While we hate to be the bearers of bad news, it’s impossible to deny that getting cyber insurance in 2026 isn’t as easy as it used to be.
To get covered for a reasonable premium in 2026, you’ll need to show comprehensive evidence of security maturity, and you’ll need to take extra care to tick all the right boxes.
In this article, we’ll show you what cyber security insurers are asking for right now, and how you can get ready to be approved.
First, let’s look at what’s changed and why things are tougher than they used to be.
Why insurers got pickier
So why are cyber insurers demanding more than they used to?
One main reason is simply that incident volumes and costs have surged. Medium-sized businesses in Australia have seen a 55% year-on-year increase in the self-reported cost of cyber incidents, and average costs are now around $100,000. Insurers have responded to this with stricter requirements.
At the same time, the cyber insurance market is booming. Valued at $16 to $20 billion (USD) in 2025, it’s expected to hit $30 to $50 billion by 2030, with Asia-Pacific seeing the highest growth.
This has led to a curious situation. If your business is prepared and secure, you can get excellent terms. But for everyone else, it’s harder than it used to be.
What underwriters actually care about
So what do insurers actually want to see from you?
There’s been a bit of a shift here. Instead of simply asking if you have security controls in place, underwriters now want to see concrete proof that those controls exist and work.
Here’s what you’ll need, as a bare minimum:
- MFA across all remote access (not just email)
- Managed Detection and Response (MDR) tools
- Immutable backups with tested recovery
- Structured patch management
This is your starting point. On top of that, insurers now care a lot more about human vulnerability. Business email compromise (BEC), for instance, accounted for 58% of all claims globally in 2025, and 71% of all funds transfer fraud claims were a direct result of social engineering.
That means insurers want to see clear evidence of staff training and a documented, structured approach to building awareness of these threats.
Finally, insurers want to see that you are proactive. You need to show them that you have plans in place before things go wrong, and that you won’t be flailing around reactively in the event of an attack. In practice, that means documented incident response plans, tested business continuity procedures, and clear escalation paths.
The good news
Right now, the Australian cyber insurance market is actually pretty good for businesses that have done the work.
As Gallagher notes, “While buyer-friendly conditions persist with slight premium reductions expected, outcomes remain highly dependent on the security controls, governance and cyber strategies implemented by organisations.”
In other words, invest in your security posture (which you should be doing anyway) and you’re in a great position to get insured.
If you want help assessing and improving your security before the next renewal comes around, get in touch with Aryon.