Cyber insurance in ANZ: Why compliance is your best ally

While you may think of cyber insurance as just one more thing to add to the “things we should do but probably don’t really need” list, now’s the time to think again.

Cybersecurity in Australia can no longer be considered “best practice” or an IT hygiene issue. It’s now directly linked to your legal, regulatory, and director obligations, with multiple regimes converging around risk management, incident reporting, and governance.

The 2025 Veeam Ransomware Trends Report says that 69% of organisations experienced at least one ransomware attack in the past year, and many were attacked multiple times. Which means that for the majority, cyber insurance could well be a financial lifesaver in a crisis.

But insurers are no pushovers. They demand that you are genuinely doing your best (and can prove it) to protect your business and its data.

The hardline approach

As expected, cyber insurance is a rapidly growing market. Insurance Business Mag reported in late 2025 that sectors more vulnerable to attack (such as healthcare) may face higher premiums and more restrictive terms. And as AI plays an increasing role in cybercrime, insurers’ policies are likely to be further enhanced for all policyholders.

What’s important to note is that there’s no wriggle room in cyber insurance. Claim denial is real, and adherence requirements are strict.

If you think that ANZ organisations have it tough by global standards for cyber insurance, you’re right. When Arctic Wolf surveyed 400 cyber insurance brokers and carriers worldwide, they found that ANZ insurers require an average of six security controls to qualify for cyber insurance. The rest of the world only requires five.

Why are our controls more rigorous?

That same Arctic Wolf research mentioned earlier cites two key drivers for the demand for six controls:

  1. We’re an attractive target: Organisations in Australia and New Zealand are 9% more likely to experience a significant cyberattack than the global average.
  2. The penalties are high: High‑profile regional breaches and stronger regulatory expectations (e.g., the Privacy Act and APRA CPS 234).

Multiple independent reports also say that as well as our control number being higher than the global average, our insurers take a stricter approach to the depth of verification.

The widely reported trend in ANZ‑specific market analysis and broker commentary is that our underwriters are increasingly scanning external attack surfaces, validating the depth of MFA coverage, requesting evidence of EDR deployment, backup immutability and logging, and re-verifying controls at claim time.

The Essential Eight enforced?

While not a mandatory government requirement (although strongly advised), alignment with the Essential Eight is now being driven by our insurers.

Most now require controls that map directly to the Essential Eight maturity levels – and some won’t even provide quotes unless you can say ‘absolutely – yes!’ to the following questions – and partial implementation is often treated as non‑compliance:

  • Do you enforce MFA across all cloud and remote access points?
  • Have you enforced application allowlisting?
  • Is your patching done within the recommended timeframes?
  • Do you have EDR (endpoint detection and response) on all your workstations and servers?
  • Do you do daily backups with offline or immutable copies?
  • Do you enforce user access reviews and privileged account controls?
  • Are your people supported and educated with security awareness training?

But it’s no use just being able to say ‘yes’ to these questions; insurers will often ask you to demonstrate that you have these controls in place.

And after several high-profile vendor-linked breaches here in Australia, they’re also throwing in questions about your supply chain risk: how you assess it, whether your vendors meet baseline security requirements, and what controls your managed IT provider enforces.

Lining up your cybersecurity ducks

Compliance is key not only to keeping your organisation safe but also to being eligible for cyber insurance in the first place, and even to influencing your premiums.

The six security controls you must enforce to be compliant and insurance ready are:

  1. Email security – preventing phishing, malware, and other malicious emails before they reach users.
  2. Identity and access management (IAM) – enforcing strict control over who can access systems, applications, and data.
  3. Multi‑Factor Authentication (MFA) – strengthening login security across all systems, with priority on remote access and privileged accounts.
  4. Endpoint Detection and Response (EDR) – continuously monitoring endpoints (workstations and servers) to rapidly detect, contain, and stop threats.
  5. Regular, secure backups – maintaining encrypted, tested backups that are isolated from the network to minimise ransomware impact.
  6. Patch management – keeping operating systems and software up to date to address vulnerabilities before they can be exploited.

Insurers also consider advanced protections, such as 24/7 security operations centres (SOCs) and managed detection and response services, as highly impactful.

Resilience is better than regret

While it might not feel like it at the time, ensuring your cybersecurity controls meet insurers’ expectations and requirements also pays off for your organisation.

Your premiums are likely to be lower, and your diligence in maintaining and improving those controls in the face of high regional risk helps mature your security posture.

You have everything to gain, and nothing to lose.

© 2021 Global Storage. All rights reserved.