Pre-claim readiness

A cyber policy is not a security control. It is a payout contingent on you having done the controls.

Australian SMBs are buying cyber liability cover faster than they are buying technical security work. Brokers are selling the policies hard. The policies have prerequisites: MFA enforcement, patching cadence, isolated backups, privileged access controls, and often an independent security assessment within a defined window. When the incident hits and the claim adjuster reads the evidence, the claim gets denied because one or more prerequisites were not met. The policy you thought you had does not respond. This page describes what insurers actually require, and how Cyber Node validates whether your environment meets the bar before you find out the hard way.

The prerequisite gap

The reason most claims are denied

Cyber insurance underwriters do not write blank cheques. They underwrite on the basis of the controls a buyer attests to having in place. Those controls appear in the policy schedule as conditions, often phrased in language that looks reassuring (“industry-standard MFA”, “timely patching”, “regular backups”) but which a claim adjuster will interpret strictly after an incident.

The pattern Australian SMBs run into is consistent. The policy is purchased on the basis of an attestation form filled out at the broker’s prompting. The prerequisites are not technically validated at purchase. The first time anyone checks whether they actually held up is during a claim review, when the answer matters most.

This is fixable. The prerequisites map cleanly to the ASD Essential Eight, an Australian-specific maturity model that already defines what each control should look like. Cyber Node validates whether your environment meets the bar, produces the evidence pack the insurer expects, and gives you a remediation roadmap for the gaps.

What insurers actually require

Six prerequisite categories. Six places we check.

The exact wording varies by policy, but the underwriting logic across Australian cyber insurance products in 2026 converges on six technical control categories, plus an increasingly common requirement for an independent assessment. Here is how each maps to the Essential Eight, and what Cyber Node validates.

// MFA

Multi-factor authentication

Insurer requires: Enforced on all admin accounts and remote access. Many policies extend this to all email accounts.

Essential Eight: Mitigation 7. ML1 baseline; ML2 for phishing-resistant factors.

Cyber Node validates: Test MFA bypass paths, identify phishable factors (SMS, push fatigue), check coverage gaps in admin and SSO.

// Patching

Patching cadence

Insurer requires: Critical patches applied within 14 to 30 days. End-of-life software replaced or contained.

Essential Eight: Mitigations 2 (Patch applications) and 6 (Patch operating systems).

Cyber Node validates: Scan perimeter and internal services for known CVEs. Cross-reference against vendor patching SLAs. Flag the gap between claim and reality.

// Backups

Isolated, tested backups

Insurer requires: Backups isolated from production, tested for restore, and out of reach of a compromised admin account.

Essential Eight: Mitigation 8. ML2 requires that backups be isolated from production and that restore is tested.

Cyber Node validates: Test whether a compromised admin can reach, encrypt, or delete the backups. Verify restore tests are actually run.

// Privileged access

Privileged access controls

Insurer requires: Tiered admin model. No shared accounts. Privileged access workstations or equivalent separation.

Essential Eight: Mitigation 5. ML1 baseline; ML2 introduces the tiered model.

Cyber Node validates: Identify privileged accounts, check that they are separated from day-to-day accounts, and attempt privilege escalation from a standard user account where in scope.

// Application control

Application control / EDR

Insurer requires: Endpoint controls preventing unauthorised executables. EDR deployed and monitored.

Essential Eight: Mitigation 1. ML2 introduces application control on workstations; ML3 extends to servers.

Cyber Node validates: Test whether unauthorised executables actually fail to run. Verify the bypass techniques known to work in the wild do not succeed here.

// Macro hardening

Office macro hardening

Insurer requires: Office macros disabled by default or restricted to signed-only.

Essential Eight: Mitigation 3. ML1 baseline.

Cyber Node validates: Validate macro execution policy against ACSC guidance. Attempt delivery of test payloads via common phishing vectors. Measure actual outcome, not GPO setting.

Beyond the Essential Eight, modern cyber policies increasingly require email authentication (SPF, DKIM, DMARC), a tested incident response plan, and an independent technical security assessment within a defined window. All three sit inside the same readiness assessment.

Three claim-denial scenarios

What “the policy did not respond” actually looks like

Scenario one: MFA was attested but not enforced on every admin

The attestation form said MFA was enforced. In practice, the legacy admin account used by the IT vendor for after-hours support was exempted three years ago and never re-enrolled. That is the account the attacker used. The claim adjuster reads the evidence pack, finds the exempted account, and denies the claim on prerequisite breach.

Scenario two: the patching SLA was breached on the system that got compromised

The policy required critical patches within 30 days. The compromised server was running software affected by a CVE published 47 days before the incident. The claim adjuster cross-references the CVE date against the vendor patching log and finds the SLA breach. The position the insurer takes is that the underwriting decision was based on the SLA being met. Claim denied.

Scenario three: the backup was not actually isolated

The buyer believed backups were isolated because they were stored in a separate cloud account. In practice, the production admin role had write access to the backup bucket. The ransomware operator used that role to encrypt the backups before deploying the payload. Restore failed. The claim adjuster reads the evidence and notes that the prerequisite (backups beyond reach of a compromised admin) was not met. Claim reduced or denied.
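The three scenarios above reduce to checks you can run over your own evidence before an adjuster does. The following is an added example, not Cyber Node's tooling or any insurer's method; the inventory records, field names and principals are constructed for illustration.

```python
from datetime import date

# Constructed sample evidence; every field name and value here is hypothetical.
ACCOUNTS = [
    {"name": "alice-admin", "admin": True, "mfa_enforced": True},
    {"name": "vendor-afterhours", "admin": True, "mfa_enforced": False},
    {"name": "bob", "admin": False, "mfa_enforced": False},
]
HOSTS = [
    {"host": "app01", "cve": "CVE-PLACEHOLDER-1",
     "published": date(2026, 1, 5), "patched": date(2026, 1, 20)},
    {"host": "file01", "cve": "CVE-PLACEHOLDER-2",
     "published": date(2026, 1, 5), "patched": None},
]
BACKUP_GRANTS = [
    {"principal": "backup-service", "actions": {"read", "write"}},
    {"principal": "prod-admin", "actions": {"read", "write"}},
]
PROD_ADMIN_PRINCIPALS = {"prod-admin"}


def mfa_gaps(accounts):
    """Scenario one: admin accounts where MFA is not enforced."""
    return [a["name"] for a in accounts if a["admin"] and not a["mfa_enforced"]]


def patch_sla_breaches(hosts, as_of, sla_days=30):
    """Scenario two: CVEs still open, or closed late, beyond the SLA."""
    breaches = []
    for h in hosts:
        # An unpatched host keeps ageing until the review date.
        age = ((h["patched"] or as_of) - h["published"]).days
        if age > sla_days:
            breaches.append((h["host"], h["cve"], age))
    return breaches


def backup_reach(grants, prod_admins):
    """Scenario three: production admin principals able to alter backups."""
    risky = {"write", "delete"}
    return [g["principal"] for g in grants
            if g["principal"] in prod_admins and g["actions"] & risky]


def readiness_report(as_of):
    """Collect the gaps per prerequisite as of a given review date."""
    return {"mfa": mfa_gaps(ACCOUNTS),
            "patching": patch_sla_breaches(HOSTS, as_of),
            "backups": backup_reach(BACKUP_GRANTS, PROD_ADMIN_PRINCIPALS)}
```

An empty list under each key is the state the attestation form claims; anything else is a gap to close or disclose before renewal.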

The 2-day Essential Eight gap assessment

What you get, and what your insurer gets

A fixed-price 2-day technical engagement validating whether the eight ASD Essential Eight mitigations actually hold up in your environment, mapped explicitly to the prerequisites in your cyber insurance policy schedule.

  1. Day 1: technical validation

    On-site or remote, depending on scope. Cyber Node validates each of the eight mitigations against your claimed maturity level (ML1 or ML2). Application control tested with real bypass techniques. Patching cross-referenced against vendor SLAs. Backups tested for attacker reach. Privileged access tested for escalation. The full Essential Eight, technically.

  2. Day 2: report writing and insurance prerequisite mapping

    Findings written up in a format that maps each control directly to your insurer’s prerequisite language. Evidence per control: what we tested, what we found, where the gaps are, and what closing the gap requires. Output is a formal assessment report plus an evidence pack you can submit at renewal.

  3. What you receive

    An assessment report (typically 25 to 40 pages), an evidence pack formatted for the underwriter, a remediation roadmap with priority order and effort estimates, and a coordination call with your broker or underwriter if requested.

  4. What it costs

    Fixed-price. The price is set in the scoping call once we understand the size of the environment. There are no hourly meters, no out-of-scope upsells halfway through, and no padded executive summary that does not say anything specific. Email sales@cybernode.au to scope.

Common questions

Cyber insurance readiness FAQ

Almost certainly yes. Australian cyber insurance policies issued from 2023 onward typically require enforced MFA, defined patching cadence, isolated and tested backups, privileged access controls, and increasingly an independent security assessment within a defined window. The conditions are in the policy schedule. Many brokers do not walk buyers through them at point of sale.

The claim adjuster reviews evidence after the incident and identifies the gap. If a required control was not implemented at the time of the incident, the insurer can deny the claim or reduce the payout. The policy you thought you had does not respond. The position the insurer takes is that the underwriting decision was based on the prerequisites being in place.

SOC 2 and ISO 27001 are formal third-party attestation frameworks that take months and require an independent CPA firm or accredited certification body. The Essential Eight readiness assessment is a 2-day technical check sized for cyber insurance underwriting. Different scope, different cost, different evidence.

Yes for the technical-validation prerequisite that most policies include. Cyber Node’s report is formatted to match what underwriters and claim adjusters expect: scope, methodology, evidence per finding, and remediation status. We coordinate with your broker if useful.

No. The readiness assessment is technical validation of the eight Essential Eight mitigations, not a penetration test against an application. If your insurer also requires a penetration test as a separate prerequisite, that is a different engagement.

Validate before incident, not after

A cyber policy is only worth what your evidence pack says it is.