
The Essential 8 Gamble — Why WA Health Needs to Be Ahead of the Insurance Curve

29th April 2026

Every cyber-insurance renewal is quietly turning into an exam. Insurers have stopped asking what industry you're in or how much revenue you make. They ask whether MFA is on every account. Whether you patch internet-facing systems within two weeks, and within 48 hours when a working exploit is circulating. Whether you keep backups that an attacker on your network can't reach. Whether you actually restrict admin privileges, or just say you do.

They're asking the eight things the Australian Signals Directorate has been calling the Essential 8 for years. And if you're in the WA health sector, the controls are no longer optional — they're the price of being insurable.

The 40% problem

Coalition's 2024 Cyber Claims Report (a US-centred dataset, but the pattern travels) puts the claim-denial rate at around 40%. The single largest reason claims get denied isn't fraud or some exotic policy exclusion. It's misrepresented MFA. Businesses signed an application saying they had multi-factor authentication everywhere. Then a breach happened, the insurer's forensic team checked, and MFA was missing on the one account that mattered. "Everywhere" is the word that bites: the gap is rarely the CEO's mailbox, and usually a shared mailbox, a VPN or remote-support tool, a vendor's service account, or a legacy authentication path that never prompts for a second factor.

The cheque didn't come. The business absorbed the full breach cost.

Marsh Australia's 2024 market trends report puts it plainly: "Insurers are shifting their focus away from revenue and industry type, and more towards the internal controls of a business." Sector and revenue used to be the underwriting lens. Now it's controls. Specifically, the eight strategies the Essential 8 prescribes.

The regulators agree

If insurance pressure isn't enough, regulators are catching up.

The Aged Care Act 2024 came into effect on 1 November 2025. The Aged Care Quality and Safety Commission's Technology and Cyber Security Topic Guide explicitly references Essential 8 Maturity Level 1 as the compliance floor for residential aged care providers. Governing bodies must actively oversee technology and cyber risk. Providers must demonstrate E8 controls at quality audits.

The WA Government Cyber Security Policy 2024 mandates Essential 8 ML1 across all WA Government entities. That includes WA Health. It also reaches contractors: entities are expected to pass the policy's requirements down to suppliers who deliver health services on their behalf, so if a clinic is on a state-funded program, check the contract, because the controls are very likely already in scope by extension.

The Privacy and Other Legislation Amendment Act 2024 strengthened OAIC enforcement powers and introduced infringement notices of up to $66,000 per contravention for a body corporate. The same Act created a statutory tort for serious invasions of privacy, which commenced in June 2025. Health businesses are squarely in scope regardless of turnover, because the Privacy Act's small-business exemption does not apply to an organisation that provides a health service and holds health information.

Health is already the #1 target

The data caught up to clinic leadership a long time ago.

The OAIC Notifiable Data Breaches Report for the first half of 2025 puts health at 18% of all data-breach notifications: the largest single sector, and the largest sector in every six-month reporting period since the scheme launched in 2018. The most-notified industry in Australia. Year after year.

The ASD Annual Cyber Threat Report 2024–25 is bleaker still. Ransomware incidents against the health sector doubled year-on-year. And when attackers targeted health, they succeeded 95% of the time — versus 52% across all sectors.

Health has the most valuable data and the lightest defences. The only question is whether your clinic gets to Essential 8 before the next attack, or after.

What "ahead of the curve" actually buys you

Three concrete things change when you're already at ML1 before the deadline:

  1. Insurance renewal becomes simple. You answer the controls questionnaire honestly and get a real quote. Premiums in 2024 dropped 0–10% for businesses with documented controls; in 2026, S&P Global is forecasting 15–20% increases as the market hardens. Being able to say yes to the MFA question is worth real money on every renewal for the next five years.
  2. Audits stop being events. When a funder, accreditor, or regulator asks for evidence, you hand over a Board-ready ICT Risk Report and a citeable list of E8 controls. No scrambling, no last-minute remediation, no consultant rate cards.
  3. You stop carrying the worry. Heads of Corporate Services already hold most of the unpaid risk in health-clinic operations. Knowing the controls are running — and that someone else is on the hook to keep them running — is the part that doesn't show up on a P&L but makes the job sustainable.

The gamble

The phrase "we'll deal with it when we have to" used to be a defensible strategy. Cyber felt slow-moving. Insurance was generous. Regulators were polite.

Not any more. Insurers have stopped writing cheques to businesses that misrepresented their controls. The Aged Care Act has teeth. The WA Cyber Security Policy is operational. The OAIC has received more breach notifications in the last 12 months than in any year since the scheme began.

So the question is the same one any gambler has to answer: how much are you willing to lose if it goes sideways once?

Essential 8 isn't a wall against every attack. Nothing is. But it's the lowest-cost, highest-credibility set of controls Australian regulators and insurers all agree on. Getting there now — on your terms, on your timetable, with a partner — is materially cheaper than getting there under pressure.

If your clinic is heading into a funder review, an accreditation cycle, or just a CEO question you can't currently answer, book a 30-minute Essential 8 Readiness Call. We'll map your blindspots live on the call and tell you exactly where you sit against ML1 — even if you don't sign with us.

Book a meeting with Sam directly.


Sources cited:
Marsh Australia, Cyber Insurance Market Trends 2024.
Coalition Inc., 2024 Cyber Claims Report (US/global, illustrative).
Aged Care Act 2024 (Cth); ACQSC Technology and Cyber Security Topic Guide.
WA Government Cyber Security Policy 2024.
OAIC Notifiable Data Breaches Report, January to June 2025.
ASD/ACSC Annual Cyber Threat Report 2024–25.
Privacy and Other Legislation Amendment Act 2024 (Cth).
