Why Your Cyber Insurance Premiums Keep Rising
Got your cyber insurance renewal notice recently? Yeah, I’ve heard the stories. Premium increases of 50%, 100%, even 200%. Some businesses are being told they’re uninsurable altogether.
It’s brutal. And it’s not going to get better unless you understand what’s actually happening.
What’s Driving These Increases?
The simple answer: insurers are losing money on cyber policies, and they’ve been losing money for years.
Here’s the maths. In 2023, the average ransomware payout globally was over $1.5 million USD. In Australia, we’ve seen attacks on major businesses and critical infrastructure making headlines monthly. Medibank. Optus. Latitude Financial. These aren’t one-off events anymore - they’re the new normal.
But here’s the kicker for small businesses: attackers have figured out that hitting ten companies for $100,000 each is easier than hitting one company for $1 million. Less security to bypass, less attention from law enforcement, and victims are more likely to pay quickly just to get back to business.
Insurers aren’t stupid. They’ve adjusted their models, and the result is what you’re seeing in your inbox.
The Questions Your Insurer Is Asking Now
If you’ve applied for cyber insurance recently, you’ve probably noticed the questionnaires have gotten longer. Much longer.
Here are some of the questions that can make or break your premium:
Multi-factor authentication: Do you use MFA for email access? Remote access? Admin accounts? If you answer “no” to any of these, expect your premium to jump - or expect to be declined outright.
Backup practices: Are backups stored offline or in a separate network? How often do you test restores? Insurers have learned that companies with poor backup practices are much more likely to pay ransoms.
Endpoint detection and response (EDR): Do you have proper endpoint protection, or just basic antivirus? Basic antivirus doesn’t cut it anymore.
Patch management: How quickly do you apply security patches? Monthly? Weekly? “When we get around to it”? That last answer will cost you.
Employee training: Do you run phishing simulations? Security awareness training? People are still the weakest link, and insurers know it.
Essential Eight compliance: Some Australian insurers are now specifically asking about your Essential Eight maturity level. This isn’t a coincidence.
What You Can Actually Do
Right, so premiums are up and requirements are tighter. What now?
1. Get your MFA sorted before renewal. Seriously. This is the single biggest factor I see affecting premiums. If you’ve got Microsoft 365, you can enable MFA for free through the admin portal. Do it this week.
2. Document everything. Insurers don’t just want you to have security controls - they want evidence. Keep records of your backup tests, training sessions, and patch schedules. A folder of screenshots and logs can save you thousands.
3. Consider a security assessment. A formal assessment from a qualified firm gives you a report you can show insurers. It demonstrates you’re taking this seriously, which can help negotiate better terms.
4. Shop around (with the same answers). Different insurers have different appetites for risk. What gets you declined at one company might get you covered at another. Use a broker who specialises in cyber insurance - they’ll know which markets to approach.
5. Increase your excess. If you’re willing to accept a higher deductible, you can often reduce your premium significantly. Just make sure you can actually afford that excess if something happens.
The Uncomfortable Truth
Here’s something most articles won’t tell you: for some small businesses, cyber insurance might not be worth it anymore.
I’m not saying that lightly. But if your premium is $20,000 and your coverage is $100,000 with a $25,000 excess, you need to do some honest maths about whether that makes sense for your business.
Some alternatives to consider:
- Self-insurance: Put the premium money into a dedicated incident response fund. You won’t have coverage, but you’ll have cash when you need it.
- Focus on prevention: The money you’d spend on premiums might be better spent on actual security improvements that reduce your risk.
- Partial coverage: Maybe you don’t need $1 million in coverage. A smaller policy for breach notification costs and basic incident response might be more affordable.
I’m not recommending you go uninsured - the risks are real. But I am saying you should think critically about what you’re actually getting for your money.
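The “honest maths” above, worked through as an added example (not part of the original post): it models what a policy with a premium, an excess and a coverage limit actually leaves you paying for a given loss, and compares that with keeping the premium as a self-insurance fund. The policy figures are the article’s own ($20,000 premium, $100,000 cover, $25,000 excess); the incident sizes and their probabilities are constructed for illustration, not industry statistics.

```python
# Added example: out-of-pocket cost under a cyber policy vs. self-insurance.
# Policy numbers come from the article; the loss scenarios are constructed.

def insured_out_of_pocket(loss, premium, excess, limit):
    """Cash the business pays in a year with one incident of size `loss`.

    The insurer covers only the slice of the loss above the excess, up to
    the policy limit. The business always pays the premium, the excess
    (capped at the loss itself) and anything beyond excess + limit.
    """
    insurer_pays = min(max(loss - excess, 0), limit)
    return premium + (loss - insurer_pays)


def self_insured_out_of_pocket(loss, premium):
    """Same year with no policy: the premium is kept as a response fund,
    so the only cash leaving the business is the loss itself."""
    return loss


def expected_cost(scenarios, cost_fn):
    """scenarios: list of (probability, loss). Probability-weighted cost."""
    total_p = sum(p for p, _ in scenarios)
    return sum(p * cost_fn(loss) for p, loss in scenarios) / total_p


POLICY = dict(premium=20_000, excess=25_000, limit=100_000)

# Constructed scenarios: most years nothing happens, some see a mid-size
# incident, and a small tail sits well above the policy limit.
SCENARIOS = [
    (0.80, 0),
    (0.12, 30_000),
    (0.06, 90_000),
    (0.02, 400_000),
]


def compare(scenarios=SCENARIOS, policy=POLICY):
    """Return (expected insured cost, expected self-insured cost,
    worst-case insured cost, worst-case self-insured cost)."""
    ins = lambda L: insured_out_of_pocket(L, **policy)
    self_ins = lambda L: self_insured_out_of_pocket(L, policy["premium"])
    return (
        expected_cost(scenarios, ins),
        expected_cost(scenarios, self_ins),
        max(ins(L) for _, L in scenarios),
        max(self_ins(L) for _, L in scenarios),
    )
```

Note that with these figures a $30,000 and a $90,000 incident cost the insured business exactly the same ($45,000, i.e. premium plus excess), and anything above $125,000 falls back on the business again; the expected-value gap and the worst-case gap are the two numbers to put side by side before deciding.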
Looking Ahead
The cyber insurance market is still figuring itself out. Actuaries are building better models, and some insurers are getting more sophisticated about distinguishing between well-protected businesses and easy targets.
This creates an opportunity: if you can demonstrate that you’re genuinely better protected than the average business in your industry, you might be able to negotiate better terms than your competitors.
The ACSC’s Essential Eight framework is becoming the de facto standard that Australian insurers use to assess risk. Getting to Maturity Level One won’t just improve your security - it’ll give you something concrete to show insurers at renewal time.
Is it fair that small businesses have to jump through all these hoops? Probably not. But it’s the reality we’re dealing with. The businesses that adapt will survive and thrive. The ones that complain without acting will keep paying through the nose - or find themselves uninsured when they need coverage most.
Your call.