Cyber Insurance: What Your Policy Actually Requires

Posted on May 29, 2026 in Security

Cyber insurance has evolved from a nice-to-have into an essential business protection, but many organisations are surprised to discover their policies come with specific technical requirements. Think of it like car insurance requiring working brakes — insurers now mandate certain security measures before they’ll provide coverage.

Multi-Factor Authentication is Non-Negotiable

Nearly every cyber insurance policy now requires multi-factor authentication (MFA) on all administrative accounts and, increasingly, for all users. This isn’t just a checkbox exercise — insurers are checking that MFA is properly configured and actively monitored. If a breach occurs and MFA wasn’t in place, you might find your claim denied.

Backup and Recovery Requirements

The days of simple daily backups are gone. Modern policies typically require:

  • Automated, tested backups stored offline or in immutable storage
  • Regular recovery testing (not just backup testing)
  • Documentation of your backup and recovery procedures
  • Specific retention periods, often 30-90 days minimum

The key word here is “tested” — insurers want proof that your backups actually work when you need them most.

Endpoint Detection and Response

Traditional antivirus software no longer cuts it. Most insurers now require endpoint detection and response (EDR) solutions that can monitor, detect, and respond to threats in real time. This includes ensuring all devices — including remote workers’ equipment — are properly protected and monitored.

Vulnerability Management

Insurers expect organisations to maintain current security patches and have documented procedures for managing vulnerabilities. This typically means:

  • Regular vulnerability scanning
  • Documented patch management processes
  • Evidence of timely updates to critical systems
  • Risk assessments for any delayed patches

Security Awareness Training

Human error remains the weakest link in cybersecurity, so insurers increasingly require regular, documented security awareness training for all staff. This isn’t a one-off induction session — it needs to be ongoing and measurable, and to include phishing simulation exercises.

Incident Response Planning

Having a documented, tested incident response plan is becoming standard. Insurers want to see that you’ve thought through how you’ll respond to a breach, including communication procedures, legal requirements, and technical containment measures. Some policies even require annual tabletop exercises.

The Fine Print Matters

What’s particularly important is understanding that these aren’t just requirements for getting coverage — they’re conditions for maintaining it. Insurers can audit your compliance at any time, and failure to meet requirements could void your policy when you need it most.

Recent incidents across Australia and New Zealand have shown insurers taking a much harder line on policy compliance. Claims are being scrutinised more carefully, with technical requirements forming a key part of the assessment process.

The good news is that these requirements aren’t arbitrary — they represent genuine best practices that will significantly improve your security posture. Meeting them doesn’t just satisfy your insurer; it makes your organisation genuinely more secure.

If you’re reviewing your cyber insurance policy or wondering how your current security measures stack up against these requirements, our team is always happy to help you navigate the technical landscape.

Simon Falconer
Director, Resolve Technology

When he’s not finding a reason to buy the latest gadget, Simon is probably setting it up, breaking it, and fixing it again — all before breakfast.
