Cyber Insurance Checklist for Australian Businesses
The controls Australian insurers check before they quote — mapped across the five underwriting domains that Coalition, Chubb, Beazley, and AIG use. Work through this list before your next application or renewal.
How to use this checklist
Work through each domain. For items you haven't implemented, estimate the effort to fix them and prioritise based on insurer impact. Items marked as non-negotiable should be addressed before you apply — missing these will result in a declined application or significantly worse terms. Run our free 20-question assessment to get a scored readiness report across all five domains that you can share directly with your broker.
The Underwriting Checklist
Identity & Access Management
MFA on email: the single most common reason for a declined application. Must be on all mailboxes, not just admin accounts.
MFA on remote access: exposed RDP without MFA is a leading ransomware entry point, and insurers ask about it specifically. Put RDP behind a VPN or gateway that enforces MFA rather than exposing port 3389 to the internet.
MFA on cloud and SaaS admin consoles: AWS, Azure, and any SaaS platform used by admin staff.
Separate admin accounts: admin accounts should not be used for email and browsing. This is the basis of privileged access management.
Privileged account review: review all admin accounts and remove unnecessary privileges; disable or delete accounts that no longer need admin rights.
Required by some insurers at higher coverage levels. ACSC Essential Eight ML2+ from Oct 2024.
Backup & Recovery
Daily backups: daily backups of all data required to run the business, not just servers.
Isolated backups: backups reachable from the production network with production credentials can be encrypted or deleted by ransomware. Use offline media, immutable storage, or cloud storage with separate credentials.
Restore testing: insurers increasingly ask for the date of the last successful restore test. "We have backups" is no longer sufficient; record what was restored, when, and how long it took.
Recovery time: know how long recovery from a complete loss will take (your RTO). This affects your business interruption coverage.
Backup deletion protection: if an attacker compromises your admin account, can they also delete your backups? The answer should be no: the backup console needs its own credentials with MFA, and retention should be enforced by immutability rather than by policy alone.
Email Security
DMARC: prevents attackers from spoofing your email domain, but only once the policy is enforcing (p=quarantine or p=reject); p=none only reports. Asked about in most underwriting questionnaires.
SPF and DKIM: the email authentication records DMARC relies on. Both must be correctly configured for DMARC to work, and SPF must stay within its limit of 10 DNS lookups.
Advanced anti-phishing: Microsoft Defender for Office 365 or equivalent. Basic spam filtering is not sufficient.
Not always required, but positively viewed during underwriting and reduces premium in some policies.
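The three email authentication items above are usually answered with "yes, we have SPF, DKIM and DMARC", but a record that exists is not the same as a record that protects you. The following linter is an added example, not code from the original page: it takes the TXT record strings for a domain (constructed sample records below; in practice you would fetch them with a DNS resolver such as `dig +short TXT _dmarc.example.com`) and reports the configurations an underwriter's questionnaire will not catch, such as `+all` in SPF, `p=none` in DMARC, and an empty DKIM key.

```python
"""Offline SPF / DKIM / DMARC record linter (added example, not from the page).

Sample records below are constructed; example.com is a placeholder domain.
"""
from typing import Dict, List, Optional

# SPF terms that each cost one DNS lookup; RFC 7208 s4.6.4 caps the total at 10.
LOOKUP_MECHANISMS = ("a", "mx", "ptr")
LOOKUP_PREFIXES = ("include:", "exists:", "redirect=", "a:", "a/", "mx:", "mx/", "ptr:")


def check_spf(record: Optional[str]) -> List[str]:
    """Flag SPF records that fail open or exceed the lookup limit."""
    if not record or not record.split():
        return ["SPF: no record; receivers cannot tell which hosts may send as you"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        body = t.lstrip("+-~?")
        if body == "all":
            all_qualifier = t[0] if t[0] in "+-~?" else "+"  # default qualifier is pass
        elif body in LOOKUP_MECHANISMS or body.startswith(LOOKUP_PREFIXES):
            lookups += 1
    findings = []
    if all_qualifier is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises every host on the internet to send as your domain")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral; use ~all or -all")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror at receivers)")
    return findings


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' style DKIM/DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim(record: Optional[str]) -> List[str]:
    """Flag a missing, revoked or test-mode DKIM selector record."""
    if not record:
        return ["DKIM: selector record not found"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but if present must be DKIM1
        return ["DKIM: v= tag present but is not DKIM1"]
    if not tags.get("p"):
        return ["DKIM: empty p= tag means the key is revoked; signatures will fail"]
    if "y" in tags.get("t", "").split(":"):
        return ["DKIM: t=y marks the selector as testing; receivers ignore failures"]
    return []


def check_dmarc(record: Optional[str]) -> List[str]:
    """Flag DMARC records that exist but do not actually enforce."""
    if not record:
        return ["DMARC: no _dmarc TXT record; the domain can be spoofed freely"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy tag p={policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def assess_records(records: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Run all three checks; an empty list for a key means no findings."""
    return {
        "spf": check_spf(records.get("spf")),
        "dkim": check_dkim(records.get("dkim")),
        "dmarc": check_dmarc(records.get("dmarc")),
    }


# Constructed sample records: a typical "we have all three" setup that still fails open,
# and the hardened equivalent. The DKIM p= value is a placeholder, not a real key.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.google.com +all",
    "dkim": "v=DKIM1; k=rsa; p=",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCplaceholderkey",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for kind, findings in assess_records(recs).items():
            print(f"  {kind}: {findings or 'ok'}")
```

Run it against the WEAK set and every record "exists" yet all three checks fail; the HARDENED set returns no findings. Moving a domain from `p=none` to `p=reject` should only be done after reviewing aggregate reports from the `rua=` address, otherwise legitimate third-party senders (payroll, CRM, marketing platforms) will start bouncing.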
Endpoint Protection & Patching
EDR: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, or equivalent. Basic antivirus is not sufficient above $500K coverage.
Patching timelines: 48 hours for critical vulnerabilities in internet-facing systems; 14 days for critical workstation vulnerabilities. The clock starts when the vendor releases the fix, so track patch release dates, not just scan dates.
Application patching: particularly browsers, Office, and any other internet-facing applications.
No unsupported operating systems: Windows XP, Windows 7, and other end-of-life systems are a common underwriting exclusion.
Application control: required by some insurers for server coverage. Prevents unapproved software from executing.
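The patching timelines above are only useful if someone is measuring against them. This is an added example, not code from the original page: a small triage routine that takes scanner findings (constructed sample records with placeholder host names and finding IDs, not real CVEs), applies the two windows the checklist states, and reports what is overdue. The 30-day window for anything that is not critical is an assumption for the example; the page states only the two critical timelines.

```python
"""Patch-deadline triage against the checklist's SLA windows (added example).

Findings are constructed; host names and finding IDs are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SLA_CRITICAL_INTERNET_FACING = timedelta(hours=48)  # from the checklist
SLA_CRITICAL_WORKSTATION = timedelta(days=14)       # from the checklist
SLA_DEFAULT = timedelta(days=30)                    # assumption: page gives no non-critical window


@dataclass
class Finding:
    finding_id: str            # scanner reference (placeholder, not a CVE)
    host: str
    severity: str              # "critical", "high", "medium", "low"
    internet_facing: bool
    patch_available: datetime  # SLA clock starts when the vendor fix ships


def sla_for(f: Finding) -> timedelta:
    """Pick the window that applies to a finding."""
    if f.severity.lower() == "critical":
        return SLA_CRITICAL_INTERNET_FACING if f.internet_facing else SLA_CRITICAL_WORKSTATION
    return SLA_DEFAULT


def triage(findings: List[Finding], now: datetime) -> List[Dict]:
    """One row per finding, most urgent first, with its deadline and overdue flag."""
    rows = []
    for f in findings:
        deadline = f.patch_available + sla_for(f)
        rows.append({
            "finding_id": f.finding_id,
            "host": f.host,
            "deadline": deadline,
            "hours_left": round((deadline - now).total_seconds() / 3600, 1),
            "overdue": now > deadline,
        })
    return sorted(rows, key=lambda r: r["deadline"])


def overdue_ids(findings: List[Finding], now: datetime) -> List[str]:
    """IDs of findings that have blown their SLA; what you would escalate."""
    return [r["finding_id"] for r in triage(findings, now) if r["overdue"]]


# Constructed sample inventory.
NOW = datetime(2025, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("scan-001", "vpn-gw-01", "critical", True, datetime(2025, 1, 7, tzinfo=timezone.utc)),
    Finding("scan-002", "ws-finance-03", "critical", False, datetime(2025, 1, 1, tzinfo=timezone.utc)),
    Finding("scan-003", "ws-finance-03", "medium", False, datetime(2024, 12, 20, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, NOW):
        status = "OVERDUE" if row["overdue"] else f"{row['hours_left']}h left"
        print(f"{row['finding_id']:9} {row['host']:15} due {row['deadline']:%Y-%m-%d %H:%M} {status}")
```

In the sample the VPN gateway finding is already a day past its 48-hour window while the workstation items still have time; that ordering, not raw CVSS score, is what should drive the patch queue, and the overdue list is the evidence an insurer will ask for at claim time.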
Incident Response
Incident response plan: defines what to do in the first 24 hours of a breach: who to call, who decides, how to contain, how to notify. It does not need to be elaborate.
Insurer notification: you must notify your insurer promptly after discovering an incident; late notification can prejudice a claim. Know who to call before it happens.
Plan testing: a tabletop exercise counts. Walk through a simulated ransomware scenario with key staff to identify gaps in the plan.
Notifiable Data Breaches: under the Privacy Act NDB scheme you have 30 days to assess a suspected breach, and once you believe it is an eligible data breach you must notify the OAIC and affected individuals as soon as practicable.
Incident register: a record of past incidents, including minor ones, demonstrates a proactive security culture and is valued during underwriting.
How Long Does It Take to Fix the Gaps?
Most readiness gaps can be closed within 4–8 weeks by an IT provider who knows what they're doing. Here are realistic timelines for the most common fixes.
Get a scored readiness report you can share with your broker
20 questions. Free score. The $99 readiness report maps your gaps to insurer requirements — in language your broker can use directly in the application.
No account required
Frequently Asked Questions
What do cyber insurers check during underwriting?
Australian cyber insurers check five main areas: Identity and Access (MFA on email, remote access, and privileged accounts), Backup and Recovery (isolated, tested backups), Email Security (DMARC, DKIM, SPF, anti-phishing), Endpoint Protection (EDR or advanced antivirus), and Incident Response (a documented plan). The non-negotiable items are MFA and tested backups.
Can I fail cyber insurance underwriting?
Yes. Insurers can decline to quote, add premium loadings, or exclude specific risks. Missing MFA on email is the most common reason for a declined application or significant premium increase. Missing tested and isolated backups is the second most common issue, particularly for ransomware coverage.
How long does it take to fix cyber insurance readiness gaps?
Timelines vary. MFA on email can be enabled in a day. EDR deployment takes 1–2 weeks for most SMBs. Isolated backup setup takes 1–4 weeks. An incident response plan can be documented in a day using a template. Total time from gaps identified to renewal-ready is typically 4–8 weeks.
Should I use a broker for cyber insurance in Australia?
Yes — using a specialist cyber insurance broker typically gets you better terms than going direct. Brokers who specialise in cyber understand how to position your security controls and which insurer is best suited to your profile. Aon and Lockton are the two largest specialist cyber insurance brokers active in the Australian SMB market.
Do I need to disclose past cyber incidents?
Yes. All cyber insurance applications ask about known or suspected past incidents. Failing to disclose a known incident is misrepresentation and can void your policy. Disclose honestly — insurers factor past incidents into pricing, but undisclosed incidents can result in a claim denial at the worst possible time.
Know your gaps before your broker does
Free 20-question readiness assessment mapped to real insurer underwriting requirements. Instant score, no account required.
Check your readiness (free)
Full readiness report with broker-ready language for $99