Cyber insurance requirements now reach deep into day-to-day IT operations. Insurers increasingly expect evidence of MFA, backups, endpoint protection, patch cadence, and tested incident response before offering strong terms. Are your controls truly in place, or only written in a policy document?
Why Cyber Insurance Requirements Have Tightened
The cyber insurance market changed significantly between 2020 and 2023. A wave of ransomware claims – many targeting businesses that were not well-protected and where insurers paid out large sums – caused underwriters to reconsider what they were actually insuring. Premiums increased sharply. Coverage terms tightened. And insurers started asking much more specific questions about the technical controls businesses had in place before agreeing to offer coverage.
The result is that obtaining meaningful cyber insurance in 2026 requires demonstrating that your business has specific security controls in place – not just affirming that you “take security seriously.” Insurers have questionnaires. Some send assessors. Many use external scanning tools to verify claims independently. If your self-assessment says you have MFA enforced across all remote access but your systems show otherwise, that creates a coverage dispute you do not want to be having after an incident.
The Controls Insurers Consistently Ask About
Multi-factor authentication (MFA). This is the single most consistently required control across the cyber insurance market. Most insurers now require MFA on email (particularly Microsoft 365 and Google Workspace), remote access (VPN, RDP, remote desktop solutions), and privileged accounts. Some require MFA across all user accounts without exception. "Enforced" means enforced for every login path, not just the browser sign-in page: legacy authentication protocols such as IMAP, POP and SMTP basic auth bypass MFA entirely and need to be disabled, and an RDP or VPN endpoint that is still reachable with a password alone will show up in an insurer's external scan. Businesses without MFA enforced on at least email and remote access will find meaningful coverage either unavailable or prohibitively priced.
Endpoint detection and response (EDR). Basic antivirus is no longer sufficient to satisfy most insurers. EDR tools that actively monitor endpoint behaviour, detect suspicious activity, and can isolate compromised devices are the new baseline. Insurers may ask specifically what EDR solution is deployed, whether it covers all endpoints, and whether it is actively monitored. Consumer-grade or unmanaged antivirus will not satisfy this requirement.
Email security. Phishing remains the most common initial attack vector in business cyber incidents. Insurers want to know that inbound email is filtered for malicious content, that anti-spoofing controls (SPF, DKIM, DMARC) are configured, and that links in emails are scanned before users click them. For DMARC, "configured" is not enough on its own: a record with p=none only reports spoofing, while p=quarantine or p=reject actually blocks it, and that is the distinction questionnaires mean by "enforcement mode". A business with no email security beyond what Microsoft or Google includes by default is carrying a risk that insurers price accordingly.
Patch management. Unpatched vulnerabilities are consistently among the top causes of successful cyber incidents. Insurers ask about your patching process: how frequently are security patches applied, how long does a critical patch take to deploy after release, and do you have documented evidence of patch compliance? Ad-hoc or user-driven patching does not satisfy this requirement. Systematic, documented patch management does.
Backup and recovery. Insurers want to know that you can recover from a ransomware attack without paying the ransom, and without losing months of data. They ask about backup frequency, whether backups are stored offsite or in a separate cloud environment, whether backups are tested regularly, and what your recovery time objective is. Backups that are connected to your primary network and could be encrypted along with everything else in a ransomware event do not satisfy this requirement; the practical test is whether at least one copy is offline or immutable, so that an attacker holding domain admin credentials still cannot delete or encrypt it, and whether a full restore has actually been rehearsed rather than assumed.
Privileged access management. Admin credentials are high-value targets. Insurers ask whether privileged accounts are separate from day-to-day user accounts, whether admin access is tightly controlled and logged, and whether credentials are managed systematically rather than shared informally. A business where multiple staff share an admin password will not score well on this question.
Security awareness training. Human error remains a significant factor in most cyber incidents. Insurers ask whether staff receive regular training on recognising phishing, handling suspicious links and attachments, and reporting potential incidents. Annual awareness sessions are increasingly the minimum – ongoing, regular training is preferred.
Incident response plan. Insurers want to know that you have a documented plan for what happens when a cyber incident occurs. Who is notified? Who makes decisions? How are affected systems isolated? Who handles communications? A documented, tested incident response plan demonstrates organisational maturity and reduces the insurer’s exposure by shortening incident response time.
Controls That Attract Better Premiums
Beyond the baseline requirements, businesses with additional controls in place typically attract better terms and lower premiums:
- Application control / whitelisting – preventing unauthorised software from running, which significantly reduces ransomware exposure
- DNS filtering – blocking access to known malicious sites at the network level
- Password management – enforcing unique, strong credentials across all systems rather than relying on individual staff to manage passwords securely
- Network segmentation – limiting the blast radius of a compromise by preventing lateral movement across the entire network
- Vulnerability scanning – regular scanning of your environment to identify and address vulnerabilities before attackers find them
The Insurance Questionnaire Problem
Most cyber insurance questionnaires are not designed to be completed by business owners without IT expertise. Questions about “whether EDR is deployed and actively monitored across 100% of endpoints” or “whether DMARC is configured in enforcement mode” require someone with technical knowledge to answer accurately. Answering incorrectly – even inadvertently – can void your coverage when you need it most.
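Two of the questions quoted above can be answered from data rather than from memory. The following is an added example, not code from the article or from Milnsbridge: it checks whether a DMARC record is in enforcement mode (and whether SPF ends in a hard fail), and reconciles an endpoint inventory against the hosts an EDR console reports, so the "100% of endpoints" claim can be evidenced. The DNS records, hostnames and domains are constructed sample data; in practice you would pull the TXT records from DNS and export the inventory and agent list from your RMM and EDR consoles.

```python
"""Added example: evidence checks for two common cyber-insurance questionnaire
items. Not the article's or Milnsbridge's code. All records, domains and
hostnames below are constructed for illustration."""
from __future__ import annotations
import re


def parse_tag_value(record: str) -> dict[str, str]:
    """Parse a 'k=v; k=v' DMARC-style record into a dict with lower-cased keys."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(record: str) -> tuple[bool, str]:
    """Return (enforced, reason). 'Enforcement mode' here means: a DMARC1 record
    whose policy is quarantine or reject, applied to 100% of failing mail
    (pct defaults to 100), with no sp=none carve-out leaving subdomains open."""
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC1 record"
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy or 'missing'} is monitoring only"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return False, f"pct={pct} leaves part of failing mail unenforced"
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if sub_policy == "none":
        return False, "sp=none leaves subdomains unenforced"
    return True, f"p={policy}, sp={sub_policy}, pct={pct}"


# Mechanisms/modifiers that cost a DNS lookup; SPF allows at most 10 (RFC 7208).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(?:include|exists|redirect|ptr|mx|a)(?:[:=/]|$)", re.I)


def spf_hard_fail(record: str) -> tuple[bool, str]:
    """Return (hard_fail, reason). A record ending in -all hard-fails unauthorised
    senders; ~all (soft fail) is the common weaker setting. Records using a
    trailing redirect= are reported as 'not -all' by this simple check."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "not an SPF record"
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t))
    if lookups > 10:
        return False, f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)"
    last = terms[-1].lower()
    if last == "-all":
        return True, "hard fail (-all)"
    return False, f"terminates with {last}, not -all"


def edr_coverage(inventory: list[str], edr_agents: list[str]) -> dict:
    """Reconcile the asset inventory (every endpoint that should be protected)
    against hosts the EDR console reports. Names are normalised to lower-case
    short hostnames so 'PC01.corp.local' matches 'pc01'. Hosts with an agent
    but absent from inventory indicate the inventory itself is stale."""
    norm = lambda h: h.strip().lower().split(".")[0]
    inv = {norm(h) for h in inventory if h.strip()}
    edr = {norm(h) for h in edr_agents if h.strip()}
    missing = sorted(inv - edr)
    unknown = sorted(edr - inv)
    pct = round(100 * (len(inv) - len(missing)) / len(inv), 1) if inv else 0.0
    return {"coverage_pct": pct, "missing": missing, "not_in_inventory": unknown}


# Constructed sample data (not real domains, addresses or hosts).
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=25"
SPF_SOFT = "v=spf1 include:spf.protection.outlook.com ~all"
SPF_HARD = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"
INVENTORY = ["PC01.corp.local", "PC02.corp.local", "FS01.corp.local", "LT-SALES-03"]
EDR_AGENTS = ["pc01", "pc02", "lt-sales-03", "test-vm"]

if __name__ == "__main__":
    for label, rec in [("monitor", DMARC_MONITOR), ("enforced", DMARC_ENFORCED), ("partial", DMARC_PARTIAL)]:
        print("DMARC", label, dmarc_enforcement(rec))
    for rec in (SPF_SOFT, SPF_HARD):
        print("SPF", spf_hard_fail(rec))
    print("EDR", edr_coverage(INVENTORY, EDR_AGENTS))
```

The DMARC check deliberately treats pct below 100 and sp=none as "not enforced", because both are common ways a record that looks like p=reject still lets spoofed mail through. The coverage check reports two lists, not one number: the hosts missing an agent are the gap to close before answering "100%", and the agents on unknown hosts are a sign the inventory you are answering from is incomplete.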
Working through an insurance questionnaire with your managed IT provider is the right approach. They know what controls are in place, can provide documentation where required, and can identify gaps before you submit – rather than discovering them during a claims investigation.
What Happens If Your Controls Do Not Match Your Application
This is the scenario that matters most, and it is more common than businesses realise. A cyber insurance policy that was obtained by overstating security controls – even unintentionally – may not pay out when a claim is made. Insurers investigate the circumstances of incidents, including whether the controls described on the application were actually in place at the time of the event. If there is a material discrepancy, the insurer has grounds to deny or reduce the claim.
In practical terms: a business that ticks “MFA enforced on all remote access” on the renewal form but has not actually deployed MFA on a legacy VPN or a shared RDP session may find their ransomware claim disputed. The policy wording is specific. The application is a legal document.
This is not an argument for declining to answer questions accurately – it is an argument for making sure the controls are actually in place before you answer. The insurance questionnaire is a useful forcing function: it identifies gaps in your security posture that have real financial consequences if not addressed.
How Milnsbridge Helps Sydney Businesses Meet Insurer Requirements
Most of the controls cyber insurers require are delivered by a well-structured managed IT plan. The Milnsbridge Growth plan at $99 per seat per month includes SentinelOne EDR on all managed endpoints, cloud-hosted email security, 24/7 monitoring, systematic patch management, cyber awareness training, DNS filtering (DNSFilter), and password management (Keeper). These directly address the core requirements most insurers focus on.
Available as add-ons: Duo MFA enforcement across all user accounts and remote access, ThreatLocker application control for ransomware prevention, cloud backup ($149 per month per server, 500GB included) and disaster recovery ($229 per month per server) for demonstrable backup and recovery capability, and Essential Eight uplift assessment for businesses targeting a formal security maturity level.
We can also work with you directly on the insurance questionnaire process – reviewing questions against your actual control state, identifying gaps before submission, and providing documentation your insurer may request.
Adrian Weir founded Milnsbridge in 2002 after three decades in senior IT roles at Telstra, Citibank, and Unilever. Our 4.9-star Google rating across 99 reviews reflects more than two decades of consistent delivery to Sydney businesses. We operate on straightforward 12-month agreements with a 10-seat minimum, serving organisations from 10 to 200 seats.
If you are renewing cyber insurance, have been declined coverage, or want to understand how your current IT environment measures up against insurer requirements, contact Milnsbridge. You can also review our per-seat pricing, explore our managed IT services, or see how our cyber security services align with what insurers actually want.