TL;DR

  • Cyber insurance premiums have increased 50-100% since 2022 according to Marsh McLennan's Global Insurance Market Index, and application requirements have tightened significantly. Controls that were "nice to have" in 2022 are now mandatory in 2026.
  • 73% of cyber insurance applications now require a documented incident response plan and most require evidence of MFA deployment, endpoint protection, backup testing, and employee training (Marsh McLennan, 2024).
  • Businesses with mature security controls receive 15-30% premium discounts from leading cyber insurers. Your security investment directly translates to lower insurance costs.
  • A structured security program pays for itself through premium reductions, reduced claim likelihood, and faster recovery when incidents occur.

The Cyber Insurance Landscape Has Changed

If you applied for cyber insurance before 2022, the process was relatively simple. Fill out a questionnaire, pay a premium, get coverage. Today, the process resembles a security audit.

The transformation is driven by economics: cyber insurance claims have skyrocketed. According to Marsh McLennan's Global Insurance Market Index, the average cyber insurance claim exceeded $100,000 in 2024, with ransomware-related claims averaging significantly higher. Insurers responded by tightening underwriting criteria, increasing premiums, and in some cases refusing to cover businesses that don't meet minimum security standards.

For SMBs, this creates a catch-22: you need insurance because you're vulnerable, but insurers increasingly require the same controls that would make you less vulnerable in the first place. The good news is that building these controls isn't as expensive or complex as you might think — and the investment pays for itself through reduced premiums.


The Controls Insurers Now Require

Based on analysis of application forms from major cyber insurance providers in Australia, the US, and the UK, here are the controls that most insurers now evaluate:

Tier 1: Mandatory (Will Be Declined Without These)

Multi-Factor Authentication (MFA): Every major cyber insurer now requires MFA on email accounts, remote access (VPN, RDP), privileged/admin accounts, and cloud services (Microsoft 365, Google Workspace). Microsoft reports that MFA blocks 99.9% of account compromise attacks. If you're not using MFA, you will either be declined coverage or face significantly higher premiums.

Endpoint Detection and Response (EDR): Traditional antivirus is no longer sufficient. Insurers want EDR solutions (CrowdStrike, SentinelOne, Microsoft Defender for Business) that provide real-time threat detection, behavioural analysis, and incident response capabilities. Basic antivirus will result in coverage exclusions.

Regular Backups with Offline/Air-Gapped Copies: Insurers specifically ask whether backups are stored offline or air-gapped (disconnected from the network), because modern ransomware actively targets connected backup systems. You need to demonstrate that your backups are performed regularly (at least daily), stored in a location inaccessible to ransomware, and tested periodically to verify recoverability.
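
The "tested periodically to verify recoverability" part is the one most SMBs cannot evidence. The script below is an added example (not code from the original article) of what that evidence can look like: it archives a constructed sample directory, stores a manifest of SHA-256 digests beside the archive, then restores the archive into a scratch directory and compares every restored file against the manifest. The directory names, the `demo()` helper and the sample files are assumptions made for the example.

```python
"""Restore-test a backup archive and produce evidence of recoverability.

Added example, not code from the original article. It builds a small
constructed dataset, archives it, records a manifest of SHA-256 digests,
then restores the archive into a scratch directory and compares every
restored file against that manifest.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's POSIX-style path relative to `root` to its digest."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive `source` and write the manifest next to the archive.

    The manifest is what a later restore test is checked against, so keep a
    copy with the offline backup rather than only on the live system.
    """
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def restore_test(archive: Path, manifest: Dict[str, str]) -> dict:
    """Restore into a fresh scratch directory and diff against the manifest.

    The returned report (counts plus the names of corrupted, missing or
    unexpected files) is the artefact to file as evidence of a tested restore.
    """
    report = {"verified": 0, "corrupted": [], "missing": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter (Python 3.12+, backported to recent 3.8-3.11)
                # rejects absolute paths and '..' components inside the archive.
                tar.extractall(root, filter="data")
            except TypeError:
                tar.extractall(root)
        restored = build_manifest(root / "data")
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["corrupted"].append(rel)
        else:
            report["verified"] += 1
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not (report["corrupted"] or report["missing"])
    return report


def demo(tamper: bool = False) -> dict:
    """End-to-end run on constructed data (hypothetical 'finance' share).

    With tamper=True the archive is rewritten after the manifest was recorded,
    standing in for a backup that was modified or encrypted after the fact,
    which the restore test must catch.
    """
    with tempfile.TemporaryDirectory() as work:
        workdir = Path(work)
        source = workdir / "finance"
        (source / "2024").mkdir(parents=True)
        ledger = source / "2024" / "ledger.csv"
        ledger.write_text("date,amount\n2024-01-01,100\n")
        (source / "notes.txt").write_text("constructed sample file\n")
        archive = workdir / "finance-backup.tar.gz"
        manifest = create_backup(source, archive)
        if tamper:
            ledger.write_text("ENCRYPTED\n")
            with tarfile.open(archive, "w:gz") as tar:
                tar.add(source, arcname="data")
        return restore_test(archive, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
    print(json.dumps(demo(tamper=True), indent=1))
```

The report from `restore_test` is what you attach to the application alongside the backup schedule: a dated record that the archive restored and every file matched. Note that the check proves integrity and recoverability, not the offline property; where the archive and its manifest physically live is still a separate question the insurer will ask.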

Tier 2: Expected (Premium Impact)

Documented Incident Response Plan: According to Marsh McLennan, 73% of cyber insurance applications now ask about incident response plans. Having a documented, tested IRP demonstrates preparedness and directly reduces your premium. Insurers want to see defined roles and responsibilities, incident classification criteria, communication templates, evidence preservation procedures, and regulatory notification workflows.

Employee Security Awareness Training: Insurers recognise that human error drives most breaches. Regular security awareness training (not just annual compliance) demonstrates that you're addressing the most common attack vector. Documentation of training sessions, attendance, and phishing simulation results strengthens your application.

Patch Management: Documented processes for applying security patches to operating systems, applications, and firmware. Insurers want evidence of timely patching — not just a policy that says "we patch regularly" but records showing patch compliance rates.

Email Security (DMARC/SPF/DKIM): Email-based attacks remain the primary initial access vector. Insurers increasingly ask about email authentication and filtering controls. Having DMARC configured with an enforcing policy (p=quarantine or p=reject, rather than the monitor-only p=none) shows sophisticated email security.
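
A quick way to check what an underwriter will see in your DNS is to parse the published records and grade them. The checker below is an added example (not code from the original article): it takes a DMARC TXT record and an SPF TXT record as strings, reports the effective policy, the percentage tag, subdomain coverage and reporting addresses for DMARC, and the `all` qualifier and DNS-lookup count for SPF. The record strings in the tests are constructed; in practice you would fetch the TXT record at `_dmarc.<domain>` and at `<domain>` with your resolver of choice. DKIM is not covered because its selector-based records cannot be enumerated without knowing the selector names.

```python
"""Grade DMARC and SPF TXT records for enforcement strength.

Added example, not code from the original article. Records are supplied as
strings; fetching them from DNS is left to the caller.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
DNS_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class DmarcResult:
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    rua: List[str]
    enforcing: bool
    findings: List[str] = field(default_factory=list)


@dataclass
class SpfResult:
    valid: bool
    all_qualifier: Optional[str]  # '+', '-', '~' or '?'; None if no 'all' term
    lookups: int
    strict: bool
    findings: List[str] = field(default_factory=list)


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> DmarcResult:
    """Return the effective policy and whether it actually enforces."""
    tags = parse_tags(record)
    findings: List[str] = []
    version_ok = tags.get("v", "").upper() == "DMARC1"
    if not version_ok:
        findings.append("missing or wrong version tag; receivers ignore the record")
    policy = tags.get("p", "").lower() or None
    if policy is None:
        findings.append("no p= tag; record is invalid")
    elif policy not in ("none", "quarantine", "reject"):
        findings.append(f"unknown policy p={policy}")
    # Subdomain policy defaults to the organisational policy when sp= is absent.
    sp = tags.get("sp", "").lower() or policy
    try:
        pct = int(tags.get("pct", "100"))
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer between 0 and 100")
    rua = [a.strip() for a in tags.get("rua", "").split(",") if a.strip()]
    if not rua:
        findings.append("no rua= address: no aggregate reports, so no visibility")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if policy in ("quarantine", "reject") and sp == "none":
        findings.append("sp=none leaves subdomains unprotected")
    enforcing = (version_ok and policy in ("quarantine", "reject")
                 and pct == 100 and sp in ("quarantine", "reject"))
    return DmarcResult(policy, sp, pct, rua, enforcing, findings)


def evaluate_spf(record: str) -> SpfResult:
    """Check the 'all' qualifier and count the DNS-lookup terms."""
    terms = record.split()
    findings: List[str] = []
    if not terms or terms[0].lower() != "v=spf1":
        return SpfResult(False, None, 0, False, ["not an SPF record (missing v=spf1)"])
    all_qualifier: Optional[str] = None
    lookups = 0
    for term in terms[1:]:
        t = term.lower()
        qualifier = t[0] if t[0] in "+-~?" else "+"
        mech = t.lstrip("+-~?")
        # Strip ':domain', '=value' and '/cidr' to get the bare mechanism name.
        name = mech.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in DNS_LOOKUP_MECHANISMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders are neutral, SPF restricts nothing")
    elif all_qualifier == "+":
        findings.append("+all authorises every sender; the record is useless")
    elif all_qualifier == "?":
        findings.append("?all is neutral; unlisted senders neither pass nor fail")
    elif all_qualifier == "~":
        findings.append("~all softfails; move to -all once the sender list is complete")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    strict = all_qualifier == "-" and lookups <= 10
    return SpfResult(True, all_qualifier, lookups, strict, findings)


if __name__ == "__main__":
    # Constructed sample records for a hypothetical example.com domain.
    print(evaluate_dmarc("v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"))
    print(evaluate_spf("v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"))
```

Run it against your own records before the application goes in: a `p=none` record or a `pct=` below 100 is technically "DMARC configured" but is not what an underwriter means by enforcement, and the `findings` list tells you exactly which tag to change.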

Tier 3: Differentiators (Significant Premium Reduction)

Network Segmentation: Separating critical systems from general user networks limits lateral movement during an attack.

Privileged Access Management (PAM): Controls around admin accounts including just-in-time access, session recording, and credential vaulting.

Security Information and Event Management (SIEM): Centralised logging and alerting demonstrates proactive threat detection.

Regular Penetration Testing: Annual third-party security testing shows commitment to identifying and fixing vulnerabilities.


How to Lower Your Premium by 15-30%

Security investments have a direct and measurable impact on cyber insurance premiums. Here's how to maximise the return:

1. Demonstrate MFA Everywhere

If MFA is deployed on email but not remote access or admin accounts, you're not getting full credit. Deploy MFA across all critical systems and document the deployment for your insurer.

2. Submit Your Incident Response Plan

Don't just answer "yes" when asked if you have an IRP. Submit the actual plan as supporting documentation. A comprehensive, well-structured IRP demonstrates maturity and reduces perceived risk. Plans that include tested tabletop exercises are valued even higher.

3. Provide Training Evidence

Submit your security awareness training calendar, attendance records, phishing simulation results, and improvement trends. A declining phishing click rate is one of the strongest signals of a security-mature organisation.

4. Get a Risk Assessment Done

A formal risk assessment (even self-conducted) that identifies, evaluates, and documents mitigation strategies for your key risks shows underwriters that you understand and are actively managing your cyber risk.

5. Implement the Security Roadmap First, Then Apply

Many SMBs apply for cyber insurance before implementing controls, resulting in higher premiums or declined applications. Spend 90 days building your security foundation, then apply. The investment in security pays for itself through reduced premiums.

Build the security program that lowers your premium. CISO-in-a-Box: 90-Day Security Roadmap includes everything insurers want to see: risk assessment framework, 12 policy templates, incident response plan, employee training program, vendor assessment checklists, and a compliance mapping matrix. Complete the program, submit the documentation with your insurance application, and watch your premium drop. $197 AUD →


The Application Checklist

Use this checklist when preparing your cyber insurance application:

  • MFA enabled on all email accounts
  • MFA enabled on remote access (VPN/RDP)
  • MFA enabled on admin/privileged accounts
  • MFA enabled on cloud services
  • EDR deployed on all endpoints
  • Daily backups with offline/air-gapped copies
  • Backup restoration tested (documented)
  • Documented incident response plan
  • Employee security awareness training (monthly/quarterly)
  • Phishing simulation program (with documented results)
  • Patch management process documented
  • Email security (DMARC/SPF/DKIM configured)
  • Network segmentation implemented
  • Privileged access controls in place
  • Risk assessment completed (current year)
  • Vendor security assessment process
  • Data classification policy
  • Acceptable use policy
  • Business continuity / disaster recovery plan

The ROI of Security Investment

Consider this scenario for a 30-person SMB:

Without security controls: Cyber insurance premium of $8,000-12,000/year with significant coverage exclusions. Higher likelihood of breach with average cost of $1.82M (Sophos, 2024).

With 90-day security program implemented: Cyber insurance premium reduced to $5,500-8,000/year (15-30% reduction). Coverage exclusions eliminated. Breach likelihood reduced significantly. Faster recovery if breach occurs (IBM reports $2.66M savings with IRP).

The net result: a one-time investment of a few hundred dollars in templates and a few hundred hours of implementation time saves $2,000-4,000/year in premiums while dramatically reducing breach risk and cost.


Frequently Asked Questions

Yes. The average cost of a data breach for small businesses ranges from $120,000 to $1.2 million (Hiscox, 2024). Cyber insurance premiums for SMBs typically range from $1,500-$12,000/year depending on size, industry, and security posture. The insurance is worth it if you handle any customer data, use email for business, or would suffer financially from operational downtime.

Typical coverage includes: incident response costs (forensics, legal, PR), business interruption losses, ransom payments (policy-dependent), regulatory fines and penalties, customer notification costs, credit monitoring for affected individuals, legal defence costs, and third-party liability. Read your specific policy carefully — exclusions vary significantly.

Increasingly, no. Most insurers now consider MFA a minimum requirement. Some will issue policies without MFA but with significant exclusions or higher premiums. Enabling MFA is free with most cloud services — there's no reason not to have it.

Work with a broker who specialises in cyber insurance. Key factors to evaluate: coverage limits (should reflect your annual revenue), sub-limits on specific coverage areas, waiting periods for business interruption claims, exclusions (especially around unpatched systems or social engineering), and the insurer's panel of incident response providers. The cheapest policy is rarely the best value.

It depends on your policy. Many policies cover ransom payments, but may exclude payments to sanctioned entities (OFAC/DFAT sanctioned groups). Some policies require insurer approval before payment. Always check your specific policy terms and involve your insurer before making any payment decisions.


Monster helps SMBs build security programs that qualify for better cyber insurance terms. CISO-in-a-Box includes a Cyber Insurance Readiness Kit with pre-filled answers to the 40 most common application questions. $197 AUD →

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation