Cyber insurance has gone from a nice-to-have to a near-essential for Australian businesses — but qualifying for it, and keeping a policy valid, has become considerably harder. After years of heavy payouts, insurers have tightened their requirements dramatically. Today's application is a detailed security questionnaire, and the way you answer it has consequences that go well beyond your premium.
Why Insurers Got Strict
A wave of ransomware and business email compromise claims taught insurers that many businesses were carrying far more risk than their premiums reflected. The response was predictable: rather than simply raising prices, insurers now require applicants to demonstrate baseline security controls before they'll offer cover at all. In effect, the questionnaire has become a security audit.
What Insurers Now Ask
While wording varies between insurers, the questions cluster around a recognisable set of controls. Expect to be asked whether you enforce multi-factor authentication on email, remote access and administrative accounts. Expect questions about how quickly you patch operating systems and applications, how you back up your data and whether those backups are tested and kept offline or immutable. Expect questions about who holds administrative privileges, what endpoint protection you run, and whether staff receive security awareness training.
If those controls sound familiar, it's because they map closely to the Australian Signals Directorate's Essential Eight. Insurers have effectively adopted a similar baseline as their entry requirement.
The Critical Risk: Inaccurate Answers
Here's the part that catches businesses out. The questionnaire forms part of your contract with the insurer. If you answer "yes, we enforce MFA everywhere" to secure a policy, and a breach later reveals that MFA wasn't actually in place, the insurer can decline the claim — leaving you with both the breach costs and no cover. The questionnaire is not a formality; it's a set of warranties you're making.
This means the goal isn't to answer favourably. It's to answer accurately and favourably — which requires actually implementing the controls before you sign.
How to Become Genuinely Ready
Getting cyber insurance ready is a practical exercise. Start by honestly assessing your current controls against what insurers ask, which surfaces the gaps. The highest-impact fixes are usually enforcing MFA across the board and removing unnecessary administrative privileges, followed by tightening your patching cadence and verifying that backups are tested and ransomware-resilient.
Just as important is the evidence. Insurers — and increasingly, larger clients running vendor security reviews — want documentation, not assurances. Reporting that demonstrates your patch cadence, MFA enforcement and backup testing turns a stressful questionnaire into a straightforward one.
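The two paragraphs above describe an assessment loop: inventory the controls insurers ask about, find the gaps, and answer only what the evidence supports. The following is an added example (not code from the original article or from the firm behind it) of that loop in Python: it takes constructed inventory records of the kind an identity, patch-management or backup system would export, evaluates them against assumed questionnaire controls and thresholds, and produces a truthful Yes/No per control together with the items that prevent a "yes". The control names, thresholds and sample records are all assumptions for illustration, not any insurer's actual form.

```python
"""Map control inventory to cyber-insurance questionnaire answers you can warrant.

Added example. The control names, thresholds and inventory records are
constructed for illustration and are not taken from any insurer's form.
"""
from dataclasses import dataclass
from datetime import date

# Assumed thresholds; use the ones your own policy wording specifies.
MAX_PATCH_AGE_DAYS = 14          # host is "on cadence" if patched within this window
MAX_RESTORE_TEST_AGE_DAYS = 90   # a backup set needs a restore test this recently


@dataclass
class Account:
    name: str
    is_admin: bool
    remote_access: bool   # VPN / RDP / remote-management entitlement
    mfa: bool


@dataclass
class Host:
    name: str
    last_patched: date


@dataclass
class BackupSet:
    name: str
    last_restore_test: date
    immutable: bool       # an offline or immutable copy exists


def control_result(gaps, evidence):
    # A control is only warrantable as "yes" when nothing is left in the gap list.
    return {"answer": not gaps, "gaps": list(gaps), "evidence": evidence}


def assess(accounts, hosts, backups, today):
    """One entry per questionnaire control: truthful answer, blocking items, evidence line."""
    results = {}

    no_mfa = [a.name for a in accounts if not a.mfa]
    results["mfa_on_all_accounts"] = control_result(
        no_mfa, f"{len(accounts) - len(no_mfa)}/{len(accounts)} accounts enforce MFA")

    privileged = [a for a in accounts if a.is_admin or a.remote_access]
    priv_no_mfa = [a.name for a in privileged if not a.mfa]
    results["mfa_on_admin_and_remote"] = control_result(
        priv_no_mfa, f"{len(privileged) - len(priv_no_mfa)}/{len(privileged)} admin/remote accounts enforce MFA")

    # Insurers ask who holds admin rights rather than for a yes/no, so answer is None
    # and the gap list is simply the roster to review for unnecessary privilege.
    admins = [a.name for a in accounts if a.is_admin]
    results["admin_accounts"] = {"answer": None, "gaps": admins,
                                 "evidence": f"{len(admins)} accounts hold administrative privileges"}

    stale = [h.name for h in hosts if (today - h.last_patched).days > MAX_PATCH_AGE_DAYS]
    results["patched_within_cadence"] = control_result(
        stale, f"{len(hosts) - len(stale)}/{len(hosts)} hosts patched within {MAX_PATCH_AGE_DAYS} days")

    untested = [b.name for b in backups
                if (today - b.last_restore_test).days > MAX_RESTORE_TEST_AGE_DAYS]
    results["backups_tested"] = control_result(
        untested, f"{len(backups) - len(untested)}/{len(backups)} backup sets restore-tested within {MAX_RESTORE_TEST_AGE_DAYS} days")

    mutable = [b.name for b in backups if not b.immutable]
    results["backups_offline_or_immutable"] = control_result(
        mutable, f"{len(backups) - len(mutable)}/{len(backups)} backup sets have an offline/immutable copy")
    return results


def questionnaire_answers(results):
    """The word you can honestly put on the form for each yes/no control."""
    return {name: ("Yes" if r["answer"] else "No")
            for name, r in results.items() if r["answer"] is not None}


def demo(today=date(2024, 6, 1)):
    # Constructed inventory, standing in for exports from identity, RMM and backup tooling.
    accounts = [
        Account("alice", is_admin=True, remote_access=True, mfa=True),
        Account("bob", is_admin=False, remote_access=False, mfa=True),
        Account("svc-backup", is_admin=True, remote_access=True, mfa=False),  # the gap
        Account("carol", is_admin=False, remote_access=True, mfa=True),
    ]
    hosts = [
        Host("fs01", date(2024, 5, 25)),
        Host("web01", date(2024, 5, 20)),
        Host("dc01", date(2024, 5, 30)),
    ]
    backups = [
        BackupSet("nightly", last_restore_test=date(2024, 4, 15), immutable=True),
        BackupSet("archive", last_restore_test=date(2024, 1, 10), immutable=False),
    ]
    return assess(accounts, hosts, backups, today)


if __name__ == "__main__":
    res = demo()
    for name, r in res.items():
        gap_note = f"  gaps: {r['gaps']}" if r["gaps"] else ""
        print(f"{name:30} {r['evidence']}{gap_note}")
    print(questionnaire_answers(res))
```

The design point is that a control only becomes "Yes" when its gap list is empty; a single unenrolled admin or service account turns the MFA answer to "No", which is exactly the situation the article warns about. The evidence strings are what you keep alongside the form, and the gap lists are the remediation backlog.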
The Wider Benefit
The effort isn't wasted on insurance alone. The same controls that satisfy an insurer genuinely reduce your risk of a breach in the first place, and the same evidence answers the security questionnaires that clients and tenders now require. Becoming insurance-ready is, in practice, becoming more secure.
If your renewal is approaching, or you've been handed a questionnaire you're not sure how to answer truthfully, [book a free IT review](/book-review). We'll benchmark your current posture, close the gaps that matter, and make sure your answers stand up.