Cyber Insurance Readiness Review for Australian SMBs: Make Sure Your Ransomware Claim Actually Pays

Your renewal pack arrived from the broker and the questionnaire is twelve pages long. It asks whether you have multi-factor authentication on all remote access, whether you have offline backups, whether you patch internet-facing services within 48 hours, and whether you log and monitor administrative actions. You ticked yes to most of them last year because the alternative was a premium hike. Then a ransomware crew encrypts your file server on a Thursday afternoon, you call the insurer, and the first thing they do is send a forensic firm to check whether what you ticked is actually true. Cyber Insurance Readiness Review from Cyber by Exegesis is the engagement that closes the gap between what your policy assumes and what your network actually looks like — before you need to claim.

The problem

Ransomware is the highest-impact cyber loss category for Australian SMBs. The ACSC Small Business Cyber Security Guide is blunt about the control set that prevents it: multi-factor authentication, patched systems, restricted administrative privileges, and tested backups held offline. Cyber insurers have read the same guidance. Their renewal questionnaires and policy warranties now mirror those controls almost line-for-line, and increasingly mirror the Essential Eight Maturity Model — usually pitched at ML1 with selected ML2 controls.

The problem is not that SMBs lie on the questionnaire. It is that the person filling it in is the owner or the office manager, not the person who knows whether the backup that ran last night was actually offline, whether the domain admin account has MFA, or whether the RDP port someone opened in 2022 is still open. When a claim is denied, the denial reasons are rarely exotic — they are the same three or four control gaps every time. And if the ransomware incident also exposes customer personal information, the OAIC Notifiable Data Breaches scheme obligations land on you regardless of whether the insurer pays.

What the Cyber Insurance Readiness Review does

Cyber by Exegesis runs a fixed-scope pre-renewal or pre-claim review against your actual policy.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same group behind DRMO. Our scope here is evidence and gap identification. We are not your broker and we are not your incident responder; we make sure that if a ransomware incident hits, your claim is not the one that gets denied for a paperwork reason.

How it works

  1. We collect your current cyber policy, last year’s questionnaire, and any broker correspondence on warranties or sub-limits.
  2. We confirm scope on a short call, then request read-only access to your identity provider (Microsoft 365 or Google Workspace), your backup console, and a list of internet-facing services.
  3. We run the Essential Eight ML1 baseline checks and capture screenshots and configuration exports as evidence for each control.
  4. We sit with whoever manages your IT — internal or MSP — for 45 minutes to verify backup isolation and restore-test history.
  5. We deliver the written readiness report within ten business days, with a gap list scoped so each item is closable before your renewal date.

Why this matters in Australia

Australian SMBs sit in a particular squeeze. Cyber insurance premiums and warranties have tightened every year since 2021. The ACSC has made the Essential Eight Maturity Model the de facto national baseline, and insurers price against it. The OAIC Notifiable Data Breaches scheme means that a ransomware incident touching customer personal information is a regulatory event as well as an operational one. An Australian SMB that walks into renewal with documented evidence against every policy warranty pays a defensible premium and — far more importantly — preserves the right to claim if the worst Thursday afternoon arrives.


Join the waitlist — first access when Cyber by Exegesis opens Cyber Insurance Readiness Reviews for Australian SMBs

We are sequencing engagements by renewal date and by identity-tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your renewal month and current cyber insurer — we will tell you when we are ready to take a brief from your business.