Two years ago, getting cyber insurance in Australia was mostly a paperwork exercise. You filled out a questionnaire, ticked some boxes, and a policy arrived. Those days are over.
Insurers have paid out billions globally on ransomware claims, business email compromise incidents, and data breaches — many of which could have been prevented with basic security controls. The result is a fundamental shift in how underwriting works. In 2026, cyber insurance isn't something you buy — it's something you qualify for.
The good news is that the Australian cyber insurance market is softening after several years of rising premiums. Rates in the Pacific region fell approximately 10% during 2025, and more capacity is entering the market. But that doesn't mean it's getting easier to qualify. Insurers are still demanding proof of real security controls. They're just competing more on price for businesses that can demonstrate maturity.
What underwriters are actually looking for
When an underwriter reviews your application, they're answering one core question: how likely is this business to suffer a major cyber incident, and how well-prepared are they to handle it? To answer that, they consistently evaluate five areas.
1. Multi-factor authentication. This is non-negotiable. For over half of businesses, having MFA deployed is a precondition just to qualify for coverage. Underwriters specifically look for MFA on remote access (VPN, RDP), email accounts (Microsoft 365, Google Workspace), and all privileged or admin accounts. Saying "we have MFA available" isn't enough — they want to know it's enforced and mandatory, not optional for users to enable.
2. Endpoint detection and response (EDR). Traditional antivirus is no longer sufficient. Insurers want to see active EDR on all endpoints — laptops, desktops, and servers. They want to know the platform (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint), whether it's monitored, and whether alerts are being responded to. Some carriers require EDR as a condition of coverage.
3. Backup and recovery. Insurers know that a good backup can prevent a ransomware payout entirely. They ask how frequently you back up, whether backups are stored offline or in an immutable format, and critically, whether you've tested restoring from backup. Documented restore testing is becoming a standard underwriting requirement — if you can't prove your backups work, insurers treat them as if they don't exist.
4. Patching and vulnerability management. Unpatched systems are a leading cause of claims. Underwriters ask whether you apply critical patches within a defined timeframe (typically 14-30 days), whether you have automated patch management, and whether you have a process for identifying and addressing vulnerabilities. The presence of end-of-life, unsupported software in your environment is a significant red flag.
5. Employee security training. Human error accounted for 37% of data breach notifications to the Office of the Australian Information Commissioner (OAIC) in the first half of 2025. Insurers know that phishing is the entry point for most breaches, so they look for regular security awareness training and simulated phishing campaigns. Not having a training program can result in higher premiums or reduced coverage for social engineering losses.
What gets your application rejected
Based on what we're seeing in the market, here are the most common reasons Australian businesses are being denied coverage or facing significant premium increases:
- No MFA on email or remote access. This is the single most common disqualifier. If your Microsoft 365 tenant doesn't have MFA enforced, most insurers won't even quote.
- End-of-life operating systems. Running Windows Server 2012 or older in production signals to an underwriter that you have known, unpatched vulnerabilities in your environment.
- No EDR or managed antivirus. Basic consumer antivirus doesn't meet the bar anymore. Insurers want enterprise-grade endpoint protection with active monitoring.
- No backup testing evidence. Having a backup solution is expected. Having proof that you've tested restoration is what separates approved applications from rejected ones.
- No incident response plan. Underwriters increasingly want to see a documented plan for what happens when a breach occurs — who to call, what to do in the first few hours, and how to contain the damage.
Coverage exclusions to watch for
Even if you're approved for a policy, read the exclusions carefully. A growing trend in 2026 is coverage exclusion for preventable incidents. Insurers are increasingly refusing to cover incidents that could have been prevented with basic controls. Your policy might specifically exclude ransomware losses if MFA wasn't enabled, data breach costs if unpatched systems were the entry point, or business interruption if backups weren't maintained.
This means that doing "just enough" to get a policy doesn't guarantee you're actually protected. If an incident occurs and the insurer's investigation reveals that the controls you attested to weren't actually in place, your claim can be denied.
How to prepare before renewal
The worst time to discover you don't meet insurer requirements is during your renewal process. Here's what we recommend doing well before your policy comes up:
Audit your MFA coverage. Log into your Entra ID admin centre and check what percentage of users have MFA enforced (not just registered — enforced). Check admin accounts specifically. If it's not 100%, fix it before renewal.
Document your patching process. Can you show an underwriter your average patch deployment time? Can you prove that critical patches are applied within 14 days? If not, implement automated patch management and start collecting the evidence.
Test your backups and document it. Run a restoration test, screenshot the results, and save it. Do this quarterly. It takes an hour and it's the easiest underwriting box to tick.
Deploy EDR if you haven't already. If you're still running basic antivirus, upgrade to a proper EDR platform. Microsoft Defender for Endpoint is included in M365 E5 and Business Premium — you might already be paying for it.
Start a security awareness program. Even a basic annual training session with quarterly phishing simulations is enough to satisfy most underwriters. It's also one of the most cost-effective security investments you can make.
Get a readiness assessment. Have someone independent review your environment against common insurer requirements before you fill out that renewal questionnaire. It's much better to find the gaps yourself than to have the underwriter find them for you.
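The MFA audit step above can be scripted rather than eyeballed in the portal. The PowerShell below is an added example, not code from the article; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the read permissions requested on the first line, and it treats "enforced" as "an enabled Conditional Access policy requiring MFA for all users and all apps, or Security Defaults on".

```powershell
# Added example (not from the original article): measure Entra ID MFA coverage the way an
# underwriter would want it, separating "registered" from "enforced by policy".
# Assumes the Microsoft.Graph SDK and the read-only scopes below; the member/admin split and
# the definition of "tenant-wide" are this example's own choices.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All","Policy.Read.All" -NoWelcome

# 1. Registration: which users, and which admins, have any MFA method registered at all.
$reg     = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$members = $reg | Where-Object { $_.UserType -eq "member" }
$admins  = $members | Where-Object { $_.IsAdmin }

function Get-MfaRegisteredPct($subset) {
    if ($subset.Count -eq 0) { return 0 }
    [math]::Round(100 * ($subset | Where-Object { $_.IsMfaRegistered }).Count / $subset.Count, 1)
}
"MFA registered: {0}% of {1} members, {2}% of {3} admins" -f `
    (Get-MfaRegisteredPct $members), $members.Count, (Get-MfaRegisteredPct $admins), $admins.Count

# Admins without MFA are the finding an underwriter cares about most; name them.
$admins | Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, DefaultMfaMethod | Format-Table -AutoSize

# 2. Enforcement: registration proves nothing unless a policy actually requires MFA.
if ((Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled) {
    "Security Defaults are enabled: MFA is enforced tenant-wide without Conditional Access."
}
$policies  = Get-MgIdentityConditionalAccessPolicy -All
$enforcing = $policies | Where-Object {
    $_.State -eq "enabled" -and
    ($_.GrantControls.BuiltInControls -contains "mfa" -or $null -ne $_.GrantControls.AuthenticationStrength) -and
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.Conditions.Applications.IncludeApplications -contains "All"
}
if ($enforcing) {
    "Tenant-wide MFA enforced by: " + ($enforcing.DisplayName -join ", ")
    # Exclusions are where "enforced" quietly stops being true; surface them for review.
    foreach ($p in $enforcing) {
        if ($p.Conditions.Users.ExcludeUsers -or $p.Conditions.Users.ExcludeGroups) {
            "  {0} excludes {1} users / {2} groups" -f $p.DisplayName,
                $p.Conditions.Users.ExcludeUsers.Count, $p.Conditions.Users.ExcludeGroups.Count
        }
    }
} else {
    "No enabled Conditional Access policy requires MFA for all users and all apps."
    $reportOnly = $policies | Where-Object {
        $_.State -eq "enabledForReportingButNotEnforced" -and $_.GrantControls.BuiltInControls -contains "mfa"
    }
    if ($reportOnly) { "Report-only MFA policies (not enforced): " + ($reportOnly.DisplayName -join ", ") }
}
```

Save the output with the date alongside your backup restore screenshots; the admin list and the policy names are exactly the evidence a renewal questionnaire asks for.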
The bigger picture
The Australian cyber insurance market is forecast to grow from around $467 million in 2025 to nearly $2 billion by 2034. That growth reflects both the increasing frequency of cyber incidents and the reality that insurance is becoming a standard business requirement — not just for large enterprises, but for SMBs as well.
The businesses that will benefit most from this expanding market are the ones that treat cybersecurity as an ongoing practice rather than an annual checkbox. Insurers reward maturity. Businesses that can demonstrate real, operational security controls consistently receive lower premiums, broader coverage, and fewer exclusions.
The message is clear: cybersecurity and cyber insurance are no longer separate conversations. Your security posture is your insurance posture.