Is ACSC Essential Eight required for Australian cyber insurance?

Not universally mandatory, but Australian insurers strongly recommend Essential Eight compliance and often offer discounts for higher maturity levels. The ACSC framework is highly influential in Australian underwriting.

What is APRA CPS 234 and who needs to comply?

APRA CPS 234 applies to authorised deposit-taking institutions, insurance companies, and superannuation funds. It mandates information security, operational resilience, and cyber incident reporting. If you're regulated by APRA, compliance is essential for insurance.

What are NDB scheme obligations for Australian insurers?

The Notifiable Data Breach (NDB) scheme requires Australian Privacy Act-regulated entities to notify individuals of eligible data breaches without unreasonable delay. Insurers examine your NDB compliance procedures.

What is the SOCI Act and does it affect my insurance?

The Security of Critical Infrastructure (SOCI) Act applies to critical infrastructure operators in sectors like energy, water, and telecommunications. If you operate critical infrastructure, you must comply with SOCI security and incident reporting obligations.

Australian Cyber Insurance Requirements Checklist

Why Australian insurers scrutinise security controls

The Australian cyber insurance market operates under unique regulatory frameworks including the Australian Cyber Security Centre's (ACSC) Essential Eight, the Privacy Act 1988, the Notifiable Data Breach (NDB) scheme, APRA CPS 234 (for financial entities), and the emerging Security of Critical Infrastructure (SOCI) Act. Insurers are highly selective because Australia is a target for sophisticated threat actors and the regulatory environment is rapidly evolving.

You don't need to be a major corporation, but you must demonstrate that you have controls aligned with Australian security best practice and regulatory expectations.

Essential controls (required by virtually all Australian insurers)

These are baseline expectations. Missing any will result in a declined application or severe premium penalties.

Multi-Factor Authentication (MFA)

MFA is now virtually universal among Australian carriers. It must cover:

All remote access (VPN, RDP)
Email accounts (especially admin and service accounts)
Cloud services (Microsoft 365, Google Workspace, AWS, Salesforce)
Admin consoles and privileged access
Backup and recovery systems

MFA implementation typically reduces premiums by 15–25%.

Endpoint Detection and Response (EDR)

Basic antivirus is insufficient. Australian insurers require EDR — continuous monitoring and threat response on all endpoints. Enterprise EDR solutions like Microsoft Defender for Endpoint, CrowdStrike, or SentinelOne are standard.

Email security

Email is the primary attack vector. Insurers require:

Spam filtering and anti-phishing tools
DMARC, DKIM, and SPF enforcement
Secure email gateway or cloud-based protection

Backup and recovery procedures

The 3-2-1 rule applies: 3 copies of data, on 2 different media types, with 1 copy offsite and offline. You must have tested and documented restore procedures. Immutable or air-gapped backups score extra credit.

Patch management

A documented patch management process is essential. Standard expectation: critical patches deployed within 30 days. Show your policy and deployment schedule.

Security awareness training

Annual training is insufficient. Australian insurers expect regular, documented training at least quarterly. Phishing simulations and tracking of employee responses strengthen your application.

Australian-specific regulatory requirements

Beyond baseline controls, insurers assess compliance with Australian legislation and frameworks.

ACSC Essential Eight maturity model

The Australian Cyber Security Centre (ACSC) Essential Eight framework is highly influential in Australian underwriting. The eight essential controls are:

Application whitelisting — Only approved applications can execute
Patch applications — Regular patching to address vulnerabilities
Configure Microsoft Office macro settings — Disable untrusted macros
User application hardening — Reduce attack surface (disable plugins, etc.)
Restrict administrative privileges — Limit admin access, use JIT
Patch operating systems — Regular OS patching and updates
Multi-factor authentication — MFA on all privileged access
Daily backups — Regular, tested, offline backups

Insurers typically assess your Essential Eight maturity level. Higher maturity (Level 2 or 3) qualifies for premium discounts.

Privacy Act 1988 and Notifiable Data Breach scheme

Most Australian organisations must comply with the Privacy Act. The Notifiable Data Breach (NDB) scheme requires notification of affected individuals without unreasonable delay if there's a serious possibility of serious harm. Insurers require documentation of:

Australian Privacy Principles (APPs) compliance
Privacy Policy and data handling procedures
Breach notification procedures and timeline
Vendor management and data sharing agreements

APRA CPS 234 (financial entities)

If you're an authorised deposit-taking institution, insurance company, or superannuation fund, APRA CPS 234 requires comprehensive information security, business continuity, and cyber incident reporting obligations. Insurers require documentation of:

Information Security Policy and governance
Business continuity and disaster recovery plans
Cyber incident response procedures and 72-hour reporting timeline
Third-party risk management
Regular penetration testing and vulnerability assessments

SOCI Act (critical infrastructure)

The Security of Critical Infrastructure (SOCI) Act applies to critical infrastructure operators in the energy, water, ports, and telecommunications sectors. If you operate critical infrastructure, SOCI requires:

Security and resilience assessment
System hardening and risk mitigation
Incident response capability and reporting (24-hour notification for significant incidents)
Supply chain security assessments

Important controls (expected by most Australian insurers)

Without these, you're unlikely to be declined, but they're strongly expected and will improve your premium significantly.

Privileged Access Management (PAM)

Separate admin accounts from regular user accounts. Implement just-in-time (JIT) access. Log and monitor all privileged access. This aligns with Essential Eight requirements.

Network segmentation

Don't keep everything on a flat network. Separate critical systems and limit lateral movement.

Incident response plan

A documented plan covering roles, escalation procedures, containment, communication, recovery timelines, and notification procedures (especially NDB notification for Privacy Act breaches). Test annually via tabletop exercises.

Vulnerability scanning and assessment

Regular internal and external scans. Quarterly minimum. Australian insurers may conduct their own external scans during underwriting.

Encryption

Data at rest (full-disk encryption, encrypted databases) and in transit (TLS/SSL, VPN).

Logging and monitoring

Collect logs from critical systems. SIEM or cloud-based log aggregation. Retain for at least 90 days (1+ year preferred).

Advanced controls (significant premium reduction)

24/7 Security Operations Centre (SOC) or Managed Detection and Response (MDR)
Zero trust architecture
Third-party risk management programme
Annual penetration testing
Data Loss Prevention (DLP)
Identity governance and access reviews

Australian broker application process

Step 1: Proposal form

Detailed questionnaire covering your business, employees, locations, data types, regulatory status, and security posture. Be thorough and honest.

Step 2: Compliance and security documentation

Insurers will request:

ACSC Essential Eight assessment or maturity rating
Privacy Policy and Privacy Act compliance documentation
NDB scheme readiness procedures
Incident response plan and tabletop test results
Security training records
APRA CPS 234 compliance evidence (if applicable)
SOCI Act compliance (if critical infrastructure)

Step 3: External assessment

Many Australian insurers conduct external vulnerability scans and assess your security posture against Essential Eight benchmarks.

Step 4: Underwriter discussion

Mid-market and larger accounts typically receive an underwriter call to discuss your security programme, incident history, and regulatory compliance.

Timeline

Small businesses: 2–4 weeks
Mid-market: 4–8 weeks
Enterprise: 8–12 weeks

Common reasons for declined applications in Australia

No MFA in place
No EDR deployed
No evidence of backup testing
Previous data breach not disclosed to insurer
Non-compliance with Privacy Act (no NDB procedures)
Low Essential Eight maturity (Level 0 or 1)
Flat network with no segmentation
No incident response plan
Multiple claims in past 3 years
Operating critical infrastructure without SOCI compliance
APRA-regulated entity without CPS 234 compliance

Cyber insurance requirements checklist for Australia

Below is your complete checklist for Australian underwriting.

Control	Description	Priority
Multi-factor authentication (MFA)	MFA on all remote access, email, cloud services, admin accounts	Essential
Endpoint detection and response (EDR)	Advanced endpoint protection with continuous monitoring	Essential
Email security	DMARC/DKIM/SPF, anti-phishing, spam filtering	Essential
Backup and recovery (3-2-1)	Daily tested backups with offline/immutable copy	Essential
Patch management	Critical patches within 30 days, documented process	Essential
Security awareness training	Quarterly+, documented, with phishing simulations	Essential
ACSC Essential Eight implementation	Essential Eight controls at Level 1 minimum; Level 2+ for discounts	Important
Privacy Act compliance documentation	Australian Privacy Principles, Privacy Policy, breach handling procedures	Important
Notifiable Data Breach (NDB) scheme readiness	Documented procedures for breach notification	Important
Privileged access management (PAM)	Separate admin accounts, JIT access, logging	Important
Network segmentation	Isolate critical systems, restrict lateral movement	Important
Incident response plan	Documented, tested annually via tabletop	Important
Vulnerability scanning	Internal and external scans (quarterly+)	Important
Encryption	Data at rest and in transit	Important
Logging and monitoring	SIEM or log aggregation, 90+ day retention	Important
APRA CPS 234 compliance (if regulated)	Information security, business continuity, incident reporting	Important
SOCI Act compliance (if critical infrastructure)	Security assessments, risk mitigation, incident reporting	Important
24/7 SOC or MDR	Continuous threat hunting and response	Advanced
Zero trust architecture	"Never trust, always verify" approach	Advanced
Penetration testing	Annual or biannual third-party assessments	Advanced

Next steps

Ready to apply for cyber insurance in Australia? Get matched with a specialist Australian broker who understands Essential Eight, APRA CPS 234, NDB scheme, Privacy Act, SOCI, and Australian carrier expectations.

Ready to get covered in Australia?

Tell us about your business and we'll match you with a specialist Australian cyber insurance broker.

Get a Quote →

Last updated: April 2026

Australian Cyber Insurance Requirements: What You Need to Qualify