for cybersecurity — it is a complement. The organisations that get the best coverage at the best price are the ones that have already invested in strong security controls.

— Australian Cyber Security Centre guidance
