Does your organisation actually meet the conditions of your cyber insurance policy? Most cannot demonstrate it. BlackFlag Advisory identifies the gaps before a claim is denied.


Ransomware & Cyber Insurance: Why Your Policy Probably Won’t Pay Out

There is a conversation happening in Australian boardrooms that has become almost ritual. The CFO confirms that cyber insurance has been renewed. The premium has increased — again — but the coverage is in place. The Board notes it. The risk register is updated. Everyone breathes a little easier.

What is not discussed, because most organisations have never looked closely enough to know it, is that the policy they are paying for is conditional on a standard of security practice that most Australian SMEs do not meet. The conditions are buried in the fine print. They are specific, measurable, and ruthlessly enforced when a claim is lodged. And when ransomware hits — which is when the policy is supposed to matter most — the insurer’s first action is not to process the claim. It is to audit the organisation’s security posture at the time of the incident and determine whether the conditions precedent were satisfied.

For a significant proportion of Australian organisations that have experienced ransomware, the answer has been no. The claim has been denied or dramatically reduced. The premium that was supposed to transfer the risk has instead transferred the organisation’s money to an insurer that will not be paying it back.

What You Need to Understand Before Your Next Renewal

  • Cyber insurance policies contain conditions precedent — security controls that must be in place at the time of a claim. If they are not, the claim can be voided entirely
  • Insurers have significantly hardened their underwriting standards since 2020 — policies written two or three years ago may have conditions that were not in earlier versions
  • The most common grounds for claim denial include absence of multi-factor authentication, inadequate backup practices, and failure to disclose known vulnerabilities at policy inception
  • Ransomware payments themselves are increasingly excluded or sublimited in Australian cyber policies, separate from the question of whether the broader claim is valid
  • The average ransomware incident in Australia costs between $1.1 million and $2.8 million when all costs are included — a denied claim at that scale is an existential event for most SMEs

How Ransomware Actually Works

Ransomware is not a single event. It is the final, visible stage of an attack that typically began weeks or months earlier. By the time files are encrypted and a ransom note appears on screens across your organisation, an attacker has already mapped your network, identified your most critical systems, located and accessed your backup infrastructure, and exfiltrated the data they intend to use as additional leverage.

The encryption event — the moment the attack becomes visible — is deliberately timed for maximum impact. Attacks are frequently triggered late on a Friday afternoon or the night before a public holiday, when IT resources are minimal, management is unavailable, and the organisation has the least capacity to respond. By Monday morning, when the full scale of the damage is understood, critical decisions about ransom payment, regulatory notification, and business continuity have already been delayed by the timing of the trigger.

Modern ransomware operators run what are effectively criminal enterprises with service desks, negotiation specialists, and sophisticated technical infrastructure. They conduct industry research on their targets before making contact. They know your revenue. They know what your industry typically pays. They have reviewed your insurance filings where accessible. The ransom demand is not arbitrary — it is calibrated.

The Double Extortion Standard

The ransomware landscape shifted definitively around 2020. Prior to that shift, ransomware operators encrypted your data and demanded payment for the decryption key. The implicit assumption was that if you had good backups, you could restore and ignore the demand. Modern ransomware groups have eliminated that option. Before triggering the encryption event, they exfiltrate significant volumes of your data — client records, financial information, confidential communications, commercially sensitive documents. The ransom demand is then dual: pay for the decryption key, and pay to prevent the publication of the exfiltrated data. Backups solve the encryption problem. They do not solve the data publication problem. An organisation that believes its backup posture insulates it from ransomware risk is operating on a model that no longer reflects the threat.

The Conditions Your Policy Requires — And Most Organisations Cannot Satisfy

Cyber insurance policies have evolved rapidly in response to the claims experience of the past five years. What was a relatively broad product in 2019 has become a tightly conditioned one in 2026. The shift has been driven by insurer losses — the cyber insurance market experienced several years of significant losses as ransomware attacks multiplied and claims volumes overwhelmed early pricing assumptions.

The response has been to shift more of the risk back to policyholders through specific security conditions that must be maintained throughout the policy period. These are not aspirational standards. They are conditions precedent — legal terms that, if not satisfied, give the insurer grounds to void the policy at the point of claim.

Condition Precedent 01
Multi-Factor Authentication

Most current cyber policies require MFA to be implemented for all remote access, all privileged accounts, and all cloud-based email platforms. The condition is not limited to some accounts or most accounts — it is all. A single privileged account without MFA, a single remote access path that bypasses it, is sufficient grounds for a claim denial. Many organisations have deployed MFA for standard user email and believe the condition is satisfied. It is not. The policy language specifies privileged accounts and remote access. IT administrators, financial system accounts, and VPN access are precisely the paths an attacker exploits — and precisely the paths most often missing MFA enforcement.

Condition Precedent 02
Backup Configuration and Testing

Policies routinely require that backups be maintained, stored offline or in a segregated environment inaccessible from the primary network, and tested for restorability within a specified timeframe — often quarterly or biannually. The testing requirement is where most organisations fail. Backups that exist but have never been tested, or that were tested years ago, do not satisfy the condition. When a ransomware incident prompts the insurer to audit backup practices, an organisation that cannot produce documented evidence of recent successful restoration testing will find the claim contested on this basis alone, separate from any other condition.

Condition Precedent 03
Known Vulnerability Disclosure

Policy applications require disclosure of known vulnerabilities and unpatched systems at the time of inception. Organisations that were aware of significant unpatched vulnerabilities, had been notified of security weaknesses, or had outstanding audit findings at the time they took out the policy — and did not disclose them — are exposed to claims of non-disclosure. Following an incident, insurers conduct detailed forensic analysis. If that analysis reveals that the attack exploited a vulnerability that was known, or ought to have been known, at inception, non-disclosure becomes grounds for voiding coverage.

Condition Precedent 04
Endpoint Detection and Response

An increasing number of policies now require active endpoint detection and response (EDR) tools deployed across all endpoints. This is not traditional antivirus. EDR is a specific category of security tooling that monitors endpoint behaviour in real time. Organisations running legacy antivirus software and not an active EDR solution may find that their policy, on careful reading, requires something they do not have. The distinction between the two is not always apparent to non-specialists, which is precisely why it appears as a policy condition — it is a differentiator between organisations that have meaningfully invested in detection capability and those that have not.
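As an added example that is not part of the article or of BlackFlag Advisory's assessment method, the following Python script applies the four conditions above to a constructed asset inventory, showing why a single in-scope account without MFA or one out-of-window restore test is enough to register a gap. The data structure, field names and 90-day testing window are assumptions; the sample inventory mirrors the weekend incident described later in the article.

```python
from dataclasses import dataclass
from datetime import date
# Field names and sample values are constructed for this example, not an insurer's schema.
@dataclass
class Account:
    name: str
    mfa: bool
    privileged: bool = False
    remote_access: bool = False
    cloud_email: bool = False

@dataclass
class Posture:
    accounts: list
    backups_segregated: bool    # offline or unreachable from the primary network
    last_restore_test: date     # last documented successful restore test, None if never
    endpoints_total: int
    endpoints_with_edr: int
    undisclosed_findings: list  # issues known and open at inception but not declared

def check_conditions(p, today, test_window_days=90):
    """Return a list of (condition, finding) gaps; empty means every condition is evidenced."""
    gaps = []
    # 01: MFA on ALL privileged, remote-access and cloud-email accounts; a single miss is a gap.
    for a in p.accounts:
        if (a.privileged or a.remote_access or a.cloud_email) and not a.mfa:
            gaps.append(("01 MFA", f"in-scope account '{a.name}' has no MFA"))
    # 02: segregated backups plus a documented restore test inside the policy's window.
    if not p.backups_segregated:
        gaps.append(("02 Backups", "backups reachable from the primary network"))
    if p.last_restore_test is None:
        gaps.append(("02 Backups", "no documented restore test"))
    elif (age := (today - p.last_restore_test).days) > test_window_days:
        gaps.append(("02 Backups", f"last restore test {age} days ago, window is {test_window_days}"))
    # 03: anything known and open at inception that was not declared on the application.
    gaps += [("03 Disclosure", f"undisclosed at inception: {f}") for f in p.undisclosed_findings]
    # 04: EDR, not legacy antivirus, on every endpoint.
    if p.endpoints_with_edr < p.endpoints_total:
        gaps.append(("04 EDR", f"{p.endpoints_total - p.endpoints_with_edr} endpoints without EDR"))
    return gaps

def scenario_posture():
    """Constructed: MFA on email only, two admin VPN accounts without it, backups reachable, restore test 14 months old."""
    return Posture(
        accounts=[Account("finance.user", mfa=True, cloud_email=True),
                  Account("it.admin1", mfa=False, privileged=True, remote_access=True),
                  Account("it.admin2", mfa=False, privileged=True, remote_access=True)],
        backups_segregated=False, last_restore_test=date(2025, 1, 10),
        endpoints_total=120, endpoints_with_edr=120, undisclosed_findings=[])
```

Running `check_conditions(scenario_posture(), today)` lists the two admin accounts and both backup findings; an insurer's claims team only needs one of them.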

The Ransomware Payment Problem

Even where a cyber insurance claim is valid and proceeds normally, the coverage for ransomware payments themselves has changed significantly. Many Australian cyber policies now either exclude ransomware payments entirely, sublimit them to a fraction of the overall policy value, or impose specific conditions on whether payment can be authorised at all.

The sublimit issue is the most common source of shock. An organisation with a $5 million cyber policy may find that ransomware payments are sublimited to $500,000 — while the demand from the attacker is $2.3 million. The policy covers a portion of the loss. The balance falls to the organisation. This is not a hypothetical scenario. It is a pattern documented repeatedly in the Australian claims experience of the past three years.

There is also the question of sanctions exposure. Australian law imposes restrictions on making payments to certain sanctioned entities. Some ransomware groups operate from jurisdictions or under designations that make payment legally problematic. An insurer that suspects a payment may breach sanctions obligations will pause the claim while legal advice is sought. The operational clock continues to run. The business continues to lose revenue. The payment authorisation that was supposed to resolve the crisis becomes a weeks-long legal process.

What a Ransomware Incident Actually Looks Like — Hour by Hour
The Weekend That Changes Everything

It is 11:47pm on a Friday. A staff member working late notices that files on the shared drive are returning errors. Within minutes, screens across the organisation begin displaying a ransom note. The encryption event has triggered.

By midnight, the IT manager has been called. By 1am, the decision has been made to shut down all systems to contain the spread. The business is now completely offline. Customer-facing systems, internal communications, financial platforms, CRM — all dark.

Saturday morning, the broker is called to notify the insurer. A forensic investigation firm is engaged — at the insurer’s direction, using one of their approved panels. The forensic team’s first question is about MFA coverage on privileged accounts. The answer is that it was implemented for standard users but not for the two IT administrator accounts used for remote access. The insurer notes this.

By Monday, the forensic investigation has identified the initial access vector — an IT administrator account accessed via VPN without MFA three weeks prior. The attacker had been inside for 22 days. They had accessed the backup server. The backups are encrypted. The last successful restoration test was 14 months ago. The insurer notes this too.

The ransom demand is $1.8 million. The policy sublimit for ransomware is $400,000. The insurer’s claims team has flagged two potential grounds for challenging coverage: the MFA condition and the backup testing requirement. The claims process is expected to take six to eight weeks. The business has been offline for four days and has no clear restoration timeline.

Total incident cost including ransom, forensics, legal, business interruption and remediation: estimated $3.1 million. Insurance recovery: uncertain and contested. Business continuity: critical.

What the Numbers Say

  • 76% of Australian organisations hit by ransomware paid the ransom — the highest rate in the Asia-Pacific region
  • $1.8M is the average total cost of a ransomware incident in Australia including recovery, not just the ransom demand
  • 22% of organisations that paid the ransom reported that encrypted data was not fully restored — they paid and still lost the data

Australia has one of the highest ransomware payment rates in the world. The combination of high average business revenue, strong insurance penetration, and relatively low public tolerance for data exposure creates conditions that ransomware operators have identified and are actively targeting. The volume of attacks against Australian organisations has increased materially year on year, and the sophistication of those attacks — the targeting, the timing, the dual extortion model — has kept pace with the growth in volume.

What Your Board Should Be Asking Right Now

The cyber insurance renewal conversation should not end with confirmation that the policy has been placed. It should begin a series of questions that most Boards have never asked and most management teams are not prepared to answer.

Does our current security posture actually satisfy the conditions precedent in our policy? Not approximately. Not in the view of the IT team. In the specific, documented terms that an insurer’s claims team will apply when reviewing a claim following an incident.

What is the ransomware sublimit in our policy, and how does it compare to the ransom demands currently being made in our industry and revenue bracket? If the sublimit is materially lower than the likely demand, the organisation is self-insuring the gap and may not know it.

When were our backups last tested for successful restoration, and is that evidence documented? A backup that has not been tested is not a backup. It is an assumption. The insurer will not treat it as coverage.

Do we have an incident response plan that specifies who is called, in what order, and what decisions are pre-authorised? The decisions made in the first 12 hours of a ransomware incident have a disproportionate impact on the total cost. An organisation that is making those decisions for the first time under pressure, with no pre-established authority or process, will make expensive mistakes.

The organisations that can answer these questions with documented evidence are genuinely insured. The organisations that cannot are paying premiums for protection that may not materialise when they need it most. A BlackFlag Advisory assessment identifies the specific gaps between your current security posture and the conditions your policy requires — giving you the opportunity to address them before an incident tests the policy rather than after.

Is Your Organisation Actually Insured — Or Just Paying Premiums?

A BlackFlag Advisory assessment identifies the specific gaps between your current security posture and the conditions your cyber insurance policy requires. Presented at Board level, with a prioritised remediation roadmap. No systems accessed. Delivered within 5 business days.

What the Assessment Covers

External security posture mapped against common cyber insurance conditions precedent. MFA enforcement gaps visible from passive assessment. Backup posture indicators. Email authentication and domain protection status. Known vulnerability exposure. Findings presented in Board-ready format mapped to ASD Essential Eight and standard insurance underwriting criteria.