
Cyber Insurance Australia: What Insurers Ask in 2026

25 May 2026 | By CIO Tech

If you have renewed a cyber insurance policy recently, you already know the conversation has changed. Premiums are up. Questionnaires are longer. And insurers are no longer satisfied with a vague “yes, we have antivirus.”

Australian underwriters are now asking pointed questions about specific security controls. If you cannot answer them clearly, you will either pay more for your policy or struggle to get cover at all.

This is not about fear. It is about preparation. The questions insurers ask map directly to practical controls you should have in place anyway. Here is what they are asking, what answers they want, and how to get there.

Why Cyber Insurance Questionnaires Have Changed

Two years ago, most cyber insurance applications were a page long. Tick a few boxes, sign it, done.

That changed because insurers were paying out too many claims. Ransomware attacks on Australian businesses cost insurers heavily, and the response was predictable: tighter underwriting.

Today, Australian cyber insurers want evidence that you have real controls in place. Not just that you bought a product, but that it is configured, monitored, and tested. The Australian Cyber Security Centre (ACSC) Essential Eight, a set of eight security strategies recommended by the Australian Government, has become the unofficial benchmark many insurers reference.

The Six Questions Insurers Are Asking

While every insurer’s questionnaire is slightly different, these six areas come up consistently across Australian cyber insurance applications in 2026.

1. Do you enforce multi-factor authentication?

Multi-factor authentication (MFA) means requiring a second verification step, such as a code on your phone, when someone logs in. Insurers want to know that MFA is enforced on all user accounts, especially for email, remote access, and admin accounts.

The answer they want: MFA is enforced across all accounts with no exceptions. Admin accounts have phishing-resistant MFA.

Essential Eight alignment: This maps directly to the “Restrict Administrative Privileges” and general access control strategies in the Essential Eight.

2. Do you test your backups?

Having backups is not enough. Insurers want to know that you test them: that you have actually restored data from a backup and confirmed it works.

The answer they want: We follow a 3-2-1 backup strategy (three copies of data, on two different media types, with one stored offsite or offline). Backups are tested regularly and restoration has been verified.

Essential Eight alignment: This maps to the “Daily Backups” strategy. The 3-2-1 approach with tested restores is what insurers consider the minimum standard.
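To turn the 3-2-1 answer above into something you can check rather than assert, here is an added Python example (not CIO Tech's tooling) that evaluates an inventory of backup copies against the three-copies / two-media / one-offsite rule and flags any copy whose restore has never been tested or was last tested too long ago. The copy names, media types and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class BackupCopy:
    name: str
    media: str                          # e.g. "disk", "tape", "object-storage"
    location: str                       # "onsite", "offsite" or "offline"
    last_restore_test: Optional[date]   # None = a restore has never been tried

def check_321(copies: List[BackupCopy], today: date, max_test_age_days: int = 90) -> List[str]:
    """Return a list of findings; an empty list means the set satisfies the
    3-2-1 rule and every copy has a recent, verified restore."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies of the data (need 3)")
    media_types = {c.media for c in copies}
    if len(media_types) < 2:
        findings.append(f"only {len(media_types)} media type(s) (need 2)")
    if not any(c.location in ("offsite", "offline") for c in copies):
        findings.append("no copy is stored offsite or offline")
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: restore never tested")
        else:
            age = (today - c.last_restore_test).days
            if age > max_test_age_days:
                findings.append(f"{c.name}: last restore test was {age} days ago")
    return findings

# Constructed sample inventory (not from any real environment).
TODAY = date(2026, 5, 25)
SAMPLE_COPIES = [
    BackupCopy("nightly-disk", "disk", "onsite", date(2026, 5, 1)),
    BackupCopy("weekly-tape", "tape", "offline", date(2025, 11, 1)),   # stale restore test
    BackupCopy("cloud-replica", "object-storage", "offsite", None),    # never restored
]

def demo() -> List[str]:
    return check_321(SAMPLE_COPIES, TODAY)

if __name__ == "__main__":
    for line in demo() or ["3-2-1 with verified restores: OK"]:
        print(line)
```

The sample set has enough copies, media and an offline copy, so the only findings are the two restore-testing gaps, which is exactly the part of the answer insurers probe.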

3. How quickly do you patch?

Patching means applying security updates to your software and operating systems. Insurers want to know your patching cadence: how often you apply updates and how quickly you respond to critical vulnerabilities.

The answer they want: Critical patches are applied within 48 hours. All other patches are applied within two weeks. We have a managed patching schedule, not an ad-hoc process.

Essential Eight alignment: This maps to “Patch Applications” and “Patch Operating Systems,” two of the eight controls.
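The 48-hour / two-week cadence only counts as "managed" if you can measure it. The following added Python example (not part of this article or CIO Tech's stack) scores a list of patch records against those two deadlines, treating a patch that is still outstanding past its deadline as a breach just like one applied late. Hostnames, timestamps and the advisory ids are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Deadlines from the questionnaire answer: critical within 48 hours, all others within two weeks.
CRITICAL_SLA = timedelta(hours=48)
DEFAULT_SLA = timedelta(days=14)

@dataclass
class PatchRecord:
    host: str
    advisory: str                # vendor advisory / bulletin id (placeholders below)
    severity: str                # "critical", "important", "moderate", ...
    released: datetime
    applied: Optional[datetime]  # None = not yet applied

def sla_for(severity: str) -> timedelta:
    return CRITICAL_SLA if severity.lower() == "critical" else DEFAULT_SLA

Breach = Tuple[str, str, str, timedelta]   # host, advisory, status, time past deadline

def evaluate_patching(records: List[PatchRecord], now: datetime) -> Tuple[float, List[Breach]]:
    """Return (fraction of records inside SLA, list of breaches).
    A record breaches when it was applied after its deadline, or is still
    outstanding and the deadline has already passed at `now`."""
    breaches: List[Breach] = []
    for r in records:
        deadline = r.released + sla_for(r.severity)
        done_at = r.applied if r.applied is not None else now
        if done_at > deadline:
            status = "applied late" if r.applied is not None else "outstanding"
            breaches.append((r.host, r.advisory, status, done_at - deadline))
    if not records:
        return 1.0, breaches
    return (len(records) - len(breaches)) / len(records), breaches

# Constructed sample data; advisory ids are placeholders, not real bulletins.
NOW = datetime(2026, 5, 25, 12, 0)
SAMPLE_RECORDS = [
    PatchRecord("srv-01", "ADV-PLACEHOLDER-1", "critical", datetime(2026, 5, 20, 9), datetime(2026, 5, 21, 10)),
    PatchRecord("ws-12", "ADV-PLACEHOLDER-2", "critical", datetime(2026, 5, 18, 9), datetime(2026, 5, 21, 9)),
    PatchRecord("srv-02", "ADV-PLACEHOLDER-3", "important", datetime(2026, 5, 1), datetime(2026, 5, 10)),
    PatchRecord("ws-03", "ADV-PLACEHOLDER-4", "moderate", datetime(2026, 5, 1), None),
]

def demo() -> Tuple[float, List[Breach]]:
    return evaluate_patching(SAMPLE_RECORDS, NOW)

if __name__ == "__main__":
    rate, late = demo()
    print(f"within SLA: {rate:.0%}")
    for host, adv, status, by in late:
        print(f"  {host} {adv}: {status}, {by} past deadline")
```

Feeding this the export from your patch management tool gives the number an underwriter is really asking for: what share of patches actually met the cadence you claim.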

4. Do you have endpoint detection and response?

Endpoint detection and response (EDR) is software that monitors every device on your network for suspicious behaviour and can isolate a threat before it spreads. It is a step beyond traditional antivirus.

The answer they want: EDR is deployed on all endpoints (laptops, desktops, servers) and is monitored by a security team, not just installed and left.

Essential Eight alignment: While EDR is not one of the eight controls specifically, it supports multiple strategies including application control and restricting admin privileges. Most insurers now treat it as a baseline requirement.

5. Do you have an incident response plan?

An incident response plan is a documented process for what happens when something goes wrong: who does what, who gets called, and how you contain the damage.

The answer they want: We have a written incident response plan. Key staff know their roles. The plan has been reviewed in the last 12 months.

Essential Eight alignment: This sits alongside the Essential Eight as an operational control. Insurers want to see that you have thought through the “what if” before it happens.

6. How do you manage admin access?

Admin accounts have the highest level of access to your systems. If a cybercriminal compromises an admin account, they can do far more damage than with a standard user account.

The answer they want: Admin accounts are separate from daily-use accounts. Admin access is limited to the people who genuinely need it. Admin accounts have MFA enforced and are regularly reviewed.

Essential Eight alignment: This maps directly to “Restrict Administrative Privileges,” one of the most important controls in the Essential Eight.

How to Prepare for Your Next Renewal

The practical approach is to treat your insurance questionnaire as a checklist. If you can answer every question confidently and truthfully, you are in a strong position, both for your premium and for your actual security.

If you cannot answer some of these questions today, that is not a crisis. It is a gap you can close.

Start with an IT Audit. It gives you a clear picture of where you stand on each of these controls, what needs to change, and what it takes to get there. No guesswork, no assumptions, just a factual assessment of your current setup against the controls insurers are asking about.

From there, a managed IT provider can implement and maintain the controls so you are not scrambling before each renewal. CIO Tech’s Security Stack covers MFA enforcement, EDR, patching, backup testing, and admin access controls as standard. Our compliance assessments map your environment against the Essential Eight so you know exactly where you sit.

The Bottom Line

Cyber insurance is not optional for most Australian businesses anymore. But getting cover, and keeping premiums reasonable, now depends on having real controls in place.

The good news is that the controls insurers want are the same controls that actually reduce your risk. This is not compliance theatre. It is practical security that protects your business whether you ever make a claim or not.
