Cyber Insurance Readiness Review for Adelaide SMBs: Make Sure a BEC Claim Actually Pays Out

Your broker sent through the renewal questionnaire for your cyber policy, and somewhere on page four it asks whether you have multi-factor authentication enforced on all email accounts, whether you verify supplier bank-detail changes out-of-band, and whether you have run staff phishing training in the last 12 months. You tick yes because you mostly do. Eight months later an attacker redirects a $90,000 supplier payment, you lodge a claim, and the insurer’s investigator starts asking for evidence of every control you attested to. The Cyber Insurance Readiness Review from Cyber by Exegesis is the engagement that closes the gap between what your policy says you do and what you can prove you did.

The problem

Business email compromise is the highest-loss cyber category reported by Australian SMBs to ACCC Scamwatch year after year. It is also the category where cyber insurance claim disputes cluster, because BEC policies are loaded with control warranties — MFA on email, out-of-band verification of payment changes, DMARC enforcement, staff training cadence, endpoint protection — and a single unmet warranty can be enough for an insurer to deny or reduce a claim.

Most Adelaide SMBs answer the renewal questionnaire in good faith but without a paper trail. MFA might be enabled but not enforced on every mailbox. The payment-change process might exist in someone’s head but not in a written procedure. Phishing training might have happened in 2023 but with no attendance record. When the claim adjuster asks for evidence per control, the SMB cannot produce it — and the BEC loss they thought was insured turns out not to be.

The ACSC Small Business Cyber Security Guide describes the controls insurers care about; the OAIC Notifiable Data Breaches scheme adds a parallel obligation if customer PII was exposed in the same incident. Both need to be answered with documents, not assertions.

What the Cyber Insurance Readiness Review does

Cyber by Exegesis runs a fixed-scope pre-renewal (or pre-claim) review built around your actual policy wording:

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. This engagement is preventive and documentary. We are not your broker and we do not place insurance; we make sure that when your broker or insurer asks, you have the evidence ready.

How it works

  1. We confirm scope on a short call and ask for a copy of your current (or proposed) cyber policy schedule and any renewal questionnaire in flight.
  2. We map each control warranty to an evidence requirement and request read-only access to your email tenant and DNS provider.
  3. We pull the technical evidence — MFA state, DMARC/SPF/DKIM records, mailbox rules, conditional access — into a per-control evidence pack.
  4. We sit with your accounts and operations leads for 45 minutes to document the non-technical controls: payment-change verification, supplier onboarding, training cadence.
  5. We deliver the evidence pack, the gap register, and the written report, with a 90-day review window in case your policy or controls change.

Why this matters in Adelaide

Adelaide’s SMB base skews toward defence-supply-chain participants, professional services, and family-owned trade and manufacturing businesses — all sectors where a single redirected supplier invoice can be six figures, and all sectors where cyber insurance is increasingly a contractual requirement from larger customers. ACCC Scamwatch reporting consistently shows BEC as the dominant loss category for businesses of this profile. An Adelaide SMB that walks into renewal with a documented evidence pack pays a more defensible premium and, more importantly, has a claim that will actually pay when BEC hits.

Join the waitlist

We are sequencing engagements by renewal date and by email tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your renewal month and current insurer — we will tell you when we are ready to take a brief from your business.