Cyber insurance has matured. After years of large ransomware payouts, insurers no longer hand out cover without scrutiny. Today the application form is effectively a security audit, and your backups are one of the first things they probe. Here is what a modern policy expects.
- Insurers increasingly require specific controls before they will offer cover.
- MFA and reliable, tested backups are among the most commonly required.
- Weak or missing controls can raise premiums, limit cover, or void a claim.
- Good backups both lower your risk and strengthen your insurability.
Why insurers got strict
The economics of cyber insurance changed when ransomware claims surged. To stay viable, insurers tightened underwriting: instead of simply pricing risk, they now require applicants to demonstrate baseline controls before cover is offered at all. The application has become, in effect, a security questionnaire — and answering loosely can come back to bite you at claim time.
What policies commonly require
Requirements vary by insurer, but recurring themes include:
- Multi-factor authentication on email, remote access and key systems.
- Regular, tested backups that are kept isolated from production.
- Timely patching of systems and software.
- Endpoint protection and email filtering.
- An incident response plan.
You will recognise these — they map closely to the Essential Eight.
The backup questions specifically
Expect to be asked not just "do you back up" but how. Insurers want to know about frequency, retention, whether backups are isolated and immutable, and crucially whether you test restoration. The reasoning is direct: a business that can restore from clean backups is far less likely to pay a ransom and far cheaper to make whole.
Why your answers matter twice
Your responses matter at two points: they determine whether you can get cover and at what price, and later whether a claim is honoured. If you attest to controls you do not actually have and an incident exposes the gap, an insurer may reduce or decline the payout. Accuracy is not optional.
Turning controls into an advantage
The flip side is encouraging: the same controls that lower your real risk also improve your insurability and can reduce premiums. An independent, tested backup of your critical data — with retention and immutability — is one of the clearest, most affordable ways to tick the insurer’s box and protect the business at the same time.