โ† Back to oday.com.au
0day ยท oday.com.au

Cyber Insurance Readiness Checklist for Australian SMBs

Audience: Australian SMBs seeking cyber insurance
Version: 2025
Contact: hello@oday.com.au

Why this checklist matters: Australian cyber insurers have significantly tightened underwriting requirements since 2022. Many SMBs are refused cover — or pay much higher premiums — because they lack basic controls. This checklist covers the controls insurers consistently ask about. Tick everything you can before applying.
Legend:
Must Have (MUST) — Most insurers require this
Should Have (SHOULD) — Expected at standard cover
Nice to Have (NICE) — Reduces premium

1. Multi-Factor Authentication (MFA)

MFA is enabled on all email accounts (especially Microsoft 365 / Google Workspace)
Business email compromise (BEC) is the #1 cyber insurance claim in Australia. Email MFA is non-negotiable.
MUST
MFA is enabled for all remote access (VPN, RDP, cloud systems)
MUST
MFA is enabled for all admin / privileged accounts
MUST
MFA is enabled for all user-facing SaaS applications (Xero, MYOB, CRM, etc.)
SHOULD
Hardware tokens or phishing-resistant MFA used for finance / executive accounts
NICE
Current state / gaps:

2. Backups & Recovery

Automated daily backups of all critical business data
MUST
Backups stored offline or in a separate environment (not connected to main network)
Ransomware will encrypt your backups if they're connected. Insurers specifically ask about this.
MUST
Backups tested and verified at least quarterly (can you actually restore?)
MUST
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) documented
SHOULD
Full disaster recovery test performed in the last 12 months
NICE
Current state / gaps:
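"Backups tested and verified at least quarterly" means actually restoring and comparing, not just checking that the backup job reported success. The script below is an added example (not the Oday checklist's own tooling) of the minimum evidence worth keeping: it builds a small constructed data set, archives it, restores it into a clean directory, compares SHA-256 digests of every file, and checks whether the last successful restore test is within a quarter. It assumes backups are plain tar archives; with a commercial backup product you would swap the body of `restore_archive` for that product's restore command and keep the comparison step.

```python
"""Restore-test harness for the checklist's 'backups tested quarterly' item.

Added example, not part of the original Oday checklist. It assumes backups are
plain tar archives (swap in your backup tool's restore command inside
`restore_archive`); the source files and dates below are constructed.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from datetime import date
from pathlib import Path

QUARTER_DAYS = 92  # "at least quarterly" treated as a 92-day window (assumption)


def sha256_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def create_archive(source: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_archive(archive: Path, target: Path) -> None:
    """Restore into an empty directory. The 'data' filter rejects archive members
    that would escape the target directory; older Pythons lack the argument."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")
        except TypeError:
            tar.extractall(target)


def verify_restore(source: Path, restored: Path) -> tuple[bool, list[str]]:
    """True when every file came back byte-for-byte; otherwise list the differences."""
    expected, actual = sha256_manifest(source), sha256_manifest(restored)
    problems = [f"missing: {p}" for p in expected if p not in actual]
    problems += [f"changed: {p}" for p in expected if p in actual and actual[p] != expected[p]]
    problems += [f"unexpected: {p}" for p in actual if p not in expected]
    return (not problems, problems)


def restore_test_current(last_verified: date | None, today: date) -> bool:
    """The checklist item passes only if a successful restore test falls within a quarter."""
    return last_verified is not None and (today - last_verified).days <= QUARTER_DAYS


def run_restore_test() -> tuple[bool, list[str]]:
    """End to end: create constructed source data, archive it, restore it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, restored, archive = root / "source", root / "restored", root / "backup.tar.gz"
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "ledger.csv").write_text("date,amount\n2025-01-01,100\n")  # constructed
        (source / "clients.txt").write_text("Example Pty Ltd\n")                           # constructed
        create_archive(source, archive)
        restored.mkdir()
        restore_archive(archive, restored)
        return verify_restore(source, restored)


# Constructed dates for the cadence check.
LAST_VERIFIED = date(2025, 1, 1)
AS_OF = date(2025, 3, 31)

if __name__ == "__main__":
    ok, problems = run_restore_test()
    print("restore test:", "PASS" if ok else "FAIL", problems)
    print("quarterly cadence met:", restore_test_current(LAST_VERIFIED, AS_OF))
```

Record the date and result of each run; that log, not the backup software's job history, is what answers the insurer's "can you actually restore?" question. Restoring into a separate, empty directory also keeps the test from touching production data.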

3. Endpoint Protection & Patching

Endpoint detection and response (EDR) or advanced antivirus on all devices
Windows Defender (fully enabled) is acceptable for small businesses. CrowdStrike or SentinelOne preferred.
MUST
Operating systems patched within 30 days of update release (14 days for critical)
MUST
No end-of-life operating systems in use (Windows 7, Server 2012, etc.)
MUST
All business software kept up to date with security patches
SHOULD
Mobile device management (MDM) for business mobile devices
SHOULD
Current state / gaps:
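The two MUST items above (patching within 30 days, 14 for critical, and no end-of-life operating systems) are easy to state and hard to evidence. The script below is an added example, not part of the Oday checklist or any product's code: it takes a per-device inventory of the kind most patch-management tools can export (OS name plus each update's release date, severity and install date) and reports which devices breach the SLA or run an EOL OS. The inventory, device names and update identifiers are constructed, and the EOL name prefixes are an assumption based on the OS families named above.

```python
"""Patch-SLA and end-of-life check for the checklist's endpoint items.

Added example, not part of the original Oday checklist. It assumes you can
export, per device, the OS name and its pending or recently installed updates
(release date, severity, install date) from your patch-management tool; the
inventory below is constructed. Thresholds follow the checklist: 30 days for
ordinary updates, 14 days for critical ones, and no end-of-life OS in use.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

SLA_DAYS = {"critical": 14, "normal": 30}

# OS families the checklist names as end-of-life (name prefixes; assumed format).
EOL_OS_PREFIXES = ("Windows 7", "Windows Server 2012")


@dataclass
class Update:
    update_id: str          # vendor's update identifier (constructed values below)
    severity: str           # "critical" or "normal"
    released: date
    installed: date | None  # None means the update is still pending


@dataclass
class Device:
    name: str
    os_name: str
    updates: list[Update] = field(default_factory=list)


def days_over_sla(u: Update, today: date) -> int:
    """Days beyond the SLA window; zero or negative means the update is within SLA.

    A pending update is measured up to `today`; an installed one up to its install date.
    """
    end = u.installed or today
    return (end - u.released).days - SLA_DAYS[u.severity]


def is_eol(os_name: str) -> bool:
    return os_name.startswith(EOL_OS_PREFIXES)


def assess(inventory: list[Device], today: date) -> dict[str, list[str]]:
    """Group failures by checklist item so they map straight onto the scorecard."""
    report: dict[str, list[str]] = {"patch_sla": [], "eol_os": []}
    for dev in inventory:
        if is_eol(dev.os_name):
            report["eol_os"].append(f"{dev.name}: {dev.os_name}")
        for u in dev.updates:
            late = days_over_sla(u, today)
            if late > 0:
                state = "pending" if u.installed is None else "installed late"
                report["patch_sla"].append(
                    f"{dev.name}: {u.update_id} ({u.severity}, {state}) {late} days over SLA")
    return report


def ready_for_insurer(inventory: list[Device], today: date) -> bool:
    """Both MUST items pass only when there are no overdue updates and no EOL systems."""
    report = assess(inventory, today)
    return not report["patch_sla"] and not report["eol_os"]


# Constructed inventory, evaluated as of a fixed date so the result is reproducible.
AS_OF = date(2025, 3, 31)
SAMPLE_INVENTORY = [
    Device("FIN-PC-01", "Windows 11 Pro", [
        Update("UPD-0001", "critical", date(2025, 3, 10), date(2025, 3, 15))]),  # 5 days: OK
    Device("RECEPTION-PC", "Windows 10 Pro", [
        Update("UPD-0002", "normal", date(2025, 2, 1), None)]),                   # 58 days pending
    Device("LAPTOP-07", "Windows 11 Pro", [
        Update("UPD-0003", "critical", date(2025, 3, 1), None)]),                 # 30 days pending
    Device("OLD-FILESERVER", "Windows Server 2012 R2"),                           # end-of-life
]

if __name__ == "__main__":
    for item, failures in assess(SAMPLE_INVENTORY, AS_OF).items():
        print(item, "PASS" if not failures else "FAIL")
        for line in failures:
            print("   ", line)
    print("ready for insurer:", ready_for_insurer(SAMPLE_INVENTORY, AS_OF))
```

Run it as-is to see the constructed inventory fail on two overdue updates and one EOL server; replace `SAMPLE_INVENTORY` with your own export to get a list you can attach to the scorecard. Measuring a pending update against today's date (rather than ignoring it) is deliberate: an unpatched device is the case insurers care about.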

4. Access Control & Privilege Management

Principle of least privilege: staff only have access to what they need
MUST
Admin accounts are separate from standard user accounts
MUST
Access is revoked immediately when staff leave
Insurers will ask about offboarding procedures. Have a documented process.
MUST
Shared / generic accounts eliminated (each user has their own login)
SHOULD
Password manager in use for the organisation
SHOULD
Current state / gaps:

5. Email Security

SPF, DKIM, and DMARC configured for your email domain
These prevent email spoofing. Your IT provider can verify. Check at mxtoolbox.com/dmarc.
MUST
Email filtering / anti-spam solution in place
MUST
Staff trained to identify phishing emails (at least annually)
SHOULD
Payment request or account change emails require verbal confirmation
BEC scams involve fake invoices. A simple phone verification policy prevents most losses.
SHOULD
Current state / gaps:
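"SPF, DKIM and DMARC configured" is only a pass if the records actually enforce something: an SPF record ending in `+all` or a DMARC policy of `p=none` exists but stops no spoofing. The script below is an added example, not the checklist's or mxtoolbox's code: it evaluates SPF and DMARC TXT records that have already been fetched (for instance with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`) and grades each as configured, weak or missing. The sample domains and records are constructed; DKIM is not covered because its selector names are provider-specific and not on the page.

```python
"""Evaluate SPF and DMARC TXT records for the checklist's email-security item.

Added example (not from the original Oday checklist). It assumes the TXT
records have already been fetched, e.g. `dig TXT yourdomain` for SPF and
`dig TXT _dmarc.yourdomain` for DMARC, and are passed in as strings; the
sample records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Finding:
    control: str   # "SPF" or "DMARC"
    status: str    # "MUST-OK", "WEAK" or "MISSING"
    detail: str


def parse_tags(record: str) -> dict[str, str]:
    """Split a DMARC-style 'k=v; k=v' record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str | None) -> Finding:
    """SPF counts as configured only when it exists and ends in a hard fail (-all)."""
    if not record or not record.lower().startswith("v=spf1"):
        return Finding("SPF", "MISSING", "no v=spf1 TXT record on the domain")
    mechanisms = record.split()[1:]
    last = mechanisms[-1].lower() if mechanisms else ""
    if last == "-all":
        return Finding("SPF", "MUST-OK", "hard fail (-all) for senders not listed")
    if last == "~all":
        return Finding("SPF", "WEAK", "soft fail (~all); tighten to -all once DMARC reports look clean")
    return Finding("SPF", "WEAK", f"record ends in '{last or '(nothing)'}', so spoofed mail is not rejected")


def check_dmarc(record: str | None) -> Finding:
    """DMARC counts as configured when v=DMARC1 and p= is quarantine or reject."""
    if not record:
        return Finding("DMARC", "MISSING", "no TXT record at _dmarc.<domain>")
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return Finding("DMARC", "MISSING", "TXT record at _dmarc is not a DMARC record")
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        detail = f"p={policy}"
        if "rua" not in tags:
            detail += "; add rua= so you receive aggregate reports"
        return Finding("DMARC", "MUST-OK", detail)
    if policy == "none":
        return Finding("DMARC", "WEAK", "p=none only monitors; spoofed mail is still delivered")
    return Finding("DMARC", "WEAK", f"unrecognised or missing policy tag p={policy!r}")


def evaluate(spf: str | None, dmarc: str | None) -> list[Finding]:
    return [check_spf(spf), check_dmarc(dmarc)]


def ready_for_insurer(spf: str | None, dmarc: str | None) -> bool:
    """The MUST item passes only when both SPF and DMARC are enforcing."""
    return all(f.status == "MUST-OK" for f in evaluate(spf, dmarc))


# Constructed sample records; .example is a reserved TLD, so these are not real domains.
SAMPLE_DOMAINS = {
    "good.example": (
        "v=spf1 include:spf.protection.outlook.com -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    ),
    "monitor-only.example": (
        "v=spf1 include:_spf.google.com ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    ),
    "nothing.example": (None, None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_DOMAINS.items():
        print(domain, "READY" if ready_for_insurer(spf, dmarc) else "NOT READY")
        for f in evaluate(spf, dmarc):
            print(f"  {f.control:5} {f.status:8} {f.detail}")
```

The grading is deliberately strict: `p=none` and `~all` are the normal first step when rolling DMARC out, but they are monitoring settings, and a broker asking "is DMARC configured?" wants to know whether forged mail from your domain gets rejected.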

6. Incident Response Preparedness

A documented incident response plan exists
SHOULD
You know your insurer's claims notification window (24–72 hours is common)
Filing late can void your claim. Know your policy's notification requirement before an incident.
MUST
Key contacts (IT, legal, IR firm) are documented and accessible offline
SHOULD
Tabletop incident response exercise conducted in last 12 months
NICE

7. Australian Regulatory Compliance

🇦🇺 Insurers writing cyber policies for Australian businesses will ask about compliance with the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme. If you hold personal information, you must have a process for identifying and reporting breaches to the OAIC.
Privacy Policy published on your website that reflects actual data practices
MUST
Process in place to detect and assess whether a data breach triggers NDB notification
MUST
Personal data inventory — you know what PII you hold and where
SHOULD
Data retention policy — PII not retained longer than necessary
SHOULD

Summary Scorecard

Category              | Items Completed | Items Outstanding | Priority
----------------------|-----------------|-------------------|---------
MFA                   |                 |                   |
Backups & Recovery    |                 |                   |
Endpoint Protection   |                 |                   |
Access Control        |                 |                   |
Email Security        |                 |                   |
Incident Response     |                 |                   |
Regulatory Compliance |                 |                   |

✅ Ready to apply for cyber insurance? Share this completed checklist with your broker to demonstrate your security posture.
Need help implementing these controls? Contact Oday: hello@oday.com.au · 0420 277 414