Cyber Insurance Readiness Check

Insurers now ask hard questions before they'll cover you — and price on the answers. Run this free 16-question check to see how ready you are, and get a prioritised list of gaps mapped to the ACSC Essential Eight. Everything runs in your browser; nothing is sent until you choose to.


For each control, choose the answer that best matches your business today.Yes = fully in place, Partial = some coverage, No = not in place.

  1. Is MFA enforced on email and cloud accounts (Microsoft 365, Google Workspace)?

    Essential Eight — Multi-factor authenticationMFA is the first thing an insurer checks. "Partial" means some users or apps are covered but not all.

  2. Is MFA enforced on all remote access — VPN, RDP and remote-desktop tools?

    Essential Eight — Multi-factor authenticationUnprotected remote access is a top ransomware entry point. "Partial" means some paths are covered but not all.

  3. Is MFA enforced on every administrator and privileged account?

    Essential Eight — Multi-factor authenticationAdmin accounts are the highest-value target. "Partial" means some admins are covered but not all.

  4. Do you keep regular backups that are offline or immutable (out of reach of ransomware)?

    Essential Eight — Regular backupsRansomware-proof backups are what let you refuse to pay. Backups reachable from the network can be encrypted too.

  5. Have you tested a full restore from those backups in the last 12 months?

    Essential Eight — Regular backupsAn untested backup is a guess. Insurers ask specifically whether you have proven a restore works.

  6. Is modern endpoint protection or EDR deployed and monitored on all laptops, desktops and servers?

    Insurers increasingly expect managed EDR, not just consumer antivirus.

  7. Do you have email filtering / anti-phishing protection on inbound mail?

    Most claims start with a phishing email — layered filtering materially lowers risk.

  8. Have you published SPF, DKIM and DMARC records to stop your domain being spoofed?

    Anti-spoofing records stop attackers sending mail that looks like it came from you.

  9. Are operating systems and applications patched promptly (critical updates within roughly two weeks)?

    Essential Eight — Patch operating systems & applicationsInsurers ask how quickly you patch internet-facing and high-risk software.

  10. Do staff complete regular security-awareness training and simulated phishing?

    A trained team is your cheapest and most effective control against social engineering.

  11. Do you have a documented incident response plan, and has it been reviewed or rehearsed?

    Insurers want to see you can respond in the first 24 hours, not improvise.

  12. Are administrator privileges limited to those who need them, with separate admin accounts and regular reviews?

    Essential Eight — Restrict administrative privilegesOver-provisioned admin rights are a top cause of severe incidents.

  13. Do you control which applications can run (allow-listing) on servers and workstations?

    Essential Eight — Application controlApplication control stops unapproved and malicious software from executing.

  14. Is sensitive data encrypted at rest (e.g. disk encryption) and in transit?

    Encryption limits the damage and notification obligations if a device or database is lost.

  15. Are security logs collected and monitored so you would detect a compromise?

    Essential Eight — related to monitoringWithout logs you cannot prove what happened — insurers and regulators will ask.

  16. Have you been free of any cyber incidents, breaches or insurance claims in the last three years?

    Answer "No" if you have had an incident, "Partial" for a near-miss you contained.

0 of 16 answered


Use — Guide

How to use this tool

  1. Read each question carefully and choose Yes, Partial or No based on your business today — the instructions at the top explain what each option means.
  2. Work through all 16 questions; the "See my results" button unlocks once every question is answered.
  3. Press "See my results" to receive your readiness score out of 100 and a band — Insurable-ready, Some gaps to close, or High risk.
  4. Review the priority gaps list below the score — each gap names the control, explains why insurers care and tells you exactly what to do.
  5. Use the optional contact form to send your result to Peritus Digital for a fixed-scope uplift plan.

FAQ — Questions

Frequently asked questions

01Is my assessment data stored or sent anywhere?

No. The Cyber Insurance Readiness Check runs entirely in your browser — your answers are never transmitted to Peritus Digital or any third party. Only if you choose to submit the optional contact form at the end does any information leave your device.

02What is the Essential Eight and why do insurers care about it?

The Essential Eight is the Australian Cyber Security Centre's baseline mitigation framework covering patch management, multi-factor authentication, backups and five other controls. Australian cyber insurers increasingly use it as a benchmark — businesses at Maturity Level 1 or above typically qualify for broader coverage and lower premiums.

03How accurate is this readiness score?

The score gives you a directionally accurate picture of where gaps exist relative to what insurers look for. It's based on the controls underwriters most commonly assess. For a formal gap analysis with documented evidence of compliance, engage a qualified security professional — we can help with that.

04What happens if my score is low?

A low score is common and fixable. Peritus Digital can prioritise the highest-impact controls (typically MFA and tested backups) for rapid implementation, then work through the remaining gaps over a planned roadmap. Many clients reach an insurable posture within 60–90 days.