Why this matters more than it used to

In 2020 the question on an Australian cyber-insurance renewal was whether the insured had a firewall and antivirus. In 2026 the question is whether the insured can evidence, in writing, around two dozen specific controls at the level the underwriter considers substantiated.

That change is not incremental. It is the cyber-insurance market maturing from self-certified policies with light questioning into controls-based underwriting, the same path professional indemnity took in the 1990s. Premiums rose, loadings appeared, and organisations that assumed their renewal would be a formality found that it was not.

Three things have changed in the last eighteen months that every managing partner, CFO, practice manager, and board director should know:

  1. The questionnaire is now specific. “Do you have MFA” has become “produce an export showing MFA coverage by user type, dated within the last ninety days, covering privileged and non-privileged accounts, annotated for exceptions.”

  2. “We have it” is no longer an acceptable answer to many questions. The insurer wants evidence on file — often a log, an export, or a dated screenshot. A verbal assurance from the MSP does not transfer risk.

  3. Loadings and declines are increasing even for well-run organisations: firms that have the controls but lack the evidence infrastructure to prove them.

The control set — five families

Every major Australian insurer in the SME market works from a roughly similar control set, framed around the ACSC Essential Eight, NIST CSF 2.0 and its own incident-claims data. The wording differs from insurer to insurer; the substance overlaps. The controls fall into five families.

Identity and access (six controls)

The single family insurers tighten on hardest, because compromised identity is the most common first step in claims data.

  • Multi-factor authentication on all user accounts
  • Multi-factor authentication on all privileged accounts, with a phishing-resistant factor
  • Separate privileged accounts from daily-use accounts
  • Conditional access policies that restrict access on risk signals (sign-in risk, device compliance, location)
  • Regular review of privileged role membership
  • Offboarding evidence — departed staff removed within a documented window

What insurers want as evidence: an export of account coverage, a screenshot of current conditional-access policy, a role-membership log, an offboarding checklist.

Endpoint protection (five controls)

  • Endpoint detection and response (EDR) deployed to every endpoint
  • EDR console monitored, with alerting reaching a human within a documented response time
  • Patch compliance for operating systems, within a stated target window
  • Patch compliance for applications, within a stated target window
  • Application allowlisting

Evidence: EDR console coverage export; patch-compliance report; allowlist policy.

Email and collaboration (three controls)

  • Anti-phishing controls on email
  • URL rewriting and attachment sandboxing (Safe Links / Safe Attachments or equivalent)
  • External-sharing governance on collaboration platforms (M365, Google Workspace)

Evidence: tenant security policy export; external-sharing report.

Backups and recovery (four controls)

The family most likely to break a renewal that otherwise looks solid.

  • Backups covering all in-scope systems
  • Immutability: at least one copy that cannot be modified or deleted by an attacker holding administrative credentials
  • Retention aligned to the insurer’s expectation
  • Documented successful restore-test within a specified window (typically 90 days)

Evidence: backup job coverage report; immutability attestation from the backup vendor; a dated successful restore log.

Governance, incident response, and awareness (seven controls)

  • Documented incident-response plan, owner-assigned
  • Annual incident-response exercise (who attended, what was rehearsed)
  • Third-party risk assessment for critical vendors (MSP, cloud providers)
  • Staff security awareness training, documented cadence
  • Phishing simulation programme with metrics
  • Privacy Act 1988 (Cth) compliance, including readiness for the Notifiable Data Breaches scheme
  • Cyber insurance policy in force, with its own renewal record

Evidence: IR plan document; exercise minutes; training completion register; data breach response plan.

The controls insurers are tightening on hardest in 2026

Five controls consistently draw the most scrutiny, and are the ones worth pressure-testing first:

  1. MFA evidence, not MFA posture. The insured has to produce a machine-generated export, not an IT manager’s assurance.
  2. Restore-test logs. A scheduled test alone is no longer enough; underwriters increasingly look for a dated, documented, successful restore, commonly within the last ninety days.
  3. Privileged account separation. “The office manager also has admin rights” is a common exposure that is now being specifically asked about.
  4. External-sharing governance. Rising claim frequency attributable to over-shared document collaboration has made this a focused question.
  5. Incident-response documented exercise. A plan on a shelf is no longer acceptable; the insurer asks when it was last exercised and who was in the room.
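The first item above, and item 1 of the questionnaire section earlier, describe the MFA artefact as an annotated coverage export rather than a statement that MFA is on. The script below is an added example, not code from the article or from Adeo, of turning such an export into the annotated summary an underwriter asks for: coverage by user type, privileged accounts that lack a phishing-resistant factor, accounts relying only on SMS or voice, and accounts without MFA split into those with a recorded exception and those with none. The CSV columns, the factor names, and the sample rows are all constructed assumptions; a real tenant export uses its own column and method names, and the mapping at the top is the part to adapt.

```python
"""Annotated MFA coverage summary from an identity export (added example).

Assumes a CSV export with the columns used in SAMPLE_EXPORT below. Column
names, factor names and every row of sample data are constructed for this
example and are not taken from any real tenant.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Factors that bind the credential to the origin, so a proxy phishing page
# cannot replay them. Method names here are assumptions; map your own onto them.
PHISHING_RESISTANT = {"fido2", "passkey", "windows_hello_for_business", "certificate"}
# Factors underwriters increasingly treat as weak: interceptable or SIM-swappable.
WEAK_FACTORS = {"sms", "voice"}
# How old the export may be and still count as current evidence.
MAX_EXPORT_AGE_DAYS = 90

# Constructed sample export (column names are assumptions, not a vendor format).
SAMPLE_EXPORT = """\
upn,user_type,privileged,enabled,mfa_methods,exception_note
alice@example.com,staff,no,yes,authenticator_app,
bob@example.com,staff,no,yes,sms,
carol@example.com,staff,no,yes,,
dan@example.com,admin,yes,yes,authenticator_app,
erin@example.com,admin,yes,yes,fido2;authenticator_app,
svc-scanner@example.com,service,no,yes,,legacy scanner; IP-restricted; risk accepted 2026-01-12
frank@example.com,staff,no,no,,departed 2025-11-30
"""


def parse_export(text):
    """Parse the CSV export into plain dicts; mfa_methods is ';'-separated."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "upn": row["upn"],
            "user_type": row["user_type"],
            "privileged": row["privileged"].strip().lower() == "yes",
            "enabled": row["enabled"].strip().lower() == "yes",
            "methods": {m.strip() for m in row["mfa_methods"].split(";") if m.strip()},
            "exception": row["exception_note"].strip(),
        })
    return rows


def assess(rows, export_date, today=None):
    """Build the annotated summary. Dates are ISO strings (YYYY-MM-DD)."""
    exported = date.fromisoformat(export_date)
    now = date.fromisoformat(today) if today else date.today()
    age = (now - exported).days

    coverage = defaultdict(lambda: {"total": 0, "mfa": 0})
    findings = []
    for r in rows:
        if not r["enabled"]:
            # Disabled accounts belong in offboarding evidence, not MFA coverage.
            continue
        bucket = coverage[r["user_type"]]
        bucket["total"] += 1
        if r["methods"]:
            bucket["mfa"] += 1
            if r["methods"] <= WEAK_FACTORS:
                findings.append({"upn": r["upn"], "code": "weak_factor",
                                 "detail": "relies only on " + ", ".join(sorted(r["methods"]))})
        elif r["exception"]:
            # An annotated exception is acceptable evidence; a silent gap is not.
            findings.append({"upn": r["upn"], "code": "exception", "detail": r["exception"]})
        else:
            findings.append({"upn": r["upn"], "code": "no_mfa",
                             "detail": "enabled account with no MFA method and no recorded exception"})
        if r["privileged"] and not (r["methods"] & PHISHING_RESISTANT):
            findings.append({"upn": r["upn"], "code": "privileged_not_phishing_resistant",
                             "detail": "privileged account without a phishing-resistant factor"})

    return {
        "export_date": exported.isoformat(),
        "export_age_days": age,
        "export_current": age <= MAX_EXPORT_AGE_DAYS,
        "coverage": {t: {**c, "percent": round(100.0 * c["mfa"] / c["total"], 1)}
                     for t, c in coverage.items()},
        "findings": findings,
    }


def render(summary):
    """Human-readable version of the summary for the evidence file."""
    lines = [f"MFA coverage export dated {summary['export_date']} "
             f"({summary['export_age_days']} days old; "
             f"{'current' if summary['export_current'] else 'STALE'})"]
    for user_type, c in sorted(summary["coverage"].items()):
        lines.append(f"  {user_type}: {c['mfa']}/{c['total']} ({c['percent']}%)")
    for f in summary["findings"]:
        lines.append(f"  [{f['code']}] {f['upn']}: {f['detail']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(assess(parse_export(SAMPLE_EXPORT), "2026-01-20")))
```

The point of the exception column is the annotation the questionnaire asks for: an account with no MFA and a dated, risk-accepted reason is a documented exception, while the same account with an empty note is an unexplained gap that an underwriter will read as a control failure. Privileged accounts are checked against the phishing-resistant set regardless of whether they have some MFA, because that is the distinction the second identity control draws.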

The practical test: could your organisation answer these quickly

If the underwriter called today and asked for evidence of these controls, how long would the insured take to assemble it?

  • Under five business days. Excellent. This organisation has evidence infrastructure.
  • Five to ten business days. Acceptable. Some evidence is produced on request, rather than standing, but it exists.
  • Over ten business days. A red flag. Either the evidence does not exist, or it is held entirely by the MSP and the insured cannot retrieve it without a service request.
  • Cannot answer. The renewal is exposed.

The test above shows which category your organisation is in; the time to find out is before the renewal questionnaire arrives, not after.

What to do, eight to twelve weeks before renewal

This is the window where remediation is possible without a loading.

  1. Request the control questionnaire from your broker. Ask for the version the underwriter is currently using, not last year’s.
  2. Self-assess against each control. Mark each as green, amber, or red for evidence readiness — not just control presence.
  3. For every amber and red item, identify the owner. It will be one of: your internal IT lead, your MSP, or a third-party system vendor. Name the person.
  4. For MSP-owned items, issue a written request. Ask for the evidence, not for a confirmation that the control exists.
  5. For items without evidence, produce it now, not at renewal. An MFA export, a conditional-access policy screenshot, a restore-test log.
  6. Where the control is deficient, not just the evidence, log it as a remediation item with a named date. Remediation is often a fortnight’s work once the scope is clear.
  7. Ask your broker what the underwriter is most focused on this quarter. Your broker sees many renewals before yours; the pattern is visible from their seat.

The role of an independent reviewer

A broker’s job is to place the risk; a broker does not audit the controls. An MSP’s job is to operate the systems; the MSP is not the party to certify the quality of its own work. Internally, most SMEs do not have a dedicated person whose role is to produce and defend cyber-controls evidence.

The gap an independent reviewer fills is narrow but useful: produce the evidence, map it to the insurer’s current control set, identify the gaps, and give the insured something it can confidently put in front of its broker and underwriter.

At Adeo, that is the Cyber Insurance Readiness Quick-Scan — a focused engagement, scoped in the written proposal, that produces a remediation roadmap the insured can execute against. A Baseline Audit goes wider; a Quick-Scan is the more targeted entry point at the moment of pre-renewal stress.

A board-level framing

For managing partners and board directors who ask instead whether any of this is worth their attention, the direct answer is that the cost of a cyber-insurance loading is no longer trivial. For a mid-sized Australian professional-services firm a loading is often several thousand dollars a year. A decline is materially worse: the firm may find itself uninsured at a point where it has fiduciary and statutory obligations that cannot be discharged without cover.

The questions above are not technical. They are governance questions, in a format where “the IT person is on top of it” is no longer an acceptable answer at the board table.

What this article does not cover

  • The specific questionnaires of individual insurers — those change frequently and the practical detail is for an engagement, not a public article.
  • Incident response in flight (that is a different specialty; contact a specialist IR firm).
  • Specific vendor product recommendations — Adeo does not name or recommend vendors in external content.

Further reading

  • ACSC, Essential Eight Maturity Model (cyber.gov.au)
  • NIST, Cybersecurity Framework 2.0 (nist.gov)

Adeo is an independent, vendor-neutral IT advisory for Australian SMEs. We audit, score, and oversee what a managed service provider delivers. We do not resell, and we take no commissions. Contact: contact@adeo.au · adeo.au.