Cyber insurance for Australian SMBs in 2026: what underwriters actually want

By Greg Markowski / Jun 3, 2026 / Cybersecurity & Compliance

The cyber insurance market for Australian SMBs has changed materially over the past 24 months. Premiums have risen, coverage has narrowed, and underwriters now ask much harder questions on the application. Businesses that breeze through their renewal without thinking carefully about the answers are increasingly finding their policies declined, sublimited, or excluded in ways they did not expect.

This is a practical guide to what cyber insurance underwriters now want from AU SMBs, why the questions have changed, and what to have ready before your next renewal conversation.

Why underwriting tightened

Three forces drove the change. First, claims experience: ransomware claims grew faster than the premium pool through 2022-2024, and insurers re-priced and re-scoped in response. Second, the regulatory environment: Privacy Act penalties, mandatory ransomware reporting, and the broader compliance burden mean insurers are exposed to more breach-related costs than ever before. Third, Microsoft 365 commoditisation: with most SMBs now in the same cloud, breach patterns are consistent and underwriters can ask sharper questions about specific controls.

The result is an underwriting questionnaire that looks far more like a cybersecurity audit than the broad-strokes application of 2020. AU SMBs that have not refreshed their cybersecurity posture in line with this are seeing rising premiums or declined renewals.

The questions underwriters now ask

From recent AU SMB applications we have helped clients complete, the questions cluster into five areas.

Multi-factor authentication. Is MFA enabled on email, on remote access, on administrative accounts, on cloud platforms, on the financial system? Insurers want yes-on-everything answers with evidence. Partial MFA coverage is now treated as a material risk factor.

Endpoint protection. Specifically endpoint detection and response (EDR), not just legacy antivirus. Insurers want to know which EDR product is deployed, whether it is centrally managed, and what the response process is when an alert fires. Without EDR on every endpoint, expect a higher premium or coverage limitations.

Backup and recovery. Are backups separated from the production network (immutable or air-gapped)? When were they last tested with a full restore? What is the recovery time objective for the systems backed up? Insurers know that ransomware claims are dominated by businesses whose backups were not tested or were on the same network the ransomware encrypted.

Operating system support status. This is the new question since October 2025, when Windows 10 reached end of support. Are any endpoints running unsupported operating systems? Windows 10 endpoints in 2026 trigger this question, and “yes” answers result in coverage exclusions or premium loading.

Framework alignment. Is your business aligned to Essential Eight or SMB1001 or ISO 27001? Insurers want concrete evidence: certification, a recent gap assessment, an ongoing programme. Self-attestation without a framework reference is the weakest possible answer.

What coverage looks like in 2026

For a typical 50-person Perth SMB with reasonable controls, current market pricing for cyber insurance is roughly $5,000-12,000 per year for $1-2 million in coverage. Two years ago the same business paid $2,500-5,000. Three years ago $1,500.

The coverage itself is also narrower. Common exclusions and sublimits we now see include ransomware payments (or low sublimits), incidents involving unsupported operating systems, incidents involving credentials shared between users, social engineering above a sublimit, business interruption beyond 30-60 days, and incidents where the controls described on the application were misrepresented.

Read the policy wording before assuming any specific coverage applies. The 2024 and 2025 wordings are substantially different from 2022 wordings, and broker-supplied summaries do not always reflect the changes.

What to have ready for your next renewal

Six months before renewal is the right time to start. Three months out is workable. The last month is too late to fix anything material.

An accurate cybersecurity controls inventory. List every control underwriters typically ask about (MFA, EDR, backup, patching, email security, training) and document the current state for each. “We have MFA” is not an answer; “MFA enforced on all M365 accounts with conditional access, MFA on admin accounts via FIDO2 keys, MFA required for Azure AD privileged roles managed through Privileged Identity Management (PIM)” is an answer.

Framework alignment evidence. If you have SMB1001 or Essential 8 alignment, gather the certificate or recent gap assessment. If you do not, consider whether the cost of getting to SMB1001 Bronze or Silver before renewal is worth the premium reduction. We have seen 15-25% premium reductions tied directly to demonstrable framework alignment.

Incident response plan. A written document, dated within the past 12 months, with named accountabilities and tested procedures. Insurers now ask for this directly. Businesses without one are treated as higher risk.

Recent breach history (yours and your sector). Be ready to discuss any near-misses, attempted breaches, or industry incidents. Underwriters research this independently anyway, and proactive disclosure with context is materially better than the underwriter discovering it second-hand.

The relationship with cybersecurity controls

Cyber insurance is increasingly behaving like a forcing function for cybersecurity investment. The premium differential between a business with strong controls and weak controls is now large enough that paying for the controls is cheaper than paying for the premium loading.

For a 50-person Perth SMB, deploying EDR, implementing SMB1001 Silver, and producing a tested incident response plan typically costs $15,000-25,000 in year one and $5,000-10,000 ongoing. The premium reduction often pays for half of this in year one alone, and the avoided breach cost (if you ever have one) pays for it many times over.

The maths only works if your business actually does the work, rather than just answering the application questions optimistically. Insurers are doing post-incident validation more aggressively now. A claim disputed because the application answers misrepresented controls is worse than no insurance at all.

How Epic IT helps

For our managed cybersecurity clients, we provide an annual cyber insurance readiness review as part of the standard service. The output is the controls inventory, the framework alignment evidence, and the documentation your broker needs to negotiate the best available terms.

For businesses without managed cybersecurity in place, we offer cyber insurance readiness reviews as a standalone engagement. The engagement typically takes 2-3 weeks and delivers a documented controls inventory, gap analysis against current market underwriting expectations, and a recommended remediation programme to close gaps before renewal.

What you should do now

Confirm your cyber insurance renewal date and start preparing six months out. If your renewal is within three months, get the controls inventory underway this week. Late preparation costs measurably in premium and coverage terms.

Read your current policy wording, not the broker summary. Focus on exclusions and sublimits, particularly around ransomware, business interruption, and unsupported endpoints. Understand what you are actually covered for before assuming anything.

Book a cyber insurance readiness review with us. Contact us on 1300 EPIC IT. We will produce the documentation your broker needs to negotiate the best available terms at your next renewal.

Frequently asked questions

How much does cyber insurance cost for an AU SMB in 2026?

For a typical 50-person Perth SMB with reasonable cybersecurity controls, $1-2 million in coverage costs approximately $5,000-12,000 per year. Premiums vary substantially based on industry, controls maturity, claims history, and turnover. Businesses without framework alignment or with weak controls pay materially more or face declined renewals.

What is the most important cybersecurity control for cyber insurance?

Multi-factor authentication on every account, particularly email and remote access. Most ransomware claims trace to credential compromise that MFA would have prevented. Insurers treat MFA as a near-mandatory baseline; missing MFA on any significant system typically results in declined or sublimited coverage.

Does SMB1001 or Essential 8 reduce cyber insurance premiums?

Often yes. Demonstrable framework alignment typically reduces premiums by 15-25% at renewal compared to self-attestation alone. Underwriters value concrete evidence of controls and tested processes. The exact reduction depends on insurer, broker negotiation, and the specifics of the framework alignment.

What does cyber insurance NOT cover in 2026?

Common exclusions include ransomware payments (or low sublimits), incidents involving unsupported operating systems, incidents involving credentials shared between users, social engineering above a sublimit, business interruption beyond 30-60 days, and incidents where the controls described on the application were misrepresented. Read your policy wording for the specifics.

How long does cyber insurance readiness preparation take?

Allow 2-3 weeks to produce the documented controls inventory, gap analysis, and framework alignment evidence. Allow another 1-3 months to close any material gaps before renewal. For businesses six months out from renewal, this is comfortably achievable. For businesses one month out, the focus shifts to documenting current state accurately rather than improving it.

Renewing cyber insurance soon? Get a readiness review.

Our Perth-based team will produce the controls inventory and framework evidence your broker needs to negotiate the best available terms. No obligation.


About the Author
Written by Greg Markowski, Founding Director of Epic IT, a CRN Fast50-recognised Microsoft Solutions Partner managing IT and cybersecurity for Perth businesses since 2003. Greg holds a Degree in Computer Science and a Diploma in Computer Systems Engineering from Edith Cowan University, and is ITIL certified.
