
Insurance Compliance

Cyber Insurance Readiness

Meet insurer requirements. Reduce premiums. Get claims paid.

40% of cyber insurance claims were denied in 2024. Most businesses don't know they have gaps until it's too late. We help you meet insurer requirements, complete applications accurately, and prove the security posture that gets claims paid.

Meet 6 AU/NZ Controls | Reduce Premiums 10-30% | Assessments from $2,500
$467M

Australian cyber insurance market 2025

40%+

Of cyber insurance claims denied in 2024

6

Minimum controls required in AU/NZ (vs 5 global)

$4.26M

Average Australian breach cost in 2024

The Rules Have Changed

2025 Reality Check

  • More than 40% of cyber insurance claims were denied in 2024 — mostly for security gaps businesses didn't know they had
  • Australian insurers now require a minimum of 6 security controls (vs 5 globally) — we're a bigger target
  • From 30 May 2025, businesses over $3M revenue must report ransomware payments within 72 hours — or face penalties
  • 82% of successful claims involved organisations that had multi-factor authentication in place
  • Only 18% of applicants can confirm they have all four essential controls implemented

Your cyber insurance policy is only as good as your ability to prove you met the requirements.

We make sure you can.

This Service Is For You If...

You recognise yourself in any of these situations

  • Your cyber insurance renewal is coming up and you're not sure you'll qualify
  • You've been asked to complete an insurance questionnaire you don't fully understand
  • Your premiums have increased significantly and you want to reduce them
  • You're concerned your claim would be denied if you had an incident
  • You've been told you need MFA, EDR, or "better security" but don't know where to start
  • Your business is over $3M revenue and you're not prepared for ransomware reporting requirements
  • You want to know exactly what security controls you need to maintain coverage
  • A competitor or client has asked for evidence of your cyber insurance and security posture

Why 40%+ of Claims Get Denied

The top reasons businesses don't get paid when they need it most

  • 35%

    Missing or incomplete MFA

    Insurers require MFA on all remote access, email, and privileged accounts. Partial implementation doesn't count.

  • 25%

    Inadequate endpoint protection

    Traditional antivirus no longer qualifies. Insurers require EDR/MDR with 24/7 monitoring.

  • 20%

    Policy exclusions not understood

    A quarter of denials happen because businesses didn't realise certain incidents weren't covered.

  • 12%

    Late incident notification

    Most policies require notification within hours. Delays can void coverage entirely.

  • 8%

    Misrepresentation on application

    Claiming controls you don't actually have means automatic denial and potential fraud.

The 6 Controls Australian Insurers Demand

AU/NZ insurers require 6 controls (vs 5 globally) because we're 9% more likely to be attacked

Multi-Factor Authentication (MFA)

Enforced on all remote access, email, cloud apps, and privileged accounts

Acceptable

  • Microsoft Authenticator
  • Duo
  • Hardware tokens (FIDO2)
  • Conditional Access policies

Not Acceptable

  • SMS-only MFA
  • MFA "available" but not enforced
  • Partial rollout

Endpoint Detection & Response (EDR)

24/7 monitored EDR on all endpoints including servers

Acceptable

  • CrowdStrike Falcon
  • SentinelOne
  • Microsoft Defender for Endpoint (E5)
  • Managed MDR service

Not Acceptable

  • Traditional antivirus
  • Unmonitored EDR
  • Consumer-grade products

Backup & Recovery

Tested backups with offline/immutable copies and documented RTO/RPO

Acceptable

  • 3-2-1 strategy with tested restores
  • Immutable cloud backups
  • Air-gapped copies

Not Acceptable

  • Untested backups
  • Online-only backups (ransomware-accessible)
  • No documented recovery plan
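The backup criteria above (three copies, two media, one offsite, an immutable or offline copy, and a recent tested restore) can be checked mechanically against a backup inventory. The script below is an added illustration, not tooling from this page or its authors; the inventory records, copy names and the 90-day restore-test window are constructed assumptions.

```python
"""Backup posture check against the 3-2-1 + immutable + tested-restore rule.

Added example, not the page's own code. Copy names, media types and the
90-day maximum age for a restore test are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    media: str                        # e.g. "disk", "tape", "object-storage"
    location: str                     # "onsite" or "offsite"
    online: bool                      # reachable over the network from production hosts
    immutable: bool                   # WORM / object lock; cannot be altered by ransomware
    last_restore_test: Optional[date]  # None = never tested


def assess_backups(copies: List[BackupCopy], today: date, max_test_age_days: int = 90) -> dict:
    """Return {'acceptable': bool, 'findings': [...]} for a set of copies.

    Copies include the production data set itself, as the 3-2-1 rule counts it.
    A finding is recorded for each criterion from the page that is not met.
    """
    findings = []
    if len(copies) < 3:
        findings.append("fewer than 3 copies of the data")
    if len({c.media for c in copies}) < 2:
        findings.append("copies are not held on 2 different media types")
    if not any(c.location == "offsite" for c in copies):
        findings.append("no offsite copy")
    # An online copy that is not immutable is reachable by ransomware on the network.
    if not any(c.immutable or not c.online for c in copies):
        findings.append("no immutable or offline copy (all copies ransomware-accessible)")
    tested = [
        c for c in copies
        if c.last_restore_test is not None
        and (today - c.last_restore_test).days <= max_test_age_days
    ]
    if not tested:
        findings.append(f"no successful restore test within {max_test_age_days} days")
    return {"acceptable": not findings, "findings": findings}


# Constructed sample inventories (not real environments).
TODAY = date(2025, 6, 10)

WEAK_SET = [
    BackupCopy("prod-fileserver", "disk", "onsite", online=True, immutable=False, last_restore_test=None),
    BackupCopy("nas-nightly", "disk", "onsite", online=True, immutable=False, last_restore_test=None),
]

STRONG_SET = [
    BackupCopy("prod-fileserver", "disk", "onsite", online=True, immutable=False, last_restore_test=None),
    BackupCopy("cloud-objectlock", "object-storage", "offsite", online=True, immutable=True,
               last_restore_test=date(2025, 5, 20)),
    BackupCopy("tape-weekly", "tape", "offsite", online=False, immutable=False, last_restore_test=None),
]

if __name__ == "__main__":
    for label, copies in (("weak", WEAK_SET), ("strong", STRONG_SET)):
        result = assess_backups(copies, TODAY)
        print(f"{label}: acceptable={result['acceptable']}")
        for f in result["findings"]:
            print(f"  - {f}")
```

The "weak" set is the "online-only backups" case the page calls out: two disk copies on the same site, both reachable from production and never restore-tested, so every criterion fails. The "strong" set passes because the object-lock copy is immutable and offsite and has a restore test inside the window, while the tape copy provides the second medium and an offline copy.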

Patch Management

Critical patches within 48 hours, all patches within 14 days

Acceptable

  • Automated patching with reporting
  • Vulnerability management program
  • Documented exceptions

Not Acceptable

  • Manual ad-hoc patching
  • 30+ day patch cycles
  • No visibility into patch status
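The patch thresholds above (critical within 48 hours, everything else within 14 days) are the kind of figure an insurer expects to see backed by a patch management report. The script below is an added example, not the page's or any vendor's tooling, that scores a patch inventory against those two SLAs and lists the exceptions. The hostnames, advisory ids and timestamps are constructed sample data; the advisory ids are placeholders rather than real CVE numbers.

```python
"""Patch SLA compliance report for the 48-hour / 14-day thresholds.

Added example, not code from this page. Hosts, advisory ids (placeholders,
not real CVEs) and timestamps are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

CRITICAL_SLA = timedelta(hours=48)   # critical patches: within 48 hours
STANDARD_SLA = timedelta(days=14)    # all other patches: within 14 days


@dataclass
class PatchRecord:
    host: str
    advisory: str                # placeholder id, e.g. "ADV-0001"
    severity: str                # "critical" or "standard"
    released: datetime           # when the vendor released the fix
    applied: Optional[datetime]  # None = not yet installed


def sla_for(severity: str) -> timedelta:
    return CRITICAL_SLA if severity == "critical" else STANDARD_SLA


def evaluate(record: PatchRecord, now: datetime) -> dict:
    """Classify one record as compliant, late, overdue (unpatched past deadline) or open (unpatched, in window)."""
    deadline = record.released + sla_for(record.severity)
    if record.applied is not None:
        status = "compliant" if record.applied <= deadline else "late"
        elapsed = record.applied - record.released
    else:
        status = "overdue" if now > deadline else "open"
        elapsed = now - record.released
    return {
        "host": record.host,
        "advisory": record.advisory,
        "severity": record.severity,
        "status": status,
        "deadline": deadline,
        "elapsed_hours": round(elapsed.total_seconds() / 3600, 1),
    }


def report(records: List[PatchRecord], now: datetime) -> dict:
    """Summarise compliance. 'open' records are not counted: their SLA has not expired yet."""
    rows = [evaluate(r, now) for r in records]
    counted = [r for r in rows if r["status"] != "open"]
    compliant = sum(1 for r in counted if r["status"] == "compliant")
    rate = compliant / len(counted) if counted else 1.0
    exceptions = [r for r in rows if r["status"] in ("late", "overdue")]
    return {"rows": rows, "compliance_rate": rate, "exceptions": exceptions}


# Constructed sample inventory; the report is generated as of NOW.
UTC = timezone.utc
NOW = datetime(2025, 6, 10, 9, 0, tzinfo=UTC)

SAMPLE = [
    # critical fix installed after 36 hours: compliant
    PatchRecord("fs01", "ADV-0001", "critical", datetime(2025, 6, 1, 8, 0, tzinfo=UTC), datetime(2025, 6, 2, 20, 0, tzinfo=UTC)),
    # same fix installed after 73 hours: late
    PatchRecord("web01", "ADV-0001", "critical", datetime(2025, 6, 1, 8, 0, tzinfo=UTC), datetime(2025, 6, 4, 9, 0, tzinfo=UTC)),
    # standard fix installed after 12 days: compliant
    PatchRecord("ws-102", "ADV-0002", "standard", datetime(2025, 5, 20, 0, 0, tzinfo=UTC), datetime(2025, 6, 1, 0, 0, tzinfo=UTC)),
    # standard fix still missing, 14-day deadline passed on 3 June: overdue
    PatchRecord("ws-103", "ADV-0002", "standard", datetime(2025, 5, 20, 0, 0, tzinfo=UTC), None),
    # standard fix released 2 days ago, deadline 22 June: open (not counted yet)
    PatchRecord("db01", "ADV-0003", "standard", datetime(2025, 6, 8, 0, 0, tzinfo=UTC), None),
]

if __name__ == "__main__":
    result = report(SAMPLE, NOW)
    print(f"Patch SLA compliance as of {NOW:%Y-%m-%d}: {result['compliance_rate']:.0%}")
    for row in result["rows"]:
        print(f"  {row['host']:8} {row['advisory']} {row['severity']:8} {row['status']:9} {row['elapsed_hours']:>7}h")
    print("Exceptions requiring a documented reason:")
    for row in result["exceptions"]:
        print(f"  {row['host']} {row['advisory']} (deadline {row['deadline']:%Y-%m-%d %H:%M})")
```

The exceptions list is the part worth keeping as evidence: the page notes that insurers accept documented exceptions, so each late or overdue entry should carry a recorded justification rather than silently lowering the rate. Records whose window has not expired are excluded from the rate so that a freshly released patch does not count against the business before the SLA has run.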

Privileged Access Management

Restricted admin rights, separate accounts, least privilege

Acceptable

  • No day-to-day admin rights
  • Separate admin accounts
  • PAM solution
  • Just-in-time access

Not Acceptable

  • Users with local admin
  • Shared admin accounts
  • Domain admin for daily use

Security Awareness Training

Regular training with phishing simulations for all staff

Acceptable

  • Quarterly training modules
  • Monthly phishing simulations
  • Documented completion rates

Not Acceptable

  • One-time training
  • No simulations
  • No completion tracking

Insurance Questionnaire Decoded

What insurers really ask, and what they actually want

  • Do you require MFA for all remote access and web-based email?

    What They Really Mean

    Is MFA enforced (not just available) for VPN, RDP, O365, and all cloud apps?

    Evidence Needed

    Admin console screenshots showing MFA policies enabled and enforced

    The Gotcha

    Having MFA "available" but not "enforced" doesn't count

  • What endpoint security solutions do you use?

    What They Really Mean

    Do you have real-time EDR with automated response, not just antivirus?

    Evidence Needed

    Dashboard showing all endpoints protected, recent alerts, and isolation capabilities

    The Gotcha

    Windows Defender alone typically doesn't qualify without E5 licensing and proper configuration

  • Do you have tested backup and recovery procedures?

    What They Really Mean

    Can you prove your backups work and are protected from ransomware?

    Evidence Needed

    Recent test restore documentation, 3-2-1 backup strategy confirmation, immutable/air-gapped copies

    The Gotcha

    "We back up nightly" isn't enough — they want tested, documented recovery

  • Do you have an incident response plan?

    What They Really Mean

    Is there a written plan with defined roles that's been tested?

    Evidence Needed

    Documented IR plan, evidence of tabletop exercises or drills

    The Gotcha

    A plan that's never been tested is almost as bad as no plan

  • How quickly do you patch critical vulnerabilities?

    What They Really Mean

    Can you prove you patch internet-facing systems within 48 hours of critical CVEs?

    Evidence Needed

    Patch management reports, vulnerability scan results

    The Gotcha

    30-day patching cycles are no longer acceptable for critical vulnerabilities

  • Do you have security awareness training?

    What They Really Mean

    Are all staff trained regularly with documented completion?

    Evidence Needed

    Training completion reports, phishing simulation results

    The Gotcha

    Annual training isn't enough — insurers want ongoing training and simulations

What Happens Without Proper Cover

The real financial impact when things go wrong

Ransomware attack — claim denied

$50,000 - $500,000+

You pay the ransom, recovery costs, legal fees, and notification costs out of pocket. Average ransomware recovery: $1.85M.

Business email compromise — not covered

$20,000 - $2,000,000+

Wire fraud from a compromised email. Many policies exclude social engineering or have sub-limits.

Data breach — policy voided for misrepresentation

$100,000 - $4,260,000+

If you claimed MFA was implemented but it wasn't, the entire policy can be voided. You're fully exposed.

Ransomware payment — failed to report within 72 hours

Up to $19,800 penalty + reputational damage

From May 2025, businesses over $3M must report payments within 72 hours. Non-compliance attracts civil penalties.

Your Insurance Readiness Journey

From gap analysis to evidence package in 4-8 weeks

  1. Week 1

    Gap Assessment

    We assess your current security posture against what insurers actually require. No guessing.

    Deliverable

    Gap analysis report with RAG status for each control

  2. Week 2

    Remediation Plan

    Prioritised roadmap to close gaps before your renewal. Quick wins first, complex items scheduled.

    Deliverable

    Remediation plan with timelines and responsibilities

  3. Weeks 3-6

    Implementation Support

    We help implement or verify controls. MFA rollout, EDR deployment, policy documentation.

    Deliverable

    Implemented controls with evidence collected

  4. Weeks 6-8

    Evidence Package

    Comprehensive evidence package for your application or renewal. Screenshots, reports, attestations.

    Deliverable

    Insurance-ready evidence folder + questionnaire assistance

Premium Reduction Opportunities

Insurers reward businesses that demonstrate strong security. Here's what can reduce your premiums.

Actual reductions vary by insurer, industry, and claims history. These are typical ranges we see.

  • 24/7 MDR/SOC monitoring

    Biggest single premium reducer

    10-20%
  • MFA everywhere (enforced)

    Table stakes, but reduction still available

    5-15%
  • Essential Eight compliance

    Australian framework recognised by local insurers

    5-15%
  • ISO 27001 certification

    Formal certification carries weight

    5-10%
  • Documented incident response

    With evidence of testing/exercises

    5-10%
  • Security awareness program

    Ongoing training + phishing simulations

    3-5%

Deadline Alert

Ransomware Payment Reporting

Effective 30 May 2025

The Cyber Security Act 2024 introduces mandatory ransomware payment reporting for Australian businesses.

Who Must Report

  • Businesses with annual turnover exceeding $3 million
  • Responsible entities for critical infrastructure assets

Requirements

  • Report any payment within 72 hours to ASD via ACSC portal
  • Include payment amount, cryptocurrency details, incident description
  • Non-compliance: up to $19,800 penalty

We help you build incident response plans that include these reporting requirements.

Who Needs This Most

Industries where insurance readiness is critical

Professional Services

Client data, trust accounts, confidential information — high-value targets with reputational risk

Healthcare

Patient data, Medicare compliance, operational continuity requirements

Financial Services

APRA CPS 234/230 requirements, client funds, regulatory scrutiny

Manufacturing

OT/IT convergence, supply chain pressure, ransomware targeting

Government Suppliers

Essential Eight requirements increasingly tied to contract eligibility and insurance

Any business over $3M revenue

New ransomware reporting requirements from May 2025


Ready to Meet Insurer Requirements?

Find out where you stand before your renewal. Gap analysis from $2,500 — no last-minute panic.

Get Readiness Assessment

Renewal coming up? We prep 8–10 weeks out.