Cyber Insurance in Australia: What Insurers Actually Ask (and How to Prepare)

Cyber insurance applications are getting tougher. Here's what Australian insurers are asking, how it maps to the Essential Eight, and how to prepare.

Cas, 19 January 2026, 9 min read

If you've applied for or renewed a cyber insurance policy recently, you've probably noticed the forms are getting longer and the questions are getting harder. That's not a coincidence.

Australian cyber insurers have been hit hard by a surge in claims, and they're responding by tightening requirements. Understanding what they're looking for, and how it connects to the Essential Eight, can save you money, time, and a lot of stress.

Why Insurers Care About the Essential Eight

Insurers care about the same thing you do: reducing the chance of an incident. The Essential Eight isn't just government advice. It's a practical, evidence-based framework that directly addresses the most common attack vectors. When an insurer asks about your controls, they're essentially asking: "Have you done the basics?"

Businesses with strong baseline controls are less likely to make claims, and insurers price their policies accordingly. Some insurers offer discounts for demonstrable Essential Eight maturity. Others won't offer coverage without it.

What Insurers Typically Ask About

While every insurer's form is different, the questions cluster around the same themes, all of which map directly to Essential Eight strategies:

Multi-Factor Authentication

"Is MFA enabled on all remote access, email, and privileged accounts?" This is often a hard requirement. If you answer no, you may be declined outright. MFA is the single most asked-about control on Australian cyber insurance applications.

Patching and Updates

"Do you have a patch management process? How quickly are critical patches applied?" Insurers want to know that you're not running outdated, vulnerable software. They may ask specifically about internet-facing systems.

Backups

"Are backups performed regularly? Are they stored separately from your main network? Have you tested restores?" Backups are your last line of defence against ransomware, and insurers know it. They want evidence, not assurance.

Access Controls

"Who has administrative access? How is it managed?" Excessive admin privileges are a major risk factor. Insurers increasingly ask about the principle of least privilege and whether admin accounts are separated from daily-use accounts.

Endpoint Protection

"Do you use endpoint detection and response (EDR) or antivirus on all devices?" While not directly an Essential Eight strategy, this question often comes alongside application control and user application hardening questions.

How a Self-Assessment Helps

A self-assessment won't satisfy an insurer on its own. They require independently verified evidence for claims. But it does two critical things:

  • It helps you answer the application honestly. You'll know what's actually in place, not what you assume is in place.
  • It identifies gaps before you apply, so you can fix them and get a better policy at a better price.

Never misrepresent your security posture on an insurance application. If you claim to have MFA everywhere and you don't, your claim can be denied when an incident occurs. Honesty is both the legal and the practical choice.

What to Do Before Your Next Renewal

  • Run a self-assessment to understand your current posture across all 8 strategies.
  • Focus on MFA, patching, and backups. These are the three controls insurers care about most.
  • Document what you've implemented. Screenshots, configuration exports, and provider confirmations all count.
  • Ask your IT provider for a written summary of your security controls.
  • Keep records of when controls were implemented and when they were last reviewed.

The Bottom Line

Cyber insurance is not a substitute for cybersecurity, and cybersecurity is not a substitute for insurance. You need both. But the better your security posture, the better your insurance terms, and the less likely you are to need to make a claim in the first place.

Start with a free self-assessment to understand where you stand, close the gaps that matter most, and walk into your next insurance conversation with confidence.
