Australian cyber insurers in 2026 expect multi-factor authentication on all email and remote access, endpoint detection and response on every device, tested backups an attacker cannot delete, a defined patching cadence, restricted admin rights, and regular staff training. Claims are most often denied because a questionnaire said yes to a control that was not actually enforced.
The renewal questionnaire has changed character. A few years ago it was a tick-and-flick form; today it is a technical audit in disguise, and several underwriters supplement it with external scanning of your domains before they quote. Answers that used to slide through now get tested, either at underwriting or, far more painfully, after a breach when the forensic report lands on the claims assessor's desk. This guide covers what insurers ask for, why claims fail, and how to answer honestly from a Microsoft 365 tenant.
What controls do cyber insurers require?
Wording varies between insurers, but Australian renewal questionnaires in 2026 converge on the same baseline. If any item below is missing, expect a declined application, a ransomware sub-limit, a higher excess, or a loaded premium. Treat this as the checklist:
- MFA on all email accounts, including shared mailboxes and executives who asked for an exemption. Partial coverage is treated as no coverage.
- MFA on all remote access: VPN, remote desktop, remote management tools, and cloud admin consoles.
- MFA on all privileged and administrator accounts, with no legacy authentication paths that bypass it.
- Endpoint detection and response (EDR) on every workstation and server, not traditional signature antivirus and not "most" devices.
- Backups that are offline, immutable or otherwise separated from production credentials, with a documented restore test performed recently, because an untested backup does not count.
- A defined patching cadence: critical and exploited vulnerabilities remediated within a short, stated window (commonly 48 hours to two weeks, depending on severity), and no unsupported operating systems in production.
- Restricted administrative privileges: day-to-day work on standard accounts, admin rights granted to few people and reviewed regularly.
- Security awareness training for staff on a recurring schedule, often with phishing simulation.
- Email authentication (SPF, DKIM, DMARC) and filtering, plus an incident response plan, increasingly asked at higher cover levels.
Note what all of these have in common: they are verifiable. The questionnaire is no longer asking whether you believe you are secure. It is asking for facts a forensic investigator could check after a claim.
Why do cyber insurance claims get denied?
Cyber policies pay most of the time, but the denials follow a consistent pattern, and almost all of it is avoidable. The recurring causes, roughly in order of how often they bite:
- 1Misrepresented controls on the application. The business declared MFA, EDR or tested backups; the post-incident forensics showed otherwise. Because the answers formed part of the contract, insurers can reduce or refuse the claim, and in serious cases void the policy entirely. In one widely cited overseas court decision, an insurer rescinded a policy after the insured overstated its MFA coverage, and that reasoning is now standard claims practice.
- 2MFA declared but not actually enforced. This is the single most common gap: MFA was "rolled out" but legacy authentication was still open, a break-glass process was abused as a daily bypass, or a cohort of users was excluded. If the attacker walked in through an account without MFA, the declaration was false in the way that mattered.
- 3Controls that decayed after binding. The environment was compliant at application time, then a new server shipped without EDR, a backup job silently failed for months, or an exemption granted "temporarily" became permanent. Most policies require the declared controls to be maintained, not merely installed once.
- 4Late notification and off-script response. Policies impose notification windows and require insurer consent before engaging responders or paying costs. Businesses that spent a week investigating quietly, or paid a ransom without consent, have had otherwise valid claims cut down.
- 5Exclusions doing what exclusions do. Unsupported software in production, known-but-unpatched exploited vulnerabilities, and losses falling under war or infrastructure carve-outs. Less common than misrepresentation, but harder to argue with.
How does the Essential Eight map to insurer questionnaires?
Australian insurers rarely name the Essential Eight on the form, but the questionnaire is substantially the same list wearing a different hat. The ACSC's eight mitigation strategies cover patching applications and operating systems, MFA, restricting admin privileges, application control, restricting Microsoft Office macros, user application hardening, and regular backups. Line those up against the checklist above and the overlap is obvious: MFA, patch cadence, admin restriction and tested backups appear on both lists almost word for word.
That makes the Essential Eight maturity model a practical preparation tool. Maturity Level One roughly satisfies a basic SME questionnaire. Maturity Level Two, which requires controls to be enforced consistently and verified rather than merely present, is the better target because it matches how claims assessors think: not "is it deployed" but "was it working on every account and every endpoint on the day of the incident". Frontrow runs its own tenant at Essential Eight Maturity Level Two, and the honest lesson from doing so is that the gap between "we have MFA" and "MFA is enforced with no exceptions and we can prove it" is where most of the work lives.
The strategies the Essential Eight includes that insurers ask about less often, application control and macro restriction in particular, are still worth doing: they reduce the chance you ever test the policy.
What does this look like in Microsoft 365?
For the majority of Australian SMEs and mid-market businesses running Microsoft 365, every item on the questionnaire maps to a control that already exists in the licensing they hold or can add for a modest per-user amount. The mapping:
- MFA on email and cloud access: Microsoft Entra ID Conditional Access policies requiring MFA for all users and all apps, with legacy authentication blocked so nothing sidesteps the policy. Report-only mode lets you confirm coverage before enforcing.
- MFA on privileged accounts: Conditional Access targeting admin roles with phishing-resistant methods, plus Privileged Identity Management for just-in-time admin where licensing allows.
- EDR on every endpoint: Microsoft Defender for Business (included in Microsoft 365 Business Premium) or Microsoft Defender for Endpoint, deployed through Intune so a machine cannot be enrolled without it.
- Patching cadence: Intune update rings and Autopatch for Windows, with compliance policies that block non-compliant or outdated devices from accessing company data. The compliance report doubles as evidence for the questionnaire.
- Restricted admin rights: standard user accounts enforced through Intune, separate cloud-only admin accounts, and role assignments reviewed through Entra access reviews.
- Backups and staff training: Microsoft 365 retention alone is not a backup for questionnaire purposes; a separate immutable backup of Exchange, SharePoint and OneDrive is what insurers mean. Attack simulation training in Defender covers the phishing-simulation question.
What should you do before your next renewal?
Work backwards from the questionnaire. Get a copy early, answer it against evidence rather than memory, and fix the gaps before submitting rather than shading the answers. Export the Conditional Access policy report, the Defender device coverage list, the Intune compliance summary and the latest restore-test record, and file them with the application. If the environment drifts during the policy period, fix the drift or tell the broker. A business that can answer every question with a screenshot is in a strong position twice over: at underwriting, where honest strong answers earn better terms, and at claim time, where the evidence is already assembled. Frontrow prepares Microsoft 365 environments for exactly this exercise, including running the questionnaire against the tenant before the broker ever sees it.