All articles
Strategy · 3 Jul 2025 · 2 min read

Building resilience: cyber insurance trends down under

Cyber insurance in Australia has entered a new phase. As premiums climb and underwriters demand stronger controls, organisations have to align their security practices with policy requirements to secure coverage at sustainable rates. Increasingly, the controls that win a good premium are the same ones that genuinely reduce your risk.

What underwriters now expect

Recent market analysis shows insurers increasingly require evidence of:

  • Multi-factor authentication across all user and privileged accounts, including remote-access portals, ideally phishing-resistant.
  • Patch management with documented processes proving systems are updated within defined SLAs, for example critical patches within 14 days.
  • Incident response plans with formal playbooks, defined roles, communication flows and tested procedures, including at least annual tabletop exercises.
  • EDR and immutable backups, increasingly named explicitly, so a ransomware event can be contained and recovered without paying.

How to position for better terms

  • Pre-submission gap analysis. Review your posture against common insurer checklists and find the glaring omissions, missing SIEM coverage, incomplete asset inventories, before the questionnaire does.
  • Broker partnership. Engage a specialist cyber broker who knows the ANZ market. They can package your maturity narrative, pentest reports, Essential Eight status, ISO 27001 or SOC 2 work, to negotiate a better premium.
  • Continuous evidence. Use posture dashboards like Microsoft Secure Score and export regular snapshots to demonstrate ongoing improvement, not a point-in-time scramble.

Emerging policy traps to watch

  • War-and-terror exclusions. Some policies now carve out nation-state or geopolitical cyber events. Understand the gap and consider supplemental cover.
  • Silent cyber clauses. Underwriters increasingly stipulate that cyber exclusions apply across all peril lines (property, liability) unless explicitly declared. Make sure renewals explicitly include cyber cover.

Frame the premium inside broader resilience planning: "for an annual spend of $X, we transfer the residual risk beyond our control, freeing capital to invest in proactive security." That positions insurance as a strategic risk-management tool, not a compliance checkbox.

The fastest way to a stronger insurance position is to close the control gaps first. That is what a cyber health check delivers, and it maps directly to the Essential Eight controls underwriters now ask about, backed by endpoint security and immutable Veeam backups.

Could you answer your insurer's questionnaire with evidence?