The Small Business Cyber Insurance Checklist for 2026


A business owner I know tried to get cyber insurance last month. They were shocked when the insurer asked for documentation of MFA implementation, backup procedures, and incident response plans. They’d assumed cyber insurance was like buying car insurance—fill out a form, pay the premium, you’re covered.

Turns out cyber insurance in 2026 is nothing like that. Insurers have gotten serious about security requirements because they got burned on ransomware claims. If you can’t demonstrate basic security hygiene, you either won’t get coverage or you’ll pay premium rates.

Here’s what Australian small businesses actually need to have in place to get cyber insurance at reasonable rates.

Why Insurers Care About Your Security Posture

Five years ago, cyber insurance underwriting was pretty loose. Insurers would ask some general questions, maybe check if you had antivirus, and issue a policy.

Then ransomware losses skyrocketed. Insurers paid out massive claims. They realised that businesses with poor security were getting hit repeatedly, and covering them was unprofitable.

So they tightened underwriting. Now they want evidence that you’re not an easy target. If you don’t meet baseline security requirements, you’re either uninsurable or you’re paying dramatically higher premiums.

This is actually good for the market. It creates incentives for better security. But it means getting covered requires work.

The Non-Negotiable Requirements

These are the things pretty much every cyber insurer will require for SMB coverage in 2026:

Multi-factor authentication on all critical systems. This is the big one. If you don’t have MFA on email, cloud services, financial systems, and admin accounts, many insurers won’t cover you at all.

They’ve seen too many ransomware attacks that started with compromised credentials. MFA stops most of those. No MFA? You’re a risk they don’t want.

SMS-based MFA is getting pushback too—some insurers want app-based or hardware token MFA for admin accounts. But any MFA is better than none.

Endpoint protection. Modern antivirus/EDR (endpoint detection and response) on all devices. The free version of Windows Defender might not cut it—insurers often want to see commercial-grade endpoint protection with managed updates.

Regular backups with offline/immutable copies. You need documented backup procedures with backups that are either offline or immutable (stored so they can’t be altered or deleted, which means ransomware can’t encrypt them). Cloud backups alone aren’t enough if they’re constantly mounted and accessible.

Test your backups too. Insurers are starting to ask for evidence that you’ve actually done recovery testing, not just that backups exist.

Patch management. Systems need to be kept up to date. Insurers will ask about your patch management process. If you’re running unpatched systems with known vulnerabilities, that’s a problem.

Email security. Basic email filtering for spam and malware. Most attacks start with phishing, so email security is critical. If you’re on Microsoft 365 or Google Workspace, you’ve got baseline protection, but some insurers want enhanced filtering.

Access controls. Principle of least privilege—users should only have access to systems they need. Admin rights should be limited. Guest and former employee access should be removed promptly.

The Documentation They’ll Want

It’s not enough to have security measures in place. You need to document them. Insurers will ask for:

IT security policies. Written policies for password management, acceptable use, remote access, BYOD, data handling. They don’t need to be elaborate, but they need to exist and be followed.

MFA implementation evidence. Screenshots showing MFA enabled on critical systems. Reports from your identity provider showing MFA adoption rates.
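As an added example (not from the original post, and not any insurer’s or identity provider’s tool), here is one way to turn a user export into the MFA-adoption evidence this item describes, while also flagging the SMS-only admin accounts and the dormant or guest accounts mentioned under the MFA and access-control requirements above. The CSV column layout, the method names, and the 90-day dormancy threshold are assumptions made for the example; real identity providers export different fields, so the parser would need adapting.

```python
"""Added example, not code from the original post: turn an identity-provider
user export into the MFA-adoption and access-review evidence an insurer asks
for, and flag the gaps the checklist calls out (no MFA, SMS-only admins,
dormant or guest accounts).

Assumed input (not specified in the post): a CSV export with the columns
user, enabled, is_admin, is_guest, mfa_methods, last_sign_in, where
mfa_methods is a ';'-separated list of registered method names.
"""
import csv
import io
from datetime import date

# Constructed sample export in the assumed shape above.
SAMPLE_EXPORT = """user,enabled,is_admin,is_guest,mfa_methods,last_sign_in
alice@example.com,true,true,false,authenticator;fido2,2026-01-14
bob@example.com,true,false,false,sms,2026-01-13
carol@example.com,true,true,false,sms,2026-01-12
dave@example.com,true,false,false,,2025-07-02
erin@example.com,false,false,false,,2025-03-20
vendor-guest@example.net,true,false,true,authenticator,2025-06-30
"""

# App-based or hardware methods insurers prefer on admin accounts; SMS is not one.
STRONG_METHODS = {"authenticator", "fido2", "hardware_token"}
STALE_DAYS = 90  # assumed threshold for an account nobody has signed in to


def parse_export(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"],
            "enabled": row["enabled"].strip().lower() == "true",
            "is_admin": row["is_admin"].strip().lower() == "true",
            "is_guest": row["is_guest"].strip().lower() == "true",
            "methods": {m for m in row["mfa_methods"].split(";") if m},
            "last_sign_in": date.fromisoformat(row["last_sign_in"]),
        })
    return rows


def identity_report(rows, today):
    """Summarise MFA adoption and access-review findings for enabled accounts only."""
    active = [r for r in rows if r["enabled"]]
    with_mfa = [r for r in active if r["methods"]]
    return {
        "as_of": today.isoformat(),
        "active_users": len(active),
        "mfa_adoption_pct": round(100 * len(with_mfa) / len(active), 1) if active else 0.0,
        "users_without_mfa": [r["user"] for r in active if not r["methods"]],
        "admins_without_strong_mfa": [
            r["user"] for r in active if r["is_admin"] and not (r["methods"] & STRONG_METHODS)
        ],
        "stale_accounts": [
            r["user"] for r in active if (today - r["last_sign_in"]).days > STALE_DAYS
        ],
        "guest_accounts": [r["user"] for r in active if r["is_guest"]],
    }


def report_from_export(text, as_of_iso):
    """Convenience wrapper: CSV text plus an ISO date string in, report dict out."""
    return identity_report(parse_export(text), date.fromisoformat(as_of_iso))


def format_report(report):
    """Render the findings as the plain-text summary you would attach to an application."""
    lines = [f"Identity evidence report as of {report['as_of']}",
             f"Enabled accounts: {report['active_users']}",
             f"MFA adoption: {report['mfa_adoption_pct']}%"]
    for label, key in [("No MFA registered", "users_without_mfa"),
                       ("Admins without app/hardware MFA", "admins_without_strong_mfa"),
                       (f"No sign-in for {STALE_DAYS}+ days", "stale_accounts"),
                       ("Guest accounts to review", "guest_accounts")]:
        lines.append(f"{label}: {', '.join(report[key]) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(report_from_export(SAMPLE_EXPORT, "2026-01-15")))
```

Run it against a fresh export each quarter and keep the output with the application. Disabled accounts are left out of the adoption figure, since that is the number insurers ask about, while dormant but still-enabled accounts are listed separately because they are the ones to remove under the access-control item.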

Backup logs. Evidence that backups are running successfully and regularly. Recovery test results showing you can actually restore from backups.
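An added example (not the post’s own procedure, and not tied to any particular backup product) of a scripted restore test that produces the backup and recovery-test evidence described here and under the backup requirement above. It assumes each backup is a tar archive accompanied by a SHA-256 manifest taken at backup time, a convention chosen for the example; the data it backs up, restores and deliberately corrupts is constructed in a temporary directory so it runs offline.

```python
"""Added example, not from the original post: a scripted backup restore test
that restores an archive into a clean directory, verifies every file against
a manifest of hashes, and appends a timestamped JSON record as evidence.

Assumption (not in the post): backups are tar.gz archives plus a manifest of
SHA-256 hashes made at backup time. All files here are constructed for the demo.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Hash every file under source_dir, keyed by path relative to it."""
    manifest = {}
    for root, _, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_file(full)
    return manifest


def create_backup(source_dir, archive_path):
    """Write the archive and return the manifest taken at backup time."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    return manifest


def restore_backup(archive_path, restore_dir):
    """Extract the archive; use the 'data' filter where Python offers it so a
    crafted archive cannot write outside restore_dir."""
    with tarfile.open(archive_path, "r:gz") as tar:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **kwargs)


def verify_restore(restore_dir, manifest):
    """Return (kind, path) for every file that is missing or hashes differently."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            problems.append(("missing", rel))
        elif sha256_file(path) != expected:
            problems.append(("hash_mismatch", rel))
    return problems


def run_restore_test(archive_path, manifest, log_path, tamper=None):
    """Restore into a fresh directory, verify, and append one JSON evidence line."""
    started = datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as restore_dir:
        restore_backup(archive_path, restore_dir)
        if tamper:  # demo only: simulate silent corruption of one restored file
            with open(os.path.join(restore_dir, tamper), "ab") as f:
                f.write(b"corrupted")
        problems = verify_restore(restore_dir, manifest)
    record = {
        "test_time": started.isoformat(),
        "archive": os.path.basename(archive_path),
        "files_expected": len(manifest),
        "problems": problems,
        "result": "PASS" if not problems else "FAIL",
        "duration_s": round((datetime.now(timezone.utc) - started).total_seconds(), 3),
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def demo():
    """Build a constructed backup set, then run one clean test and one tampered test."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "data")
        os.makedirs(os.path.join(source, "invoices"))
        with open(os.path.join(source, "invoices", "2026-01.csv"), "w") as f:
            f.write("id,amount\n1,100\n")
        with open(os.path.join(source, "clients.db"), "wb") as f:
            f.write(os.urandom(1024))
        archive = os.path.join(work, "backup.tar.gz")
        log = os.path.join(work, "restore-tests.jsonl")
        manifest = create_backup(source, archive)
        clean = run_restore_test(archive, manifest, log)
        tampered = run_restore_test(archive, manifest, log, tamper="clients.db")
        with open(log) as f:
            log_lines = f.read().splitlines()
        return clean["result"], tampered["result"], tampered["problems"], len(log_lines)


if __name__ == "__main__":
    print(demo())
```

Each run appends one line to the JSON log, and that log, with its PASS/FAIL results and timestamps, is the recovery-test evidence an insurer asks for. Schedule it against a real backup copy rather than the live data, and keep the manifest with the backup so a restore that silently returns altered files shows up as a FAIL instead of a clean-looking directory listing.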

Employee training records. Proof that staff have completed security awareness training, particularly phishing awareness. Annual training is increasingly required.

Incident response plan. A documented plan for what you’ll do if you get hit by ransomware or a breach. Who do you call? What are the steps? It doesn’t need to be 50 pages, but it needs to exist.

Vendor/third-party risk management. If you use MSPs, cloud providers, or other vendors with access to your systems, insurers want to know how you manage that risk. Do you have contracts with security requirements? Do you review vendor security?

The Questions They’ll Ask

Beyond documentation, expect detailed questionnaire questions like:

  • How many endpoints do you have and what protection is on them?
  • What cloud services do you use and how are they secured?
  • Do you allow remote access and how is it secured (VPN with MFA, zero-trust access, etc.)?
  • How do you handle email security and phishing?
  • What’s your data backup strategy and recovery time objective?
  • Have you had any security incidents or breaches in the past three years?
  • Do you handle sensitive data (health info, financial data, personal information)?
  • What’s your annual revenue? (Higher revenue means higher coverage needs and more scrutiny)
  • Do you have an IT department or do you outsource IT management?

Answer these honestly. Misrepresenting your security posture is a great way to have claims denied later.

What Boosts Your Insurability (And Lowers Premiums)

Beyond the baseline requirements, these factors help with getting coverage and reducing costs:

Working with a reputable MSP. If you’ve outsourced IT security to a credible managed service provider, insurers view that favourably. It shows professional management of security rather than ad-hoc efforts.

Working with an Australian AI company or security specialist that has a track record can strengthen your application—insurers trust established security partners.

Security certifications or frameworks. If you’re following a framework like Essential Eight or have relevant certifications (ISO 27001, etc.), that demonstrates maturity even if you’re a small business.

Cyber hygiene scores. Some insurers use third-party security rating services that scan your external footprint for vulnerabilities. A clean score helps. If you know you have issues, fix them before applying.

Claims history. Obviously, not having previous cyber claims is ideal. If you have had incidents, show what you did to remediate and prevent recurrence.

Industry risk level. Some industries (healthcare, finance, legal) are higher risk and face more scrutiny and higher premiums. Others are lower risk. You can’t change your industry, but know that it affects pricing.

What to Do If You Don’t Meet Requirements Yet

If you’re reading this and realising you don’t meet baseline requirements, don’t panic. But don’t delay either.

Implement MFA immediately. This is non-negotiable and you can do it quickly. Turn on MFA for Microsoft 365, Google Workspace, accounting software, and anything else critical.

Get endpoint protection deployed. Choose a commercial endpoint security solution and get it on all devices. This can be done in days.

Fix your backup situation. If you don’t have offline or immutable backups, set them up. Cloud backup with versioning and retention policies is a good start.

Document what you’re doing. As you implement security measures, document the policies and procedures. Don’t wait until everything is perfect—document what you have and your plan to improve.

Get security awareness training done. Put all staff through a basic security awareness course. There are plenty of affordable online options. KnowBe4, Proofpoint, and others offer SMB-friendly training.

Engage an MSP or security consultant if needed. If this feels overwhelming, get help. The cost of hiring security expertise is less than the cost of being uninsurable or suffering a ransomware attack.

Understanding Coverage and Exclusions

Even with insurance, understand what’s actually covered:

Ransomware and extortion are typically covered, including ransom payments (if you choose to pay) and recovery costs. But there might be sub-limits.

Business interruption from cyber incidents is often covered, but with waiting periods and limits. Understand what qualifies and what documentation you’ll need.

Regulatory fines and penalties may or may not be covered depending on the policy and the nature of the violation.

Nation-state attacks are increasingly excluded. If you get hit by sophisticated state-sponsored actors, you might not be covered.

Known vulnerabilities you failed to patch may not be covered. If there was a critical vulnerability you knew about and didn’t fix, claims might be denied.

War and terrorism exclusions are standard and getting stricter. Cyber attacks linked to warfare are often excluded.

Read the policy. Understand what’s covered and what’s not. Ask questions.

The Cost Reality

What does SMB cyber insurance actually cost in Australia?

It varies wildly based on size, industry, and security posture. But rough ranges:

  • Small businesses (<$5M revenue): $2,000-$8,000 annually for $1-2M coverage
  • Medium businesses ($5-20M revenue): $8,000-$25,000 annually for $2-5M coverage

Better security posture can cut premiums by 30-50%. Poor security can double them or make you uninsurable.

Coverage limits need to reflect your risk. If a ransomware attack could cost you $500K in recovery and downtime, $1M coverage is probably appropriate.

The Bottom Line

Cyber insurance is no longer optional for most businesses. Client contracts require it. Liability risk demands it. The question isn’t whether to get it, but how to get it at reasonable cost.

That means meeting baseline security requirements. MFA, endpoint protection, backups, patch management, security training. These aren’t just insurance requirements—they’re basic security hygiene that protects you even without insurance.

Start with the non-negotiables. Implement MFA and get backups sorted. Then work through the other requirements methodically.

Document everything. Insurers want evidence, not promises.

And don’t wait until after an incident to try to get coverage. Get insured now, while you can choose insurers and negotiate terms. After you’ve been hit, your options shrink dramatically.

Cyber insurance has evolved from “nice to have” to “cost of doing business.” The entry requirements have gotten stricter. But meeting them makes your business more secure regardless of the insurance benefit.

Do the work. Get covered. Sleep better.