
Cyber insurance in Australia: what underwriters actually check.

Forty percent of Australian cyber insurance claims were denied in 2024. The leading cause was not policy exclusions or fine print. It was failure to maintain the controls declared on the application, particularly multi-factor authentication. Underwriters have moved from trusting self-attestation to verifying controls through third-party telemetry and external scanning. If your application says you have MFA everywhere and you don't, your policy may be worthless when you need it most.

This guide maps the specific controls Australian cyber insurers assess to the Essential Eight and ISO 27001 frameworks most Australian organisations are already implementing. If you're doing the compliance work, you're doing most of the insurance work too. You just need to present it correctly.

01 / The market reality

Australian cyber insurance is growing fast, but most businesses still don't have it.

The Australian cyber insurance market reached AUD 467 million in 2025 and is projected to nearly quadruple to USD 1.99 billion by 2034, according to IMARC Group market research. Yet adoption remains low. Swiss Re data shows only 10 to 20 percent of SMEs (under $100 million revenue) carry cyber insurance, compared to 40 to 50 percent of mid-market firms.

The gap matters because the cost of incidents is rising. The ACSC Annual Cyber Threat Report 2024-25 recorded 84,700 cybercrime reports, one every six minutes, with average costs of $56,600 for small businesses (up 14 percent year on year) and $202,691 for large organisations.

  • 40% of claims denied in 2024
  • 37% of denials due to MFA failures
  • 60% of claims from BEC and funds transfer fraud
  • $292K average ransomware loss

Meanwhile, premiums are expected to rise. After two years of softening rates, S&P Global forecasts a 15 to 20 percent premium increase in 2026. Organisations with strong security postures will be better positioned to negotiate favourable terms.

02 / What underwriters check

The ten controls insurers assess before quoting.

Australian cyber insurers have converged on a core set of controls they assess during underwriting. These are not optional recommendations; they are the controls that determine whether you get quoted, what premium you pay, and whether a claim gets honoured. AIG's CyberEdge ransomware supplementary form is a good example of the level of detail insurers now expect.

Control: MFA
  What insurers ask: MFA enforced on email, remote/VPN access, privileged accounts, cloud services, and backup systems. Coverage percentage and exception count.
  Mapping: E8: Multi-Factor Authentication strategy. ISO 27001: A.8.5 Secure authentication.

Control: EDR
  What insurers ask: Endpoint detection and response (not just antivirus) deployed on all servers, workstations, laptops, and remote devices.
  Mapping: E8: Supports multiple strategies. ISO 27001: A.8.7 Protection against malware.

Control: Backups
  What insurers ask: Immutable or offline backups, tested regularly. Coalition data shows 94% of ransomware victims had their backups targeted.
  Mapping: E8: Regular Backups strategy. ISO 27001: A.8.13 Information backup.

Control: Incident response
  What insurers ask: Documented incident response plan, tested within the last 12 months. Insurers ask when it was last exercised.
  Mapping: E8: Not covered. ISO 27001: A.5.24-A.5.28 Incident management.

Control: Patching
  What insurers ask: Patch management programme with defined cadence and prioritisation for critical vulnerabilities.
  Mapping: E8: Patch Applications + Patch Operating Systems (48 hours at ML2). ISO 27001: A.8.8 Technical vulnerabilities.

Control: Awareness training
  What insurers ask: Employee security awareness training programme with phishing simulations. Frequency and results matter.
  Mapping: E8: Not directly covered. ISO 27001: A.6.3 Information security awareness.

Control: Privileged access
  What insurers ask: Employees lack local admin by default. Separate privileged credentials for sysadmins. MFA on domain admin accounts. Just-in-time access where possible.
  Mapping: E8: Restrict Administrative Privileges. ISO 27001: A.8.2 Privileged access rights.

Control: Network segmentation
  What insurers ask: Network segmented by business function with deny-by-default between segments.
  Mapping: E8: Not directly covered. ISO 27001: A.8.22 Segregation of networks.

Control: Email authentication
  What insurers ask: SPF, DKIM, and DMARC configured and enforced. Given 60% of claims originate from BEC, this is heavily weighted.
  Mapping: E8: Not directly covered. ISO 27001: A.8.23 Web filtering (related).

Control: RDP controls
  What insurers ask: Host firewall rules prevent RDP logon to workstations. Service accounts deny interactive logons.
  Mapping: E8: User Application Hardening (related). ISO 27001: A.8.20 Network security.

The pattern is clear: the controls insurers check map almost exactly to the Essential Eight strategies plus incident response and network segmentation from ISO 27001. If you are implementing either framework, you are already doing most of what insurers require.
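
The email authentication row is the one an external scan can verify entirely from public DNS, so it is worth checking what the scan will see before declaring it. The script below is an added example, not Cliffside's code or any insurer's scanner: it parses SPF and DMARC records, checks DKIM keys for selector names you supply, and classifies a domain as missing, configured-but-not-enforced, or enforced. The domain names (good.example, soft.example, none.example) and the DKIM key value are constructed, and DNS is replaced by an in-memory zone so it runs offline; for a live check, make lookup_txt query a resolver.

```python
"""Classify a domain's SPF, DKIM and DMARC records the way an external
scan would: missing, configured but not enforced, or enforced.

Added example; not Cliffside's code or any insurer's scanner. DNS is
replaced by a constructed in-memory zone of hypothetical names so the
script runs offline; for live checks, make lookup_txt query a resolver.
"""
import re

# Constructed zone: name -> TXT records. The DKIM key value is a placeholder.
SAMPLE_ZONE = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "soft.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    "none.example": ["site-verification=abc123"],
}


def lookup_txt(name, zone):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return zone.get(name, [])


def parse_spf(records):
    """Exactly one v=spf1 record is valid (RFC 7208); report its 'all' qualifier."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return {"configured": False, "all": None, "count": len(spf)}
    all_qual = None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?])?all", term.lower())
        if m:
            all_qual = m.group(1) or "+"  # bare 'all' means +all: pass everything
    return {"configured": True, "all": all_qual, "count": 1}


def parse_dmarc(records):
    """Parse the tag=value list; p= is the policy, pct= defaults to 100."""
    dm = [r for r in records if r.upper().startswith("V=DMARC1")]
    if len(dm) != 1:
        return {"configured": False, "policy": None, "pct": None, "rua": None}
    tags = {}
    for part in dm[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {"configured": True, "policy": tags.get("p", "").lower() or None,
            "pct": int(tags.get("pct", "100")), "rua": tags.get("rua")}


def check_dkim(domain, selectors, zone):
    """DKIM keys live at <selector>._domainkey.<domain>, so the selectors must be
    known. A record whose p= is empty is a revoked key, not a usable one."""
    published = []
    for sel in selectors:
        for rec in lookup_txt(f"{sel}._domainkey.{domain}", zone):
            tags = dict(p.strip().split("=", 1) for p in rec.split(";") if "=" in p)
            if tags.get("p"):
                published.append(sel)
    return published


def classify(domain, zone=SAMPLE_ZONE, dkim_selectors=()):
    """'Enforced' needs SPF with -all or ~all and DMARC quarantine/reject at pct=100.
    p=none is monitoring only: configured, but it blocks nothing."""
    spf = parse_spf(lookup_txt(domain, zone))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, zone))
    dkim = check_dkim(domain, dkim_selectors, zone)
    spf_ok = spf["configured"] and spf["all"] in ("-", "~")
    dmarc_ok = (dmarc["configured"] and dmarc["policy"] in ("quarantine", "reject")
                and dmarc["pct"] == 100)
    if not spf["configured"] and not dmarc["configured"]:
        status = "missing"
    elif spf_ok and dmarc_ok:
        status = "enforced"
    else:
        status = "configured-not-enforced"
    return {"domain": domain, "status": status, "spf": spf, "dmarc": dmarc, "dkim": dkim}


if __name__ == "__main__":
    for d in ("good.example", "soft.example", "none.example"):
        r = classify(d, dkim_selectors=("s1",))
        print(f"{d:14} {r['status']:25} spf_all={r['spf']['all']} "
              f"dmarc_p={r['dmarc']['policy']} dkim={r['dkim']}")
```

The common gap this surfaces is soft.example: both records exist, so an application can truthfully say "configured", but p=none only asks receivers to report, and the underwriter's "enforced" question is answered no. A pct below 100 is treated the same way, and more than one SPF record is treated as not configured because receivers return a permanent error for it.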

03 / When claims get denied

Misrepresentation is the fastest way to void your policy.

The Travelers v International Control Services case is the clearest warning. ICS declared on its application that it used MFA for email, remote access, and all endpoints. When a ransomware attack hit in 2022, Travelers investigated and found MFA was only configured on the firewall. Servers, the actual target of the attack, had no MFA at all. Travelers successfully rescinded the entire policy. No coverage for past, present, or future claims.

This was not a technicality. The court found that the misrepresentation was material to the underwriting decision. Had ICS disclosed the true state of its MFA coverage, the policy would not have been issued on those terms.

The practical lesson: do not overstate your controls on the application. If you have MFA on email but not on privileged accounts, say so. If your backups exist but have never been tested, say so. An honest application with gaps is manageable. A dishonest application that later proves false can void your entire policy, exactly when you need it most.

Insurers are also moving beyond self-attestation. Major Australian underwriters now use third-party telemetry and external scanning to validate application responses before quoting. They assess external internet traffic patterns, patching levels, and exposure to insecure services. If your application says you patch within 48 hours but your external scan shows unpatched vulnerabilities from six months ago, the discrepancy will surface.

04 / The compliance advantage

Essential Eight and ISO 27001 do most of the insurance work for you.

Organisations that have invested in Essential Eight maturity or ISO 27001 certification already have the evidence base insurers are looking for. The challenge is presenting it in the format underwriters expect.

Essential Eight gives you the technical controls. Six of the eight strategies map directly to underwriting requirements: patching (two strategies), MFA, backups, administrative privilege restriction, and application control. An organisation at Essential Eight ML2 has already implemented the core technical controls most insurers assess.

ISO 27001 gives you the governance controls. Incident response planning, network segmentation, security awareness training, and supplier management are all ISO 27001 Annex A controls that Essential Eight does not cover but insurers require. An ISO 27001 certified organisation can often present its certification in lieu of completing extensive security questionnaires.

Together, they cover almost everything. The only underwriting requirement not directly addressed by either framework is email authentication (SPF, DKIM, DMARC), which is a straightforward configuration exercise. If you have Essential Eight ML2 plus ISO 27001 certification, you have addressed nine of the ten controls insurers check. For a deeper comparison of how these frameworks work together, see our guide to ISO 27001 vs Essential Eight.

05 / Regulatory changes that affect your coverage

New laws change what insurance needs to cover.

The Cyber Security Act 2024 introduced mandatory ransomware payment reporting from 30 May 2025. Organisations with annual turnover exceeding $3 million and SOCI-regulated entities must report any ransomware payment to the Department of Home Affairs within 72 hours, including the amount paid, third-party negotiator involvement, and attacker communications. Failure to report carries penalties of up to $19,000.

This changes the insurance equation in two ways. First, ransomware payments are now visible to government, which may influence future regulatory action. Second, the reporting obligation means organisations need documented processes for payment decisions, something your insurer and their incident response panel will expect to be involved in.

Other regulatory developments affecting cyber insurance include:

  • APRA CPS 230 (effective July 2025) introduces enhanced operational resilience requirements for all APRA-regulated entities, including banks, insurers, and super funds.
  • Privacy Act reforms introduced a statutory tort for serious invasions of privacy (commenced June 2025), with expanded OAIC investigation powers and new civil and criminal penalties.
  • SOCI Act expansions brought data storage systems holding business-critical data within scope, with new Ministerial powers to direct entities post-incident.
  • Lloyd's cyber war exclusions (effective since March 2023) require all syndicate policies to exclude state-backed cyberattacks. While not directly binding on Australian domestic insurers, the guidance is increasingly adopted across the Australian market.

06 / What to do before your next renewal

A practical checklist for your next application.

Whether you are applying for cyber insurance for the first time or approaching renewal, these steps will improve your terms and reduce the risk of claim denial.

  • Audit your MFA coverage honestly. Map every system and access path. If MFA is not enforced on privileged accounts, remote access, email, and cloud services, fix it before the application. Do not declare coverage you do not have.
  • Test your backups. Confirm that backups are immutable or offline, that restoration has been tested within the last quarter, and that you can recover within your stated timeframes. Document the test results.
  • Review your incident response plan. If it has not been tested through a tabletop exercise in the last 12 months, conduct one before renewal. Insurers ask when it was last exercised.
  • Document your patch management cadence. Show evidence that critical vulnerabilities are addressed within 48 hours and that you have visibility of your patching compliance rate.
  • Configure email authentication. SPF, DKIM, and DMARC should be configured and enforced. Given that 60 percent of claims originate from BEC and funds transfer fraud, this control carries significant underwriting weight.
  • Engage your broker early. Share your Essential Eight maturity assessment or ISO 27001 certificate with your broker before the application. This evidence can materially improve the terms they negotiate.
  • Get a baseline assessment. If you are unsure where your controls stand, a Lighthouse Assessment gives you an honest picture of your current posture against both underwriting requirements and compliance frameworks.
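
The first checklist item, and the "coverage percentage and exception count" that the MFA row of the controls table says insurers ask for, both come down to an inventory of access paths reconciled against what the application declares. The script below is an added example, not Cliffside's code or any insurer's form: it groups a constructed inventory of hypothetical systems by the five access-path categories the table lists, reports coverage and exceptions per category, and flags every category where the declaration is stronger than the evidence. In practice the inventory would be exported from the identity provider, the VPN and the backup platform rather than typed in.

```python
"""Reconcile declared MFA coverage with an inventory of access paths.

Added example; not Cliffside's code or any insurer's application form.
The inventory and the declaration are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPath:
    system: str         # where the logon happens (hypothetical names below)
    category: str       # one of the access-path categories underwriters ask about
    mfa_enforced: bool  # enforced for every logon, not merely available or opt-in
    note: str = ""      # why an exception exists, if it does


# Constructed inventory of hypothetical systems, not a real environment.
INVENTORY = [
    AccessPath("M365 Exchange Online", "email", True),
    AccessPath("Legacy IMAP relay for scanner", "email", False, "basic auth, no MFA possible"),
    AccessPath("Perimeter VPN", "remote_access", True),
    AccessPath("Jump host RDP", "remote_access", False, "MFA on firewall only; host accepts password"),
    AccessPath("Domain Admin accounts", "privileged", True),
    AccessPath("Local admin on file server", "privileged", False, "break-glass account"),
    AccessPath("AWS console", "cloud", True),
    AccessPath("Backup console", "backup", False, "vendor console lacks MFA support"),
]

# What was (hypothetically) ticked on the application: MFA everywhere.
DECLARED = {"email": True, "remote_access": True, "privileged": True,
            "cloud": True, "backup": True}


def coverage(inventory):
    """Per category: total paths, enforced count, coverage percentage, exceptions."""
    groups = defaultdict(list)
    for path in inventory:
        groups[path.category].append(path)
    report = {}
    for cat, paths in groups.items():
        enforced = [p for p in paths if p.mfa_enforced]
        exceptions = [p for p in paths if not p.mfa_enforced]
        report[cat] = {
            "total": len(paths),
            "enforced": len(enforced),
            "pct": round(100 * len(enforced) / len(paths), 1),
            "exceptions": [(p.system, p.note) for p in exceptions],
        }
    return report


def reconcile(declared, report):
    """List categories where the declaration is stronger than the evidence.
    A category declared as covered but absent from the inventory is also a
    finding: nothing was measured, so nothing supports the declaration."""
    findings = []
    for cat, said_yes in declared.items():
        if not said_yes:
            continue
        cov = report.get(cat)
        if cov is None:
            findings.append((cat, "declared but no access paths inventoried"))
        elif cov["exceptions"]:
            findings.append((cat, f"declared 100%, measured {cov['pct']}%; "
                                  f"{len(cov['exceptions'])} exception(s)"))
    return findings


if __name__ == "__main__":
    rep = coverage(INVENTORY)
    for cat, c in rep.items():
        print(f"{cat:14} {c['enforced']}/{c['total']} ({c['pct']}%)")
        for system, note in c["exceptions"]:
            print(f"    exception: {system} - {note}")
    for cat, why in reconcile(DECLARED, rep):
        print(f"DISCREPANCY {cat}: {why}")
```

The output is the honest version of the application: cloud is the only category that supports a plain "yes", and each of the other four has a named exception with a reason that can be declared as such. The Jump host RDP entry is the Travelers v International Control Services pattern in miniature: MFA on the firewall does not make the host behind it MFA-protected, and counting it as covered is exactly the misrepresentation that case turned on.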

07 / Cliffside perspective

Insurance is not a substitute for security. It is a consequence of it.

Cyber insurance works best when it is the last line of defence, not the first. Organisations that invest in genuine security controls, evidenced through frameworks like Essential Eight and ISO 27001, get better coverage at lower premiums. Organisations that treat insurance as a substitute for security get denied claims and rescinded policies.

Cliffside helps organisations build the security posture that makes insurance work. We deliver Essential Eight assessments to Maturity Level 3, ISO 27001 certification support from gap analysis through to surveillance, penetration testing, and cybersecurity audits that produce the evidence both regulators and insurers expect to see. We are ISO 27001 certified ourselves.

Frequently asked questions.

What controls do Australian cyber insurers require?
At minimum, insurers assess MFA on email, remote access, and privileged accounts; endpoint detection and response (EDR) on all devices; immutable or offline backups tested regularly; a documented and tested incident response plan; a patch management programme with defined timeframes for critical vulnerabilities; employee security awareness training; privileged access management; and network segmentation. Larger policies may also require email authentication (SPF, DKIM, DMARC) and third-party security assessments.

How much does cyber insurance cost in Australia?
Premiums vary by industry, revenue, and security maturity. Basic coverage for an SME starts from approximately $1,000 to $1,500 per year. Mid-market organisations typically pay $5,000 to $50,000+ depending on coverage limits, which typically range from $1 million to $20 million per occurrence. Organisations with documented Essential Eight or ISO 27001 controls typically pay 20 to 40 percent less than equivalent organisations without a documented security programme.

Can a cyber insurance claim be denied?
Yes. Approximately 40% of cyber insurance claims were denied in 2024. The most common reason is failure to maintain controls that were represented on the application, particularly MFA, which accounts for 37% of denied claims. In the Travelers v International Control Services case, the insurer successfully rescinded the entire policy after the policyholder misrepresented its MFA coverage on the application. The lesson is clear: do not overstate your controls on the application, and maintain evidence that what you declared remains true.

Does Essential Eight compliance reduce cyber insurance premiums?
In practice, yes. The controls Australian underwriters assess map closely to the Essential Eight strategies: patching, MFA, backups, application control, and privileged access management. Organisations that can evidence maturity across these controls report premium reductions of 20 to 40 percent compared to organisations with no documented programme. Essential Eight also simplifies the application process because you already have the evidence insurers are asking for.

Is cyber insurance mandatory in Australia?
Cyber insurance is not legally mandatory for any Australian organisation. However, it is increasingly a practical requirement. Enterprise clients and government procurement often require evidence of cyber insurance. APRA-regulated entities are expected to have adequate insurance coverage as part of their risk management framework under CPS 220. And the Cyber Security Act 2024 mandatory ransomware payment reporting obligations create additional exposure that insurance helps manage.

Know where you stand before your next renewal.

A Lighthouse Assessment maps your controls against both underwriting requirements and compliance frameworks. You'll know exactly what to declare on your application and where the gaps are.