Frontrow Technology
← All insights & guides
Guide

Cyber Security

What Australian cyber insurers actually require in 2026 (and why claims get denied)

The controls Australian cyber insurers expect at renewal in 2026 (MFA everywhere, EDR, tested backups, patching, restricted admin rights), why claims get denied, and how the questionnaire maps to the Essential Eight and Microsoft 365.

Sam Williams · 11 July 2026 · 7 min read

Australian cyber insurers in 2026 expect multi-factor authentication on all email and remote access, endpoint detection and response on every device, tested backups an attacker cannot delete, a defined patching cadence, restricted admin rights, and regular staff training. Claims are most often denied because a questionnaire said yes to a control that was not actually enforced.

The renewal questionnaire has changed character. A few years ago it was a tick-and-flick form; today it is a technical audit in disguise, and several underwriters supplement it with external scanning of your domains before they quote. Answers that used to slide through now get tested, either at underwriting or, far more painfully, after a breach when the forensic report lands on the claims assessor's desk. This guide covers what insurers ask for, why claims fail, and how to answer honestly from a Microsoft 365 tenant.

What controls do cyber insurers require?

Wording varies between insurers, but Australian renewal questionnaires in 2026 converge on the same baseline. If any item below is missing, expect a declined application, a ransomware sub-limit, a higher excess, or a loaded premium. Treat this as the checklist:

  • MFA on all email accounts, including shared mailboxes and executives who asked for an exemption. Partial coverage is treated as no coverage.
  • MFA on all remote access: VPN, remote desktop, remote management tools, and cloud admin consoles.
  • MFA on all privileged and administrator accounts, with no legacy authentication paths that bypass it.
  • Endpoint detection and response (EDR) on every workstation and server, not traditional signature antivirus and not "most" devices.
  • Backups that are offline, immutable or otherwise separated from production credentials, with a documented restore test performed recently, because an untested backup does not count.
  • A defined patching cadence: critical and exploited vulnerabilities remediated within a short, stated window (commonly 48 hours to two weeks, depending on severity), and no unsupported operating systems in production.
  • Restricted administrative privileges: day-to-day work on standard accounts, admin rights granted to few people and reviewed regularly.
  • Security awareness training for staff on a recurring schedule, often with phishing simulation.
  • Email authentication (SPF, DKIM, DMARC) and filtering, plus an incident response plan, increasingly asked at higher cover levels.

Note what all of these have in common: they are verifiable. The questionnaire is no longer asking whether you believe you are secure. It is asking for facts a forensic investigator could check after a claim.

Why do cyber insurance claims get denied?

Cyber policies pay most of the time, but the denials follow a consistent pattern, and almost all of it is avoidable. The recurring causes, roughly in order of how often they bite:

  1. 1Misrepresented controls on the application. The business declared MFA, EDR or tested backups; the post-incident forensics showed otherwise. Because the answers formed part of the contract, insurers can reduce or refuse the claim, and in serious cases void the policy entirely. In one widely cited overseas court decision, an insurer rescinded a policy after the insured overstated its MFA coverage, and that reasoning is now standard claims practice.
  2. 2MFA declared but not actually enforced. This is the single most common gap: MFA was "rolled out" but legacy authentication was still open, a break-glass process was abused as a daily bypass, or a cohort of users was excluded. If the attacker walked in through an account without MFA, the declaration was false in the way that mattered.
  3. 3Controls that decayed after binding. The environment was compliant at application time, then a new server shipped without EDR, a backup job silently failed for months, or an exemption granted "temporarily" became permanent. Most policies require the declared controls to be maintained, not merely installed once.
  4. 4Late notification and off-script response. Policies impose notification windows and require insurer consent before engaging responders or paying costs. Businesses that spent a week investigating quietly, or paid a ransom without consent, have had otherwise valid claims cut down.
  5. 5Exclusions doing what exclusions do. Unsupported software in production, known-but-unpatched exploited vulnerabilities, and losses falling under war or infrastructure carve-outs. Less common than misrepresentation, but harder to argue with.

How does the Essential Eight map to insurer questionnaires?

Australian insurers rarely name the Essential Eight on the form, but the questionnaire is substantially the same list wearing a different hat. The ACSC's eight mitigation strategies cover patching applications and operating systems, MFA, restricting admin privileges, application control, restricting Microsoft Office macros, user application hardening, and regular backups. Line those up against the checklist above and the overlap is obvious: MFA, patch cadence, admin restriction and tested backups appear on both lists almost word for word.

That makes the Essential Eight maturity model a practical preparation tool. Maturity Level One roughly satisfies a basic SME questionnaire. Maturity Level Two, which requires controls to be enforced consistently and verified rather than merely present, is the better target because it matches how claims assessors think: not "is it deployed" but "was it working on every account and every endpoint on the day of the incident". Frontrow runs its own tenant at Essential Eight Maturity Level Two, and the honest lesson from doing so is that the gap between "we have MFA" and "MFA is enforced with no exceptions and we can prove it" is where most of the work lives.

The strategies the Essential Eight includes that insurers ask about less often, application control and macro restriction in particular, are still worth doing: they reduce the chance you ever test the policy.

What does this look like in Microsoft 365?

For the majority of Australian SMEs and mid-market businesses running Microsoft 365, every item on the questionnaire maps to a control that already exists in the licensing they hold or can add for a modest per-user amount. The mapping:

  • MFA on email and cloud access: Microsoft Entra ID Conditional Access policies requiring MFA for all users and all apps, with legacy authentication blocked so nothing sidesteps the policy. Report-only mode lets you confirm coverage before enforcing.
  • MFA on privileged accounts: Conditional Access targeting admin roles with phishing-resistant methods, plus Privileged Identity Management for just-in-time admin where licensing allows.
  • EDR on every endpoint: Microsoft Defender for Business (included in Microsoft 365 Business Premium) or Microsoft Defender for Endpoint, deployed through Intune so a machine cannot be enrolled without it.
  • Patching cadence: Intune update rings and Autopatch for Windows, with compliance policies that block non-compliant or outdated devices from accessing company data. The compliance report doubles as evidence for the questionnaire.
  • Restricted admin rights: standard user accounts enforced through Intune, separate cloud-only admin accounts, and role assignments reviewed through Entra access reviews.
  • Backups and staff training: Microsoft 365 retention alone is not a backup for questionnaire purposes; a separate immutable backup of Exchange, SharePoint and OneDrive is what insurers mean. Attack simulation training in Defender covers the phishing-simulation question.

What should you do before your next renewal?

Work backwards from the questionnaire. Get a copy early, answer it against evidence rather than memory, and fix the gaps before submitting rather than shading the answers. Export the Conditional Access policy report, the Defender device coverage list, the Intune compliance summary and the latest restore-test record, and file them with the application. If the environment drifts during the policy period, fix the drift or tell the broker. A business that can answer every question with a screenshot is in a strong position twice over: at underwriting, where honest strong answers earn better terms, and at claim time, where the evidence is already assembled. Frontrow prepares Microsoft 365 environments for exactly this exercise, including running the questionnaire against the tenant before the broker ever sees it.

Common questions

Frequently asked

Do Australian cyber insurers really check the answers on the questionnaire?
Increasingly, yes. Several underwriters run external scans of your domains and public-facing services before quoting, and every insurer checks after a claim, because the forensic investigation reveals exactly which controls were in place on the day of the incident. Assume every answer will eventually be verified.
Can an insurer refuse a claim if MFA was mostly rolled out but one account was missed?
It depends on materiality and on how the question was answered, but if the attacker entered through an account without MFA after the business declared full coverage, the insurer has strong grounds to reduce or deny the claim. Partial deployment answered as a plain "yes" is the classic denial scenario, so answer with precision and close the gaps first.
Is Essential Eight Maturity Level Two mandatory for cyber insurance in Australia?
No insurer mandates the Essential Eight by name for typical SME cover, and there is no legislated requirement. In practice the questionnaire asks for much of Maturity Level One or Two anyway, so targeting Level Two is the most efficient way to be able to answer honestly, and it may support better terms.
Does Microsoft 365 Business Premium cover most insurer requirements?
It covers the biggest ones: Entra ID Conditional Access for MFA, Defender for Business for EDR, and Intune for patching, compliance and admin restriction. You still need a separate immutable backup of Microsoft 365 data, a tested restore process, staff training and an incident response plan, since licensing alone satisfies nothing until the controls are configured and enforced.
What evidence should a business keep with its cyber insurance application?
Dated exports that prove each declared control: the Conditional Access policy list and sign-in logs showing MFA enforcement, the Defender device inventory showing EDR coverage, Intune compliance and update reports, the most recent backup restore test, and training completion records. Store them with the application so the position at binding is documented.

Want Frontrow to run this with your team?

A 30-minute call with a senior consultant. No deck. Frontrow walks through your tenant, your priorities and the next sensible move.