Cyber Insurance IT Requirements: What Insurers Expect
Cyber insurance is no longer optional for most Australian businesses. Clients require it. Industry bodies recommend it. And the cost of a breach without coverage can shut a small business down entirely.
But getting a policy is only half the battle. The harder part is making sure your claim gets paid when you need it.
Insurers are getting smarter. They are asking more detailed questions about your IT controls during the application process, and they are using those answers to deny claims after an incident. If you said you had multi-factor authentication enabled but it was only turned on for some accounts, your claim may be rejected.
Here is what insurers actually look for, and what you need to have in place before you sign that policy.
Why claims get denied
The most common reason cyber insurance claims are denied is a gap between what the business said on the application and what was actually in place at the time of the incident.
This is not always deliberate. Often the person filling in the application form does not fully understand the questions, or they give an optimistic answer based on what they think is in place rather than what they can prove.
Insurers investigate claims. They bring in forensic teams. If the investigation reveals that a security control was missing or misconfigured, and that control was listed as "in place" on the application, the insurer has grounds to deny the claim.
The takeaway: never overstate your security posture on an insurance application. It is better to be honest, fix the gaps, and reapply than to have a claim denied when your business is already in crisis.
Multi-factor authentication
MFA is the first thing every insurer asks about. It is non-negotiable. If you do not have MFA enabled on all user accounts, most insurers will not even offer you a policy.
But "we have MFA" is not enough. Insurers want to know:
- Is MFA enforced for all users, including administrators?
- Does MFA cover remote access, email, and cloud applications?
- Is MFA required for VPN connections?
- Are there any accounts that bypass MFA?
If the answer to any of these is no, you have a gap. One unprotected admin account is enough for an insurer to deny a claim.
Endpoint protection
Antivirus is not enough anymore. Insurers expect endpoint detection and response (EDR) on all devices. EDR goes beyond traditional antivirus by monitoring behaviour, detecting anomalies, and responding to threats in real time.
Your insurer will want to know:
- Is EDR deployed on all endpoints, including laptops, desktops, and servers?
- Is it centrally managed and monitored?
- Are alerts being reviewed and acted on?
- Is the software kept up to date?
Having EDR installed but nobody monitoring the alerts is almost as bad as not having it at all. Insurers understand this and will ask about your monitoring process.
Backup and recovery
Ransomware is the most common claim type. Insurers want to know that you can recover without paying the ransom. That means backups, and not just any backups.
The requirements typically include:
- Regular backups: Daily at minimum. Hourly for critical systems.
- Offline or immutable copies: Backups that cannot be encrypted or deleted by ransomware. This usually means air-gapped storage or immutable cloud backups.
- Tested restores: Can you actually restore from your backups? When was the last time you tested? Insurers increasingly ask for evidence of restore testing.
- Defined recovery time: How long does it take to restore operations? Do you have a documented recovery plan?
If your backups are sitting on a network drive that is accessible from any workstation, they are vulnerable to the same ransomware attack that takes out everything else. Insurers know this.
Patch management
Unpatched systems are one of the most common entry points for attackers. Insurers expect a documented patch management process that covers:
- Operating system updates applied within a defined timeframe (typically 14 days for critical patches)
- Application patches for key software like browsers, PDF readers, and Office
- Firmware updates for network equipment
- A process for identifying and tracking which systems need patching
"We have automatic updates turned on" is a start, but it is not a complete answer. Automatic updates do not cover every application, and they can fail silently. A proper patch management process verifies that patches are actually applied.
Security awareness training
People are the most common entry point for cyber attacks. Phishing emails, social engineering, and credential theft all target humans, not systems. Insurers now expect regular security awareness training for all staff.
This typically includes:
- Annual training at minimum, with quarterly refreshers preferred
- Simulated phishing exercises to test whether training is working
- Records showing who completed training and when
- Training for new starters as part of onboarding
A one-off training session from three years ago will not satisfy a modern insurer. They want to see an ongoing program with measurable results.
Incident response plan
Having a plan for what to do when something goes wrong is increasingly a requirement, not just a nice-to-have. Your incident response plan should cover:
- Who to contact (internal and external)
- How to contain the incident
- How to communicate with affected parties
- How to preserve evidence for investigation
- Recovery procedures
- Post-incident review process
Insurers want to see that this plan exists, that relevant staff know about it, and that it has been tested or reviewed within the last 12 months.
How Essential Eight alignment helps
If the list above looks familiar, it should. The controls insurers require map closely to the Australian Signals Directorate's Essential Eight framework. Achieving Maturity Level Two of the Essential Eight satisfies most of the technical requirements insurers look for.
This is not a coincidence. The Essential Eight was designed to address the most common attack vectors, and those are the same attack vectors that generate the most insurance claims.
Aligning your IT controls to the Essential Eight does double duty: it reduces your actual risk of a breach, and it gives you a strong foundation for cyber insurance compliance.
What to do next
If your business has cyber insurance, or is applying for it, start with an honest assessment of where you stand against the requirements listed above. Do not guess. Verify.
Check your MFA configuration. Confirm your EDR is deployed and monitored. Test your backups. Review your patch management process. Make sure your staff have completed training in the last 12 months.
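To make "Do not guess. Verify." concrete, here is an added example (not code from the article or from the author's health check) that applies the thresholds stated above to a constructed inventory and reports which application answers the evidence would contradict. The inventory layout, field names and sample data are assumptions for illustration.

```python
from datetime import date, timedelta

# Thresholds the article states: 14 days for critical patches, backups at least
# daily, restore tests and training within the last 12 months.
PATCH_SLA, ANNUAL = timedelta(days=14), timedelta(days=365)

def find_gaps(inv, today):
    """Return (control, detail) pairs where the evidence contradicts 'in place'."""
    gaps = []
    for a in inv["accounts"]:
        if not a["mfa"] or a["mfa_exempt"]:
            role = "admin" if a["admin"] else "user"
            gaps.append(("mfa", f"{role} account {a['user']} is not protected by MFA"))
    for e in inv["endpoints"]:
        if not e["edr"]:
            gaps.append(("edr", f"{e['host']} has no EDR agent"))
        released = e["oldest_missing_critical"]  # release date of oldest unapplied critical patch
        if released and today - released > PATCH_SLA:
            gaps.append(("patching", f"{e['host']} critical patch outstanding {(today - released).days} days"))
    b = inv["backup"]
    if b["frequency_hours"] > 24:
        gaps.append(("backup", "backups run less often than daily"))
    if not b["immutable_copy"]:
        gaps.append(("backup", "no offline or immutable backup copy"))
    if b["last_restore_test"] is None or today - b["last_restore_test"] > ANNUAL:
        gaps.append(("backup", "no restore test in the last 12 months"))
    for user, done in inv["training"].items():
        if done is None or today - done > ANNUAL:
            gaps.append(("training", f"{user} has no training record in the last 12 months"))
    return gaps

def claims_at_risk(answers, gaps):
    """Controls ticked 'yes' on the application that the evidence contradicts."""
    contradicted = {control for control, _ in gaps}
    return sorted(c for c, claimed in answers.items() if claimed and c in contradicted)

# Constructed sample inventory and application answers (hypothetical, not from the page).
INVENTORY = {
    "accounts": [{"user": "alice", "admin": True, "mfa": True, "mfa_exempt": False},
                 {"user": "svc-legacy", "admin": True, "mfa": False, "mfa_exempt": True},
                 {"user": "bob", "admin": False, "mfa": True, "mfa_exempt": False}],
    "endpoints": [{"host": "laptop-01", "edr": True, "oldest_missing_critical": None},
                  {"host": "server-01", "edr": False, "oldest_missing_critical": date(2025, 5, 1)}],
    "backup": {"frequency_hours": 24, "immutable_copy": True, "last_restore_test": date(2024, 5, 1)},
    "training": {"alice": date(2025, 2, 1), "bob": date(2023, 9, 1)},
}
ANSWERS = {"mfa": True, "edr": True, "patching": True, "backup": True, "training": True}
AUDIT_DATE = date(2025, 6, 30)
```

Running `claims_at_risk(ANSWERS, find_gaps(INVENTORY, AUDIT_DATE))` on the sample data flags every control the application claimed, which is exactly the situation the article warns leads to a denied claim.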
Not sure if your IT meets your insurer's requirements? Our free IT health check includes a cyber readiness assessment. We will map your current controls against what insurers expect and show you exactly where the gaps are. No obligation.