How to minimise your cyber insurance premiums, by optimising your cyber security approach

Tecala’s 10-Point checklist to prepare for your Cyber Insurance assessment.

In our recent Cyber Security Round Table session in Sydney, the conversation between attendees revolved around the importance of cyber security insurance and the approaches organisations can use to minimise premiums, or even remove the need for insurance completely. 

It was such an important discussion that our Cyber Security team at Tecala has developed a 10-point checklist to help you get the best cyber security cover at the lowest possible price.

So, let’s start with the first point: can we remove the need for Cyber insurance completely? The answer is a firm ‘no’.

The volume and sophistication of cyber attacks are rising, and with them the financial and reputational damage they cause. Cyber insurance is the financial support that lets you absorb losses, recover costs and keep operations running after an incident, so the need for it is not going away.

But rather than treating cyber insurance as a fixed cost, see it as part of your investment in risk management: a cost that should fall as the effectiveness of your cyber security improves.

In its 2021-22 Annual Cyber Threat Report (1), the Australian Cyber Security Centre put the average cost of a cybercrime to a medium-sized business at around $88,000, a rise of 14% on the previous year. That doesn't mean your insurance premiums have to rise too.

Every well-targeted investment in your cyber security approach reduces your exposure to risk, and the financial and reputational cost of an attack on your organisation. That reduced risk should be reflected in your annual cyber insurance premium.

As long as you continually monitor, update and optimise your cyber security approach against your actual risk factors, your premiums should fall over time rather than rise with the market.

So, how do you ensure you’re investing in the right cyber security approach to reduce your premiums? To answer this question, we’ve developed our 10-point plan for minimising cyber risk and insurance premiums.

(1) Australian Cyber Security Centre – 2021-22 Annual Cyber Threat Report

Tecala’s 10-point plan for minimising cyber risk and insurance premiums.

When you apply to an insurer for cyber insurance, they will work through a checklist of controls to assess the effectiveness of your cyber security approach. The more of these you can demonstrate with evidence, the lower your premiums should be.

Cyber Security Training
Pen Testing and Vulnerability Scanning
Endpoint Protection
Email Hygiene
Multi-Factor Authentication
SIEM and MDR
Patching
Monitoring and Alerts
Intrusion Prevention Systems
Data Management

Cyber Security Training

The Office of the Australian Information Commissioner (OAIC) Notifiable Data Breaches report for January to June 2022 found that 63% of notified breaches resulted from malicious or criminal attacks, and the common denominator among these attacks is that they target people, not just technology.

Ongoing, structured and industry-specific training programs keep your people aware of the evolving threat landscape, the tactics and techniques being used against them, and the procedures they need to follow so they don't expose your operations to unnecessary risk.

Globally, organisations are committing tens of billions of dollars (2) more to cyber security, with security awareness and technical skills training accounting for a large proportion of that spend.

Pen Testing and Vulnerability Scanning

Knowing the risks you face in today's connected world is the starting point for a strategic security roadmap that mitigates them. That means a clear, current picture of the weaknesses and potential points of exploitation across your network and broader technology environment, and it will be a major point of scrutiny for any cyber insurance provider.

Regular vulnerability scanning and penetration testing give you an accurate, evidence-based view of your exposure to attack, which is exactly what you need to secure the right cover at the best possible price. The two are complementary: scanning finds known weaknesses across your estate at scale, while penetration testing shows which of them an attacker could actually chain together into a compromise.

Tecala delivers ongoing, tailored Cyber Security Services as part of its Cyber Security portfolio.

Endpoint Protection

Endpoint protection and user security are designed to cover your entire ecosystem of devices, operating systems and software applications. Because that ecosystem changes constantly, with new devices, OS upgrades, application patches and security updates arriving daily, insurers want to see that your cyber security goes beyond single-point solutions.

Essentially, you need to show you’re defending your organisation at every point of entry and through every point of interaction.

Email Hygiene

Email continues to be an everyday and operationally critical part of our communications, making cyber-attacks that exploit email a problem that isn’t going away.

Phishing, email-delivered ransomware and other email-borne attacks keep growing, making it hard for many organisations to keep up and stay secure.

Tying back to point #1, you'll need to show you have good employee training, awareness and support in place. In addition, appropriate email and web filtering services strip or quarantine suspicious content before it reaches an inbox or is downloaded to a device.

Multi-Factor Authentication

An insurer will certainly look at whether you use Multi-Factor Authentication (MFA) to protect your systems and sensitive data. MFA works on the assumption that a user's password may already be known to an attacker, and requires a second 'factor' of trust beyond the username and password. Insurers increasingly ask which factors you use and where: MFA on remote access, email and privileged accounts is typically a baseline expectation, and phishing-resistant methods such as FIDO2 security keys carry more weight than SMS codes.

You have almost certainly had one or more passwords exposed already, through no fault of your own. It may come as a shock, but a quick search on Have I Been Pwned will show which publicly known breaches have included your email address, and there are likely many more that have never been found or surfaced.


SIEM and MDR

Rapid response is everything in cyber security. If you can show your insurance provider that you combine Security Information and Event Management (SIEM) with Managed Detection and Response (MDR) in a coordinated service, that is evidence you can gain real-time insight into security events and remediate them as they arise.

Taking this approach shows you're committed to identifying and dealing with threats before they become operations-disrupting events, which reduces your risk exposure.


Patching

Patching is the unsung hero of cyber security. With billions of dollars and millions of hours being spent finding ways to exploit your vulnerabilities, the volume and sophistication of cyber attacks keep climbing.

Flashy tools and security products exist for almost every conceivable risk, but one of the best ways to protect yourself, and to prove to an insurer that you have your house in order, is to show that you patch your systems regularly and systematically: defined timeframes for critical fixes, coverage of operating systems and applications alike, and a record of what was applied and when.

Monitoring and Alerts

An insurer will be interested in whether you have tools in place to monitor network and system activity, and how you use them to identify and deal with unusual behaviour. Well-tuned monitoring and alerting lets normal behaviour on your systems pass quietly while flagging the unusual for immediate action.

Monitoring is also one of the best ways to confirm your systems are in good health overall, and it should be an integral part of your ICT network solution.
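As an added illustration of the 'ignore normal, flag unusual' principle above (this is example code, not Tecala's monitoring tooling), the following reads SSH authentication log lines and raises an alert only when failures from one source cluster inside a short window, and a higher-severity alert when that same source then logs in successfully. The log lines are constructed for the example, in OpenSSH's sshd message format; the threshold, window and year are assumptions.

```python
"""Alerting on unusual authentication behaviour, added here as an illustration of
the 'ignore normal, flag unusual' approach; it is not Tecala's monitoring tooling.
The log lines are constructed for this example in OpenSSH's sshd format."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 09:12:01 web1 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51122 ssh2
Mar  3 09:12:10 web1 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Mar  3 09:12:12 web1 sshd[2241]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Mar  3 09:12:14 web1 sshd[2242]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar  3 09:12:15 web1 sshd[2243]: Failed password for root from 203.0.113.9 port 40004 ssh2
Mar  3 09:12:17 web1 sshd[2244]: Failed password for root from 203.0.113.9 port 40005 ssh2
Mar  3 09:12:40 web1 sshd[2250]: Accepted password for root from 203.0.113.9 port 40006 ssh2
Mar  3 09:30:00 web1 sshd[2300]: Failed password for alice from 10.0.0.7 port 50211 ssh2
Mar  3 09:30:05 web1 sshd[2301]: Accepted password for alice from 10.0.0.7 port 50212 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line, year=2023):
    """Return (timestamp, result, user, ip), or None for lines we don't care about.
    syslog timestamps carry no year, so one is supplied (assumed 2023 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window_s=60):
    """Sliding-window brute-force detector over parsed log lines.

    Alerts returned:
      ('brute_force', ip, n)                  n failed logins from ip within window_s seconds
      ('success_after_brute_force', ip, user) a later success from that ip; act on this one first
    A lone typo followed by a success (alice above) is normal and stays silent."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, result, user, ip = event
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()            # expire failures that fell out of the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(recent)))
        elif ip in flagged:
            alerts.append(("success_after_brute_force", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In a SIEM the same logic is a correlation rule rather than a script, but the design point is identical: the baseline (a developer's key-based login, a user mistyping a password once) generates nothing, and the alert carries enough context (source, count, account) for the responder to act without going back to the raw logs.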

Intrusion Prevention Systems

Firewalls are an effective way to stop malicious traffic, including malware and attacker activity, before it reaches your hosts. By inspecting incoming and outgoing traffic and permitting or blocking packets according to your security rules, they establish and maintain a barrier between your internal network and the outside world. An intrusion prevention system goes a step further, inspecting the content of the traffic the firewall allows for known attack patterns and blocking it inline.

Similarly, a Cloud Access Security Broker (CASB) is now an important part of any cloud or network security strategy because it reflects the way people access applications and data in the modern workplace. By monitoring how your team accesses, uses and stores data in cloud services, you get a fuller picture of where your risks lie.

Data Management

With the recent high-profile attacks on organisations including LastPass, Medibank, Medicare and Optus, insurers are focusing on your data and how it's classified in terms of sensitivity, audience and the associated risks. Data that hasn't been classified can't be protected in proportion to its sensitivity, and is therefore more easily breached, so data classification needs to be part of your ICT network security policy.

Attorney-General Mark Dreyfus has stated that, “Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset.”

Knowing, sorting, classifying and locking away your sensitive data is one of the most cost-effective ways to reduce the risk of unauthorised access. This approach needs to extend to your data backup and recovery, as recent attacks have compromised retained customer data.

An insurer will want to see that you encrypt backup data so it stays confidential if it is accessed or stolen, that you regularly monitor and review the backup process, including test restores, to confirm it works and to fix issues promptly, and that at least one copy is kept offline or otherwise isolated so ransomware can't reach it along with the live systems. In the event of a breach, it's essential to have a disaster recovery plan that sets out the steps to take after a cyber incident, including restoring data from backups.

Whatever combination of the approaches discussed in this blog is right for your organisation, auditing, managing and reporting on them through your IT Security Governance policy and procedures ensures your insurer has the evidence it needs to assess your cyber security approach, and your risk exposure, accurately.

Remember: Tecala is here to guide you through this process.

This 10-point checklist is designed to get you to the point where you can demonstrate a 'deadlock' of high-quality protection to your insurer. With that in place, you'll be better placed to minimise your cyber insurance premiums.

If you'd like more information on this, or any other aspect of our Cyber Security Services, speak with the team at Tecala and we'll happily guide and support you through the process of putting it all in place.

