A plain-English deep dive into cyber insurance for small and mid-sized businesses. Explains what it covers (first-party recovery and third-party liability), the security controls insurers now require before they will cover you (MFA, tested backups, EDR, patching, training, incident response), how to become insurable and lower your premium, and the common exclusions that trip businesses up. Cyber insurance is a backstop, not a substitute for the basics.
Cyber insurance: what it covers and what insurers now require
Cyber insurance has gone from a nice-to-have to something clients and boards expect. But the market has tightened, and insurers now want proof you are doing the basics before they will cover you. Here is what a policy actually does, and what you need in place to get one.
The short version
Cyber insurance covers two things: your own recovery costs after an incident, and your liability to others whose data was affected.
The catch is that insurers now require security controls before they will cover you, and many of them line up with the Essential Eight: MFA, tested backups, endpoint protection, patching, and training.
It is a backstop, not a substitute for the basics. Do the basics and you are both safer and cheaper to insure. Skip them and a claim can be reduced or refused.
The two sides of a policy
Your own recovery (first-party)
The cost of getting your business back: incident response, data recovery, business interruption while you are down, and in some cases a ransom payment and cyber extortion support.
Liability to others (third-party)
The costs when someone else is affected: legal defence, breach notification, and claims from clients whose data was exposed through you.
What insurers now expect you to have
Cyber insurance used to be easy to get and cheap. After years of large claims, insurers tightened up. Most now ask you to declare specific controls, and you may be declined or pay more without them:
- Multi-factor authentication on email, remote access, and admin accounts
- Regular, tested backups that are kept separate from your main systems
- Endpoint protection (modern EDR, not just basic antivirus)
- Timely patching of operating systems and applications
- Security awareness training for staff
- A documented incident response plan
If that list looks familiar, it should: it is essentially the Essential Eight in insurance language.
The traps to watch for
Declaring controls you do not have. If you tick the box for MFA on the application but have not actually rolled it out, a claim tied to that gap can be reduced or refused. Only declare what is genuinely in place.
Beyond that, watch for exclusions in the fine print, low sub-limits on the cover that matters most to you, and requirements to maintain controls throughout the policy, not just at sign-up. Read the schedule, and if in doubt, get someone technical to review the security questions with you before you answer them.
The takeaway
Cyber insurance is worth having, but treat it as the last line, not the first. The controls insurers demand are the same ones that stop most incidents happening in the first place, so the smart move is to build them because they protect you, and let the cheaper, easier insurance follow.
We help Perth businesses put those controls in place and produce the evidence insurers and clients ask for. If you have an application to fill in, or a renewal with new security questions, that is exactly the kind of thing our managed security service handles.
Common questions
What does cyber insurance actually cover?
Two broad areas. First-party covers your own recovery: incident response, data recovery, business interruption, and sometimes ransom and extortion costs. Third-party covers your liability to others: legal defence, breach notification, and claims from clients whose data was exposed. Exact cover varies by policy, so read the schedule.
What do insurers require before they will cover us?
Increasingly, controls like multi-factor authentication, tested backups, modern endpoint protection, timely patching, staff training, and an incident response plan. Many of these line up directly with the ACSC Essential Eight. If you cannot demonstrate them, you may be declined, pay a higher premium, or find a claim reduced.
Can a claim be refused if our security was poor?
Yes. If you declared controls you did not actually have, or a breach traces back to a control you were required to maintain and did not, an insurer can reduce or refuse a claim. Cyber insurance is a backstop, not a substitute for doing the basics.
How can we lower our premium?
Put the controls insurers ask for in place and be able to prove it. Aligning with the Essential Eight, running MFA everywhere, and having tested backups and monitoring not only reduces your risk, it often reduces your premium and makes you insurable in the first place.