Cyber insurance for Australian SMEs in 2026: what insurers expect
- April 30, 2026
Australian cyber insurance underwriting has tightened significantly through 2024 and 2025, and most insurers will now decline cover or apply ransomware sub-limits to SMEs that don't have multi-factor authentication, EDR on every endpoint, immutable backups, and basic Essential Eight maturity. Premiums have stabilised after the 2022-23 spike but cover is more conditional. The "tick-and-flick" application form has been replaced by detailed technical questionnaires and, for higher cover, evidence of controls. SMEs that haven't invested in security controls increasingly find that cyber insurance is either expensive or unavailable.
Key facts
- Australian cyber insurance premiums increased 50-100%+ between 2021 and 2023, driven by ransomware loss ratios; pricing has stabilised through 2024-2025.
- Most insurers now require MFA on email and admin accounts, EDR on every endpoint, and immutable or offline backups as minimum underwriting conditions.
- Ransomware sub-limits (cover capped well below the policy aggregate) are now common, particularly for SMEs without strong controls.
- War exclusions following Lloyd's market changes have tightened, with state-sponsored attack scenarios sometimes excluded entirely.
- Reporting under the Cyber Security Act 2024 is now a policy condition for many insurers; non-reporting can void cover.
- Insurers increasingly request third-party security attestations (Essential Eight maturity assessment, ISO 27001, cyber security ratings) for cover above AU$1 million.
What is cyber insurance and what does it cover?
Cyber insurance covers financial losses and third-party liabilities arising from cyber incidents: ransomware, business email compromise, data breaches, business interruption following an attack, regulatory investigation costs, customer notification expenses, and legal liability arising from data exposure. Specific cover varies by policy, but most Australian SME cyber policies include first-party costs (incident response, forensics, business interruption) and third-party liability (claims by customers or regulators).
What cyber insurance typically does not cover: pre-existing breaches not yet discovered, intentional acts by directors and officers, war and terrorism (where excluded), failure to maintain stated security controls (where the application form misrepresented the actual position), and claims arising from countries on sanctions lists.
For Australian SMEs, typical 2026 policy aggregates run from AU$500,000 to AU$5 million for small and mid-market businesses, with annual premiums anywhere from AU$3,000 to AU$50,000+ depending on revenue, sector, controls, and claims history.
Why is cyber insurance harder to get in 2026?
Three forces have reshaped the market over the past four years.
Ransomware loss ratios. Cyber insurers paid out aggressively on ransomware claims in 2020-2022, with global loss ratios in the 70-90% range across multiple years. The market response was inevitable: tighter underwriting, sub-limits on ransomware specifically, premium increases, and refusal to cover applicants without baseline controls.
State-sponsored attribution complexity. Following the 2022 Lloyd's market bulletin requiring revised war exclusions, most insurers tightened the language around state-sponsored attacks. The practical effect is that some major incidents that would have been covered in 2020 may now fall in the war exclusion, particularly if attribution to a state actor or state-sponsored group is established.
Evidence-based underwriting. Insurers learned that application forms self-attesting to security controls didn't predict claims accurately. The current generation of underwriting uses external security ratings, Essential Eight maturity assessments, and detailed technical questionnaires that are harder to bluff. Several insurers will require external scans of the applicant's public-facing infrastructure as part of the application.
What controls do cyber insurers require for SMEs in 2026?
The required controls vary by insurer, but a common 2026 baseline for Australian SME cyber cover is:
MFA on email, remote access, and admin accounts. This is universal. No serious insurer will issue cyber cover to an SME without MFA on Microsoft 365 or Google Workspace, on remote access (VPN, RDP, RMM), and on privileged accounts. Some insurers now also require MFA on customer-facing portals and finance system logins.
EDR or next-generation antivirus on every endpoint. Traditional signature-based AV no longer satisfies most underwriting requirements. The expectation is behavioural detection (Sophos Intercept X, Microsoft Defender for Endpoint, SentinelOne, CrowdStrike) rather than signature-based.
Immutable or offline backups. Insurers want evidence that ransomware can't encrypt or delete the backups. The technical bar is typically immutable backups (Proxmox Backup Server with immutability, Veeam with hardened repositories, cloud backup with object lock) or air-gapped backups, with documented restore testing.
Email security and phishing awareness. Email gateway protection (Mimecast, Microsoft Defender for Office 365), phishing simulation training, and DMARC/DKIM/SPF properly configured. Around 85% of Australian SME cyber incidents start with email.
Patching discipline. Some insurers ask for evidence of patching cadence, particularly for internet-facing systems. Patching critical vulnerabilities within 14 days of vendor release is becoming common as a written requirement.
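The email-authentication part of the email security control above (SPF, DKIM and DMARC "properly configured") is the one an underwriter can check from the outside in seconds, so it is worth checking yourself before the questionnaire arrives. The script below is an added example, not code from this page or from 4iT: it lints the three TXT records for the weak settings that questionnaires probe (an SPF record ending in `+all` or `?all`, more than ten DNS lookups, a DMARC policy of `p=none` or a partial `pct`, a DKIM key in testing mode). The two sets of records are constructed; the Microsoft 365 SPF include is the standard one, but the domains, mailbox name and DKIM key value are placeholders. The script does not resolve DNS, so paste in the records you get from `dig TXT example.com.au`, `dig TXT _dmarc.example.com.au` and `dig TXT selector1._domainkey.example.com.au`.

```python
"""Lint SPF, DKIM and DMARC TXT records for the weak settings that cyber
insurance questionnaires probe. Added example, not code from the page or 4iT.
"""
import re

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 s4.6.4: more than 10 lookups is a permerror


def lint_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means no weakness found."""
    findings: list[str] = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # RFC default qualifier is +
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:=/]", body, maxsplit=1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
            if name == "ptr":
                findings.append("SPF: 'ptr' mechanism is deprecated and unreliable")
    if all_qualifier is None:
        findings.append("SPF: no 'all' term, unlisted senders are neither failed nor softfailed")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises any host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral, unlisted senders are treated as unverified")
    # '~all' (softfail) is accepted: with a DMARC reject policy it still blocks spoofing; '-all' is stricter.
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    return findings


def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dkim(record: str) -> list[str]:
    """Findings for a DKIM selector record (selector._domainkey.<domain> TXT)."""
    findings: list[str] = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional and defaults to DKIM1
        return ["DKIM: unrecognised key record version"]
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag means the key is revoked, signed mail will fail")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("DKIM: t=y testing flag set, receivers may ignore signature failures")
    return findings


def lint_dmarc(record: str) -> list[str]:
    """Findings for the _dmarc.<domain> TXT record."""
    findings: list[str] = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy 'p={policy}'")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if not tags.get("rua"):
        findings.append("DMARC: no rua= address, so no aggregate reports to find unlisted senders")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("DMARC: sp=none leaves subdomains spoofable while the apex is enforced")
    return findings


def assess(spf: str, dkim: str, dmarc: str) -> dict:
    """Combine the three checks. 'enforcing' is what 'properly configured' means to an underwriter."""
    findings = lint_spf(spf) + lint_dkim(dkim) + lint_dmarc(dmarc)
    return {"enforcing": not findings, "findings": findings}


# Constructed sample records for two hypothetical Microsoft 365 tenants. The SPF include
# is the standard Microsoft 365 one; the domain, mailbox and key value are placeholders.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com +all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=PLACEHOLDERPUBLICKEY",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com.au; sp=reject",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        result = assess(**records)
        print(f"{label}: enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The weak tenant is what a lot of SMEs actually look like after a default Microsoft 365 setup: SPF present but ending in `+all` (which authorises everyone), DKIM still in testing mode, and DMARC published at `p=none` so it reports but blocks nothing. Fixing those three lines is a same-day job and is exactly what "DMARC/DKIM/SPF properly configured" means on an underwriting form.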
How does Essential Eight maturity affect cyber insurance?
The ASD Essential Eight has become a useful shorthand for cyber maturity in Australian insurance underwriting. Insurers don't necessarily require formal Essential Eight assessments, but most ask questions that map directly onto the eight controls: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.
For SMEs, reaching Maturity Level 1 across all eight controls typically satisfies most underwriting requirements. Maturity Level 2 (still affordable for an SME) typically improves premium pricing or unlocks higher cover. Maturity Level 3 is largely an enterprise concern, but where an SME does reach it, it is a strong signal to underwriters.
For SMEs servicing government clients or regulated industries, an Essential Eight maturity assessment is increasingly contractually required, separately from cyber insurance. Doing the assessment once and using it for both insurance and customer due diligence is efficient.
What should an SME do before applying for cyber insurance?
Six practical steps that improve both insurability and security posture.
1. Document your controls before the application form arrives. Insurers ask the same 50-100 questions about MFA coverage, EDR deployment, backup architecture, patching cadence, and incident response plans. Writing these answers down once, accurately, is a one-week project that pays back across multiple insurance applications.
2. Close the obvious gaps before applying. If MFA isn't on every email account, fix that first. If admin accounts are still using shared passwords, fix that. If backups haven't been tested in the last quarter, test them. Each obvious gap that's still present at application time either kills the application or pushes the premium materially higher.
3. Run an external attack surface scan. Tools like SecurityScorecard, Bitsight, or even ASD's free Cyber Hygiene service show what an external attacker (or an insurance underwriter using similar tools) can see about your public-facing infrastructure. Closing externally-visible vulnerabilities before the underwriter looks at you is cheap and effective.
4. Get an Essential Eight maturity assessment if you can. Even at Maturity Level 1, having a documented assessment improves underwriting outcomes and gives you a clear improvement roadmap.
5. Use a broker who knows cyber. Cyber insurance is technical. A specialist broker who understands the controls and can negotiate sub-limits and exclusions on your behalf typically pays for themselves in the first policy year.
6. Don't misrepresent the application form. Cyber claims are increasingly being declined where the insured's application form overstated control coverage. If MFA is on 80% of accounts, write 80%, not 100%. The lower premium isn't worth the voided cover when a claim is declined for misrepresentation.
Frequently asked questions
How much does cyber insurance cost for an Australian SME?
Annual premiums for Australian SMEs in 2026 typically range from AU$3,000 for small businesses with strong controls and AU$1 million in cover, to AU$30,000-50,000+ for larger SMEs with AU$5 million in cover or higher-risk profiles. Pricing depends heavily on annual revenue, sector, security controls in place, claims history, and the policy structure (deductible, ransomware sub-limits, business interruption cover).
What's the minimum security required for cyber insurance in Australia?
Most insurers now require MFA on email and admin accounts, EDR or next-generation antivirus on every endpoint, immutable or offline backups with tested restore, and email security gateway protection. Some insurers add patching cadence requirements and phishing simulation training. Below these minimums, cyber insurance is increasingly difficult to obtain at any reasonable price.
Does my SME need cyber insurance if we follow the Essential Eight?
Essential Eight reduces the likelihood and impact of cyber incidents but doesn't eliminate them. Cyber insurance covers the financial consequences when an incident does occur: forensic investigation, business interruption, customer notification, regulatory investigation, and third-party liability. For most SMEs handling personal or financial information, both controls and insurance make sense, with Essential Eight reducing premiums and Essential Eight Maturity Level 2+ unlocking higher cover.
Will cyber insurance pay the ransomware ransom?
Some policies cover ransom payments and some explicitly exclude them. Where cover is provided, ransomware sub-limits (cover capped well below the policy aggregate) are now common. Insurers increasingly require pre-approval before any ransom is paid, and may decline cover if the payment falls foul of sanctions, AUSTRAC AML/CTF rules, or the entity's reporting obligations under the Cyber Security Act 2024.
Does my cyber insurance still cover me if I don't report a ransomware payment?
Probably not. Many cyber insurance policies now include compliance with statutory obligations as a policy condition. Failure to report a ransomware payment to ASD within 72 hours, where required under the Cyber Security Act 2024 (the obligation applies to entities in scope of the ransomware payment reporting rules, currently businesses with annual turnover of AU$3 million or more and responsible entities for critical infrastructure assets), can be grounds for claim denial. Reporting is a low-effort, statutorily protected action; not reporting puts both your statutory and insurance position at risk.
If you'd like a hand getting your security controls to the level cyber insurers expect, running an Essential Eight maturity assessment, or preparing a clean application form that gets you the best premium your controls deserve, we can run a cyber insurance readiness review tailored to where your SME sits today.
About the author
Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on cybersecurity, including the Essential Eight, Microsoft 365 hardening, phishing simulation, EDR rollout, and incident response, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.