Cyber insurance requirements — Australia

Cyber Insurance Requirements in Australia (and How to Meet Them)

Insurers no longer take your word for it. They require proof of specific controls before they cover you — and if a declared control wasn't really in place, they can cut or refuse the payout. Here's what they check, why claims fail, and how to know you'd pass.

Free PDFCover of the Vintaris briefing: When the Insurer Moves the Goalposts Download to read
Free briefingWhen the Insurer Moves the GoalpostsDownload →
1 in 5
Australian businesses wouldn't survive a major cyber attack
Every 6 min
a cybercrime is reported to the ASD's ACSC
Refused
claims get cut or denied when a declared control — often MFA — wasn't actually in place
The shift

Why the requirements tightened

Facing rising ransomware payouts, insurers moved from trusting what applicants declare to verifying it — sometimes by scanning you from the outside.

The result: you can pay premiums for years and still be refused, because your real security setup never matched what the policy assumed.

The baseline

The controls insurers now require

No single universal checklist, but this is the common baseline for cover in Australia. For each: is it fully in place — and could you prove it?

Multi-factor authentication

Email, remote access, cloud and every admin account — with proof.

Endpoint detection & response

Behaviour-based protection on every device, not signature AV.

Immutable, tested backups

Ransomware can't touch them — and you've tested the restore.

Email security & training

Filtering, SPF/DKIM/DMARC, and regular staff awareness training.

Patch & vulnerability mgmt

Critical updates applied promptly, internet-facing systems first.

Privileged access management

Admin rights restricted, reviewed and logged.

Incident response plan

Documented and tested — before you ever need it.

Payment-change verification

Second-channel check before any supplier or payroll bank change.

The catch:underwriters accept evidence, not "we think so." The gap between the two is where claims get refused.

Framework fit

How it maps to the Essential Eight

If you've started the ASD's Essential Eight you've done much of the technical work. ISO 27001 adds the governance layer underwriters also want.

Essential Eight Maturity Level 2 + documented governance covers most of what an underwriter asks for. If an insurer says "SOC 2," clarify what evidence they'll actually accept — documented E8 alignment is more achievable and locally recognised.

  • Multi-factor authenticationEssential Eight
  • Patching & updatesEssential Eight
  • Tested backupsEssential Eight
  • Restrict admin privilegesEssential Eight
  • Application controlEssential Eight
  • Incident response planningISO 27001
  • Staff security trainingISO 27001
  • Third-party / vendor riskISO 27001
Failure modes

Why claims get refused

Refused claims almost always trace to a control that was declared but not maintained.

Untested backups

A ransomware claim refused because backups were never test-restored.

MFA gaps

A breach claim refused because MFA wasn't enabled everywhere it was declared.

No tested recovery plan

A business-interruption claim refused because the plan was never exercised.

Ransomware

The rules that catch people out

Ransomware is the threat insurers worry about most — and the one with the most fine print.

Notify first

Most policies require you to notify the insurer and use their approved responders before acting.

Don't pay alone

Paying a ransom without insurer consent can void the payout entirely.

72-hour report

Businesses over $3M turnover must report a ransom payment to government within 72 hours (Cyber Security Act 2024).

Sanctions risk

Paying a sanctioned entity may breach Australian sanctions law regardless of cover.

The assessment

Could you satisfy an underwriter today?

A Vintaris cyber insurance risk assessment answers that in four steps — so a claim can't be refused on a technicality.

1

Map your posture

We assess your real controls against what insurers require and attackers exploit.

2

Find the gaps

Where 'we think so' and 'we can prove it' diverge — documented, with evidence.

3

Prioritised plan

A ranked, practical plan to close gaps before renewal — biggest risk first.

4

Renewal-ready

You can answer the questions, insure on good terms, and are genuinely more secure.

Cover of the Vintaris briefing: When the Insurer Moves the Goalposts
Free briefing

When the Insurer Moves the Goalposts

The framework decoder (SOC 2 vs Essential Eight vs ISO 27001) and a ten-minute readiness self-check, in plain English. Enter your details on the next page to download it.

Download the briefing →
FAQ

Frequently asked questions

What do Australian insurers require for cyber insurance?

Insurers commonly require multi-factor authentication, endpoint detection and response (EDR), immutable and tested backups, email security with staff training, timely patching, privileged access management, and a documented incident response plan. Requirements vary by insurer; there is no single universal checklist.

Why was my cyber insurance claim denied?

The most common reason is failure to maintain a control that was declared on the application — most often MFA. It is typically a control failure rather than a policy exclusion: the policy assumed a control that wasn't actually in place, so the loss falls outside what was underwritten.

Does Essential Eight compliance meet cyber insurance requirements?

The Essential Eight covers much of the technical side — MFA, patching, backups, restricting admin privileges — but not governance controls like incident response, staff training and third-party risk, which insurers also check. Essential Eight Maturity Level 2 plus documented governance addresses most requirements.

Is cyber insurance mandatory in Australia?

No law requires every business to hold cyber insurance, but some contracts, tenders, lenders and regulated industries require it — and insurers require certain security controls before they will offer cover.

How can I reduce my cyber insurance premium?

Documenting a security programme (such as Essential Eight alignment) and evidencing controls like MFA, tested backups and patching can reduce premiums meaningfully compared with businesses that cannot demonstrate the same.

Alexandra Gada

Security architect, Vintaris

Ex-CrowdStrike analyst and digital-forensics / incident-response specialist focused on security maturity for Australian mid-market businesses. Author of a research thesis on the Privacy Act and cybersecurity maturity models, and the reviewer behind Vintaris' cyber-insurance guidance.

  • GCFA — GIAC Certified Forensic Analyst
  • CrowdStrike Falcon: CCFA · CCFR · CCFH
  • Splunk
  • Okta
  • (ISC)²
  • Microsoft

This guide is general information and is not legal, financial or insurance advice. Insurer requirements, coverage and legal obligations vary by policy and circumstance and change over time. Confirm your specific position with your insurance broker and, where relevant, a qualified legal adviser. Vintaris provides cybersecurity assessment and advisory services and is not a licensed insurance or legal adviser.

Free Guide

1 in 5 businesses don't survive a major cyber attack.

And a cybercrime is reported in Australia every six minutes. The question isn't whether you'll be targeted. It's whether you'd survive it.

Download the free guide