Cyber Insurance for Small Business: What Insurers Are Actually Asking — and What Gets Claims Denied
Cyber insurance has changed dramatically in the past three years. Applications are now far more detailed, premiums are higher, and insurers are scrutinising claims more carefully than ever. Here's what you need to know before your next renewal.
Three years ago, getting cyber insurance for a small business meant answering a handful of broad questions about your industry and revenue, paying a modest premium, and assuming you were covered. That era is over.
Following a significant increase in claims globally — particularly ransomware payouts and business email compromise losses — cyber insurers have substantially tightened their underwriting standards. This trend is well documented by the Insurance Council of Australia and industry brokers: applications now include detailed technical questions about your security controls, premiums have increased for businesses that cannot demonstrate basic security hygiene, and claim investigations have become thorough enough to uncover gaps between what was stated on an application and what was actually in place at the time of the incident.
If your answers on the application overstate your security posture — even unintentionally — your claim can be denied, your policy voided, and you may face allegations of misrepresentation. This article explains what insurers are actually asking, what they're looking for, and how to make sure you're genuinely covered when you need it. A clear picture of what actually happens when a business gets hacked — the notification timeline, regulatory obligations, and financial exposure — is useful context for understanding what you're insuring against.
What a Modern Cyber Insurance Application Actually Asks
The specific questions vary by insurer, but most Australian cyber insurance applications for small businesses now ask about all of the following:
Multi-Factor Authentication (MFA)
Almost every cyber insurer now asks whether multi-factor authentication (MFA) is enabled, and on what systems. Common specific questions include whether MFA is enabled on email (yes/no), remote access systems, cloud services, and financial/banking systems. Some insurers now make MFA on email a prerequisite for coverage — not just a premium modifier. If you answer "yes" to having MFA enabled but it's only on one of five systems, that may be considered a material misrepresentation.
Backups
Insurers ask whether you have backups, how frequently they run, whether they're stored separately from your main systems, and — critically — whether you've tested restoration. A backup that's never been restored from is an assumption, not a verified control. Insurers understand this distinction and underwriters who specialise in cyber can tell from claim circumstances whether backups were actually functional.
Endpoint Protection
Whether antivirus and endpoint detection and response (EDR) software is installed, whether it's current, and whether it covers all devices, including staff personal devices used for work (bring-your-own-device, or BYOD). The BYOD question catches many small businesses — personal devices used to access work email or cloud systems are attack vectors that most businesses haven't thought about systematically.
Patch Management
Whether software and operating systems are kept up to date, how quickly critical patches are applied, and whether there's a process (even a simple one) for managing updates across the business. Attackers actively scan for businesses running known-vulnerable software versions. An unpatched system at the time of a breach can be cited as a contributing factor in claim denial.
Staff Training
Whether staff receive any form of security awareness training, and how frequently. This doesn't need to be a formal training programme — even documented awareness briefings at team meetings count. What insurers are looking for is evidence that staff aren't completely unaware of phishing, credential theft, and social engineering.
Incident Response
Whether you have any form of incident response plan. Again, this doesn't need to be sophisticated — but "no plan at all" is a significant underwriting flag, because it suggests that even if an attack is detected, the response will be chaotic and the damage amplified.
What underwriters are actually evaluating: They're trying to assess whether a claim is likely, and whether the business took steps to reduce that likelihood. A business that can demonstrate documented, systematic security practices represents a materially different risk profile to one that hasn't thought about security at all. The documentation is nearly as important as the controls themselves.
Common Reasons Cyber Claims Are Denied
Claim denial in cyber insurance is more common than most policyholders expect. The most frequent grounds include:
Misrepresentation on the Application
The most serious ground for denial. If your application stated that MFA was enabled on all email accounts and the forensic investigation finds that it wasn't, the insurer has grounds to void the policy entirely — not just for this claim, but potentially retroactively. This applies even if you genuinely believed the statement was accurate at the time. "I thought IT had set it up" is not a defence.
Pre-Existing Vulnerability
If investigation reveals that the breach was caused by a vulnerability that existed before the policy inception — an unpatched system, a known malware infection, or compromised credentials already circulating before coverage began — insurers may argue the loss arose from a pre-existing condition not covered under the policy.
Failure to Maintain Stated Controls
Some policies include a maintenance warranty — a requirement to maintain the security controls stated in the application throughout the policy period. If you stated that backups ran daily but they'd actually been failing silently for three months before the ransomware hit, the insurer may deny the claim on the basis that warranted controls weren't maintained.
Exclusions for Specific Attack Types
Policy exclusions vary considerably. Common exclusions include losses from social engineering where no system was technically compromised (relevant for CEO fraud and invoice redirection), losses from unencrypted portable devices, and losses attributable to the actions of current or former employees. Read your policy exclusions carefully — the exclusion that seems unlikely is often the one that applies.
A note on social engineering exclusions: Business email compromise (BEC) — where an attacker redirects a payment by manipulating email communications — is one of the most common causes of loss for Australian small businesses. Many standard cyber policies exclude or sub-limit social engineering losses. If BEC is a genuine risk for your business (it is for most), make sure your policy specifically covers it and check the sub-limit carefully.
What Being Genuinely Covered Looks Like
Businesses that receive full payouts after a cyber claim typically share a few characteristics. Their application answers were accurate because they'd actually assessed their security posture before completing the application. Their controls were documented, even simply. They had backups that worked and could demonstrate it. And when the incident occurred, they followed their incident response plan — even a basic one — which created a clear record of their response.
The common thread is documentation. Controls that exist but aren't documented are much harder to defend than controls that are both in place and evidenced. An insurer investigating a claim is looking for reasons to pay — but they're also under obligation to their own shareholders to verify that representations were accurate. Documentation makes verification straightforward.
How to Prepare for Your Next Renewal
Before your next renewal — or before you apply for the first time — work through the key questions the application will ask and verify that your answers are accurate:
Pre-Renewal Security Checklist
- MFA is enabled on email, banking, cloud services, and remote access — and you've verified it, not just assumed
- Backups are running and you've tested restoration in the past three months
- Backups are stored separately from your main systems (so ransomware can't reach them)
- All business devices are running current operating systems and have up-to-date software
- Antivirus or endpoint protection is installed and current on all devices used for work
- Staff have received some form of security awareness training this year
- You have a basic incident response plan — even a one-page document
- You know your notification obligations under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme
- You have documentation of the above — not just the controls themselves
If you can't confidently answer yes to each of these, address the gaps before completing your renewal application. Insurers are increasingly asking for attestation — a formal declaration that the stated controls are in place. Getting that wrong has consequences beyond the premium.
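The "tested restoration" item in the checklist, like the backups section earlier, turns on the difference between a backup that exists and one that has been proven to restore and is documented as such. The script below is an added example written for this article; it is not code from the article or from the health-check service it describes. It archives a directory, restores the archive into a scratch location, verifies every file against a hash manifest taken at backup time, appends a dated record to an evidence log, and reports whether the most recent passing test falls inside a 90-day window. The window, file names and paths are constructed assumptions. The demo also reproduces the failure mode from the maintenance-warranty section: a backup job that silently stopped running no longer matches what the business actually holds, and the test says so.

```python
"""Restore-test a backup and record the result as evidence.
Added example for this article (not the article's or any product's code).
The 90-day window, file names and paths are constructed assumptions.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RESTORE_TEST_MAX_AGE_DAYS = 90  # assumption: "tested in the past three months"

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def create_backup(source_dir: Path, archive_path: Path) -> dict:
    """Archive source_dir; return a manifest {relative_path: sha256} taken at backup time."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest

def restore_test(archive_path: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and check every expected file and its hash."""
    missing, mismatched = [], []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):  # safe extraction filter where the runtime has it
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        root = Path(scratch)
        for rel, expected in manifest.items():
            restored = root / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_file(restored) != expected:
                mismatched.append(rel)
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "archive": str(archive_path),
        "files_expected": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "passed": not missing and not mismatched,
    }

def write_evidence(record: dict, evidence_path: Path) -> None:
    """Append the result to a JSON-lines log: the documentation an insurer can be shown."""
    with open(evidence_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")

def restore_test_is_current(evidence_path: Path, max_age_days=RESTORE_TEST_MAX_AGE_DAYS, now=None) -> bool:
    """True only if a *passing* restore test is recorded inside the window; failed tests don't count."""
    if not evidence_path.exists():
        return False
    now = now or datetime.now(timezone.utc)
    latest = None
    for line in evidence_path.read_text(encoding="utf-8").splitlines():
        rec = json.loads(line)
        if rec.get("passed"):
            tested = datetime.fromisoformat(rec["tested_at"])
            if latest is None or tested > latest:
                latest = tested
    return latest is not None and now - latest <= timedelta(days=max_age_days)

def demo() -> dict:
    """Constructed walk-through: a working backup, then one that silently went stale."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "clients").mkdir(parents=True)
        (src / "invoices.csv").write_text("inv,amount\n1001,250.00\n")  # constructed sample data
        (src / "clients" / "list.txt").write_text("Acme Pty Ltd\n")
        archive, evidence = work / "backup.tar.gz", work / "restore-tests.jsonl"
        manifest = create_backup(src, archive)
        good = restore_test(archive, manifest)
        write_evidence(good, evidence)
        # The backup job stops running; the business keeps adding data the archive never sees.
        (src / "payroll.csv").write_text("emp,amount\n7,5200.00\n")
        current_state = {p.relative_to(src).as_posix(): sha256_file(p)
                         for p in sorted(src.rglob("*")) if p.is_file()}
        stale = restore_test(archive, current_state)
        write_evidence(stale, evidence)
        later = datetime.now(timezone.utc) + timedelta(days=120)
        return {
            "good_passed": good["passed"],
            "stale_passed": stale["passed"],
            "stale_missing": stale["missing"],
            "current_now": restore_test_is_current(evidence),
            "current_120_days_later": restore_test_is_current(evidence, now=later),
        }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices matter for the evidence point the article makes. The manifest is captured at backup time and compared against a restore into a fresh location, so the test proves the archive can actually be read back, not merely that a file exists on the backup drive. And the currency check ignores failed runs, so a log full of failures from a job that stopped working will correctly report that the control is not being maintained, which is the situation the maintenance-warranty denial ground describes.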
The Relationship Between Insurance and Due Diligence
Cyber insurance is a risk transfer mechanism, not a substitute for security. Insurers are increasingly pricing this into their products — businesses with stronger documented security postures get better premiums and broader coverage. Businesses with weak or undocumented security pay more for less coverage.
The controls insurers ask about closely align with the ASD's Essential Eight framework — implementing those baseline mitigations addresses most of what underwriters are looking for. And understanding what actually happens when a business gets hacked — the notification obligations, financial exposure, and operational impact — makes the value of genuine coverage clear.
The practical implication is that investing in a structured security assessment before renewal serves two purposes simultaneously: it improves your actual security posture, and it produces the documentation that supports accurate application answers and substantiates your claim if you ever need to make one.
A health check report that documents your assessment, identifies your gaps, and records the steps you took to address them is exactly the kind of evidence an insurer wants to see — both at application and, if it comes to it, at claim.
Note: Cyber insurance policy terms, exclusions, and underwriting requirements vary significantly between insurers and change frequently. The information in this article reflects general market trends. Always review your specific policy wording and consult a qualified insurance broker before making coverage decisions.
Document Your Security Posture Before Renewal
Our Small Business Cyber Security Health Checks walk you through the controls insurers ask about — in plain English, with no technical knowledge required. You'll get a scored assessment, a prioritised gap list, and a written report you can reference at renewal or keep as evidence of due diligence.