A plain-English deep dive into cyber insurance for small and mid-sized businesses. Explains what it covers (first-party recovery and third-party liability), the security controls insurers now require before they will cover you (MFA, tested backups, EDR, patching, training, incident response), how to become insurable and lower your premium, and the common exclusions that trip businesses up. Cyber insurance is a backstop, not a substitute for the basics.

    Risk & Compliance Deep Dive
    What it covers, and what it now demands

    Cyber insurance: what it covers and what insurers now require

    Cyber insurance has gone from a nice-to-have to something clients and boards expect. But the market has tightened, and insurers now want proof you are doing the basics before they will cover you. Here is what a policy actually does, and what you need in place to get one.

    StartCloud6 July 20268 min read
    The short version

    The short version

    Cyber insurance covers two things: your own recovery costs after an incident, and your liability to others whose data was affected.

    The catch is that insurers now require security controls before they will cover you, and many of them line up with the Essential Eight: MFA, tested backups, endpoint protection, patching, and training.

    It is a backstop, not a substitute for the basics. Do the basics and you are both safer and cheaper to insure. Skip them and a claim can be reduced or refused.

    What it covers

    The two sides of a policy

    Your own recovery (first-party)

    The cost of getting your business back: incident response, data recovery, business interruption while you are down, and in some cases a ransom payment and cyber extortion support.

    Liability to others (third-party)

    The costs when someone else is affected: legal defence, breach notification, and claims from clients whose data was exposed through you.

    The requirements

    What insurers now expect you to have

    Cyber insurance used to be easy to get and cheap. After years of large claims, insurers tightened up. Most now ask you to declare specific controls, and you may be declined or pay more without them:

    • Multi-factor authentication on email, remote access, and admin accounts
    • Regular, tested backups that are kept separate from your main systems
    • Endpoint protection (modern EDR, not just basic antivirus)
    • Timely patching of operating systems and applications
    • Security awareness training for staff
    • A documented incident response plan

    If that list looks familiar, it should: it is essentially the Essential Eight in insurance language.

    Becoming insurable

    How to get covered, and pay less

    The good news is that the work you do to become insurable is the same work that actually protects your business. Put multi-factor authentication everywhere, get tested backups in place, run modern endpoint protection, keep systems patched, and train your team. Then be able to prove it.

    That last part matters. Insurers want evidence, not promises, and so do the auditors and clients who increasingly ask the same questions. A managed provider can put these controls in place and produce the documentation that goes on the insurance application, which is often what turns a declined or expensive quote into a reasonable one.

    The gotchas

    The traps to watch for

    Declaring controls you do not have. If you tick the box for MFA on the application but have not actually rolled it out, a claim tied to that gap can be reduced or refused. Only declare what is genuinely in place.

    Beyond that, watch for exclusions in the fine print, low sub-limits on the cover that matters most to you, and requirements to maintain controls throughout the policy, not just at sign-up. Read the schedule, and if in doubt, get someone technical to review the security questions with you before you answer them.

    Verdict

    The takeaway

    Cyber insurance is worth having, but treat it as the last line, not the first. The controls insurers demand are the same ones that stop most incidents happening in the first place, so the smart move is to build them because they protect you, and let the cheaper, easier insurance follow.

    We help Perth businesses put those controls in place and produce the evidence insurers and clients ask for. If you have an application to fill in, or a renewal with new security questions, that is exactly the kind of thing our managed security service handles.

    FAQ

    Common questions

    What does cyber insurance actually cover?

    Two broad areas. First-party covers your own recovery: incident response, data recovery, business interruption, and sometimes ransom and extortion costs. Third-party covers your liability to others: legal defence, breach notification, and claims from clients whose data was exposed. Exact cover varies by policy, so read the schedule.

    What do insurers require before they will cover us?

    Increasingly, controls like multi-factor authentication, tested backups, modern endpoint protection, timely patching, staff training, and an incident response plan. Many of these line up directly with the ACSC Essential Eight. If you cannot demonstrate them, you may be declined, pay a higher premium, or find a claim reduced.

    Can a claim be refused if our security was poor?

    Yes. If you declared controls you did not actually have, or a breach traces back to a control you were required to maintain and did not, an insurer can reduce or refuse a claim. Cyber insurance is a backstop, not a substitute for doing the basics.

    How can we lower our premium?

    Put the controls insurers ask for in place and be able to prove it. Aligning with the Essential Eight, running MFA everywhere, and having tested backups and monitoring not only reduces your risk, it often reduces your premium and makes you insurable in the first place.

    StartCloud Assistant

    Online

    G'day! 👋 I'm the StartCloud Assistant. How can I help you today?