Cyber Insurance Readiness Check

Insurers now ask hard questions before they'll cover you — and price on the answers. Run this free 12-question check to see how ready you are, and get a prioritised list of gaps mapped to the ACSC Essential Eight. Everything runs in your browser; nothing is sent until you choose to.


For each control, choose the answer that best matches your business today. Yes = fully in place, Partial = some coverage, No = not in place.

  1. Is MFA enforced on email, remote access (VPN/RDP) and all administrator accounts?

    Essential Eight — Multi-factor authentication. This is the first thing an insurer checks. "Partial" means some systems are covered but not all.

  2. Do you take regular backups that are offline or immutable, and have you tested a restore in the last 12 months?

    Essential Eight — Regular backups. Ransomware-proof backups are what let you refuse to pay. Untested backups do not count.

  3. Is modern endpoint protection or EDR deployed and monitored on all laptops, desktops and servers?

    Insurers increasingly expect managed EDR, not just consumer antivirus.

  4. Do you have email filtering / anti-phishing and anti-spoofing (SPF, DKIM, DMARC) in place?

    Most claims start with a phishing email — layered filtering materially lowers risk.

  5. Are operating systems and applications patched promptly (critical updates within roughly two weeks)?

    Essential Eight — Patch operating systems & applications. Insurers ask how quickly you patch internet-facing and high-risk software.

  6. Do staff complete regular security-awareness training and simulated phishing?

    A trained team is your cheapest and most effective control against social engineering.

  7. Do you have a documented incident response plan, and has it been reviewed or rehearsed?

    Insurers want to see you can respond in the first 24 hours, not improvise.

  8. Are administrator privileges limited to those who need them, with separate admin accounts and regular reviews?

    Essential Eight — Restrict administrative privileges. Over-provisioned admin rights are a top cause of severe incidents.

  9. Do you control which applications can run (allow-listing) on servers and workstations?

    Essential Eight — Application control. Application control stops unapproved and malicious software from executing.

  10. Is sensitive data encrypted at rest (e.g. disk encryption) and in transit?

    Encryption limits the damage and notification obligations if a device or database is lost.

  11. Are security logs collected and monitored so you would detect a compromise?

    Essential Eight — related to monitoring. Without logs you cannot prove what happened — insurers and regulators will ask.

  12. Have you been free of any cyber incidents, breaches or insurance claims in the last three years?

    Answer "No" if you have had an incident, "Partial" for a near-miss you contained.
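The anti-spoofing part of question 4 (SPF, DKIM, DMARC) is one of the few items on this list you can verify from public DNS rather than from policy documents. The script below is an added example and is not part of this check or its browser tool. It reads SPF, DKIM and DMARC TXT records from a constructed in-memory table (standing in for real DNS lookups, so it runs offline) and maps what it finds onto the Yes / Partial / No scale used above. The domain names, selector names and the grading thresholds (for instance treating `~all`, `p=quarantine` or a `pct` below 100 as "Partial") are assumptions chosen for illustration, not insurer criteria.

```python
"""Grade a domain's SPF / DKIM / DMARC posture on a yes / partial / no scale.

Added example for question 4 of the readiness check. The DNS data below is
constructed; a real check would replace lookup_txt() with live TXT queries.
"""

# Constructed TXT records keyed by DNS name (what a TXT lookup would return).
SAMPLE_DNS = {
    "example-good.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.example-good.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-good.test; pct=100"],
    "mail._domainkey.example-good.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDERKEY=="],
    "example-partial.test": ["v=spf1 include:_spf.mailhost.test ~all"],
    "_dmarc.example-partial.test": ["v=DMARC1; p=quarantine; pct=50"],
    "selector1._domainkey.example-partial.test": ["k=rsa; p=MIIBIjANBgkqPLACEHOLDERKEY=="],
    "example-none.test": ["some unrelated txt record"],
}

RANK = {"no": 0, "partial": 1, "yes": 2}


def lookup_txt(name, dns=SAMPLE_DNS):
    """Return the TXT strings published at `name` (constructed table, not live DNS)."""
    return dns.get(name.lower(), [])


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DMARC and DKIM record syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 keys may contain '=' padding
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(domain, dns=SAMPLE_DNS):
    """Grade SPF by the qualifier on the final 'all' mechanism.

    '-all' rejects unlisted senders (yes); '~all' only softfails them (partial);
    no 'all' term, '+all' or '?all' lets anyone send as the domain (no).
    A 'redirect=' modifier is not followed here; treat that as an assumption.
    """
    records = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if len(records) != 1:  # none published, or more than one (a permanent error)
        return "no"
    all_terms = [t for t in records[0].split()[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return "partial"
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    return {"-": "yes", "~": "partial"}.get(qualifier, "no")


def assess_dkim(domain, selectors, dns=SAMPLE_DNS):
    """Grade DKIM: a key with a non-empty 'p=' must exist under a known selector.

    Selectors are not discoverable from DNS alone; they come from the
    DKIM-Signature header of mail the domain actually sends.
    """
    for selector in selectors:
        for record in lookup_txt(f"{selector}._domainkey.{domain}", dns):
            tags = parse_tags(record)
            # 'v=' is optional in DKIM records and defaults to DKIM1; empty p= means revoked.
            if tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p"):
                return "yes"
    return "no"


def assess_dmarc(domain, dns=SAMPLE_DNS):
    """Grade DMARC by policy: reject at full pct (yes), quarantine or a partial
    rollout (partial), p=none or no record (no, because spoofed mail still lands)."""
    records = [r for r in lookup_txt(f"_dmarc.{domain}", dns) if r.upper().startswith("V=DMARC1")]
    if len(records) != 1:
        return "no"
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # unparsable pct: treat the policy as not enforced
    if policy == "reject" and pct >= 100:
        return "yes"
    if policy in ("reject", "quarantine"):
        return "partial"
    return "no"


def assess_domain(domain, selectors=("mail",), dns=SAMPLE_DNS):
    """Combine the three grades; the weakest control decides the questionnaire answer."""
    grades = {
        "spf": assess_spf(domain, dns),
        "dkim": assess_dkim(domain, selectors, dns),
        "dmarc": assess_dmarc(domain, dns),
    }
    grades["answer"] = min(grades.values(), key=lambda g: RANK[g])
    return grades


if __name__ == "__main__":
    for name, sels in [("example-good.test", ("mail",)),
                       ("example-partial.test", ("mail", "selector1")),
                       ("example-none.test", ("mail",))]:
        print(name, assess_domain(name, sels))
```

Running it prints one line per constructed domain. The "weakest control decides" rule is deliberate: a hard `-all` SPF record is of little use against a spoofed display name if DMARC is still `p=none`, so the questionnaire answer should reflect the gap, not the average.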
