Two years ago, cyber insurance was still something most Adelaide SMEs viewed as a nice-to-have for larger organisations. That's changed. A combination of rising claim frequency, high-profile Australian breaches, and updated Privacy Act obligations has pushed cyber insurance from optional to expected in most commercial relationships. If you're approaching a contract renewal, tendering for government work, or just doing a proper risk review, you're going to need to have an answer ready.
This isn't a guide to picking a policy. I'm not a broker. What I can tell you is what we see when clients go through the underwriting process, what tends to cause problems, and what you can do before you apply to put yourself in a stronger position.
What a standard policy covers
Cyber insurance policies vary between insurers, but a well-structured policy for an SA business should cover:
- Incident response costs — forensic investigation, containment, and recovery. This is often the largest cost in a breach and includes the specialist firms you'd need to bring in.
- Legal and regulatory costs — advice following a notifiable data breach, defence costs if you face regulatory action from the OAIC or ASIC, and fines where they are insurable under Australian law.
- Business interruption — lost revenue and extra costs incurred while your systems are unavailable. Sub-limits and waiting periods apply here, so read the detail carefully.
- Ransomware payments and negotiation — most policies now include this, but ransomware coverage is increasingly subject to sub-limits and conditions around what controls you had in place.
- Notification costs — the cost of notifying affected individuals under the Notifiable Data Breaches scheme, including postage, credit monitoring services, and call centre setup.
- PR and crisis communications — some policies include media management costs to protect your reputation after a public incident.
What it typically won't cover
The exclusions are where most businesses get a surprise. Underwriters have tightened considerably after a bad run of claims globally, and there are several areas where you should not assume you're covered without checking.
- Pre-existing vulnerabilities. If you were already compromised at policy inception, or if an attacker exploited a vulnerability that had been publicly known for months and you hadn't patched it, expect a coverage dispute.
- Acts of war and nation-state attacks. This exclusion is increasingly contentious. The NotPetya litigation demonstrated that insurers will attempt to invoke it. Some policies now offer explicit coverage for state-attributed attacks; most don't.
- Insider threats. Deliberate acts by employees are typically excluded unless you have the right endorsement.
- Poor patching practices. If the underwriting questionnaire asked whether you patch critical vulnerabilities within a specific timeframe and you said yes, but your actual practice didn't match that, the claim may be denied. This is a fraud issue, not just a coverage issue.
- Social engineering without specific cover. Funds transfer fraud — where an employee is tricked into paying a fraudulent invoice — is often excluded from a base policy and requires a separate crime or social engineering endorsement.
The underwriting questionnaire is now a security assessment
This is the part most businesses underestimate. When you apply for cyber insurance, you'll fill out a questionnaire asking about your security controls — multi-factor authentication, patching cadence, backup procedures, endpoint protection, privileged access management, and more. The answers you give directly determine your premium and whether you're offered cover at all.
What's changed in the last few years is that insurers are increasingly using external scanning and validation to verify what you've told them. Some will check whether MFA is enforced on your email environment before binding cover. Others check your patch posture against public vulnerability databases.
The practical implication: if you don't actually have the controls you're about to claim you have, fix that before you apply. Not because of the ethics of it (though that too), but because misrepresentation voids the policy at exactly the moment you need it.
How your security posture affects your premium
Insurers use actuarial data, and the data is consistent: organisations with documented, audited security programs have lower claim frequency and lower claim severity. That translates directly to pricing.
The two frameworks that carry the most weight with Australian insurers right now are the ACSC Essential Eight and ISO 27001.
Essential Eight at Maturity Level 1 covers the baseline controls whose absence most commonly lies behind insurance claims: application control, patching of applications and operating systems, disabling macros, restricting admin privileges, and regular backups. Getting to Level 1 before your renewal is achievable for most SA businesses within a few months and will produce a measurable difference in how underwriters assess your application. Level 2 gives you more, and some insurers are starting to price Level 2 explicitly.
ISO 27001 certification carries more weight still, because it involves a third-party audit. A certified organisation has demonstrated to an accredited certification body that its information security management system meets the standard — and insurers treat that differently to self-reported controls. We've seen clients with ISO 27001 achieve premium reductions of 15–30% compared to equivalent organisations without the certification. It's not the only factor, but it's a significant one. If your business handles sensitive data at scale or operates in a regulated sector, the business case for ISO 27001 increasingly includes insurance cost reduction as a concrete line item.
Questions worth asking your insurer or broker
Before you sign anything, get specific answers to these:
- Does the policy explicitly cover ransomware payments, and what is the sub-limit?
- What is the definition of "act of war" in this policy, and have you had claims declined on that basis?
- Is social engineering / funds transfer fraud covered under this policy or excluded?
- What controls are you assuming I have in place, and where is that documented?
- What is the waiting period on the business interruption coverage?
- Do you validate the security questionnaire responses independently before or after a claim?
A broker who specialises in cyber risk is worth the cost here. General insurance brokers often don't have the depth in this product category to catch the coverage gaps that matter most.
Practical steps before you apply
If your renewal is coming up or you're taking out cyber insurance for the first time, here's where to start.
Get an Essential Eight maturity assessment done before you fill out the underwriting questionnaire. It gives you an honest baseline, surfaces the gaps that underwriters will ask about, and gives you a documented remediation plan if you're not yet where you need to be. Most assessments take a few days for an SME and cost a fraction of what a single year's premium will run.
Make sure your backups are tested and offline. Insurers specifically ask about this because ransomware actors target backup systems first. Having backups that haven't been tested in 12 months is both a security problem and an insurance problem.
Enforce MFA on email and remote access. This is the single most commonly asked-about control in cyber insurance questionnaires. If it's not in place, you will either be declined, rated up significantly, or told to implement it before cover is bound.
Document what you have. Insurers are more comfortable with businesses that can show written policies and procedures, even basic ones. It's evidence that security isn't just ad hoc.
Our cyber security team works with SA businesses at all stages of this process — from initial maturity assessments through to preparing the documentation that makes the underwriting process straightforward. If you're heading into a renewal and want to understand where you actually stand, that's a sensible place to start.
Frequently asked questions
Cyber insurance is not legally mandatory in Australia for most industries, though some regulated sectors and government contract requirements are starting to specify it. Despite not being mandated, many businesses are finding that clients, lenders, and tender processes now expect it. The practical reality is that the cost of a breach without insurance — incident response, legal fees, notification obligations, regulatory fines — makes it a commercial necessity for most businesses holding personal or sensitive data.
A standard cyber insurance policy typically covers incident response costs (including forensic investigation), legal and regulatory costs, business interruption losses, ransomware payments and negotiation, customer notification and credit monitoring, and PR costs. What it generally does not cover includes pre-existing vulnerabilities that the insurer wasn't told about, losses attributed to insider threats, events classified as acts of war or nation-state attacks, and situations where basic security controls weren't in place at the time of the incident.
Both ISO 27001 and the Essential Eight directly influence your premiums and whether underwriters will offer you cover at all. Insurers have access to actuarial data showing that organisations with documented security programs have lower claim frequency and severity. ISO 27001 certification, which requires a third-party audit, gives underwriters strong confidence in your controls and typically produces measurable premium reductions. Essential Eight at Maturity Level 1 or above demonstrates baseline controls around patching, application control, and access management — the gaps most frequently exploited in the incidents that lead to claims. If you're heading into an insurance renewal, getting your Essential Eight maturity assessed first gives you concrete evidence to present.
Premiums vary considerably based on revenue, industry, data types held, and security posture. A small SA business turning over $2–5M might expect to pay $2,000–$6,000 annually for a $1M limit policy, while mid-market businesses in regulated sectors (healthcare, finance, legal) will pay significantly more. The underwriting questionnaire you fill out is the single biggest driver of your quoted premium — honest, complete answers backed by demonstrable controls will produce better outcomes than vague or optimistic responses.
