
Cyber Insurance Requirements – What IT Controls Do Insurers Actually Want?

By Adrian Weir | Published 25 February 2026 | Updated 23 April 2026

Cyber insurance requirements now affect core IT decisions across access control, backups, endpoint security, patching, and incident response. Insurers want proof that these controls are working in practice, not just described in a policy or renewal form.

For Sydney businesses, that means the strongest applications usually come from organisations that can show MFA enforcement, tested backups, controlled admin access, and a repeatable security process. For many of them, that distinction matters more than the policy premium: if your application says one thing and your systems show another, you may face higher premiums, weaker terms, or a disputed claim after an incident. This article explains what insurers commonly ask for, where applications fall over, what stronger applicants do differently, and what to tighten before renewal.

Why Cyber Insurance Requirements Have Tightened

The cyber insurance market changed sharply between 2020 and 2023. Ransomware claims surged. Many affected businesses had weak controls in place, and insurers were left paying large claims. In response, premiums rose, coverage tightened, and underwriters started asking far more detailed questions about the technical controls behind each application.

Today, meaningful cyber insurance usually depends on being able to demonstrate specific controls, not just a general commitment to cyber security. Insurers use questionnaires, interviews, and external scanning tools to verify what businesses say. If your form says MFA is enforced across remote access, but a legacy system still allows access without it, that mismatch can become a serious problem during a claim.

What Insurers Usually Want to See

Most insurers are looking for the same core controls. The exact wording changes between providers, but the pattern is consistent.

  • Multi-factor authentication (MFA). Usually required for email, remote access, and privileged accounts.
  • Endpoint detection and response (EDR). Insurers now expect more than basic antivirus.
  • Email security. Filtering, anti-spoofing, and link scanning all matter.
  • Patch management. Security updates need to be applied systematically and quickly.
  • Backup and recovery. Backups must be separated, tested, and usable after a ransomware event.
  • Privileged access management. Admin access should be controlled, separate, and logged.
  • Security awareness training. Staff need regular guidance on phishing and suspicious activity.
  • Incident response planning. Insurers want to know who responds, who decides, and how systems are isolated.

Why These Controls Matter to Insurers

Insurers are not asking for these controls in order to be difficult. They are asking because these are the controls that most often reduce claim frequency and claim size.

MFA lowers the chance that a stolen password turns into a full account compromise. EDR improves the odds of catching an attack before it spreads. Email security reduces the number of phishing attacks that reach users. Patching closes known vulnerabilities before attackers exploit them. Backups give businesses a way to recover without paying a ransom.

When a business lacks several of these controls, insurers see a higher likelihood of a successful attack and a more expensive recovery. That is why weak controls often lead to higher premiums, more exclusions, or a refusal to insure at all.

What Stronger Applicants Do Better

Businesses that attract better cyber insurance terms usually go beyond the bare minimum. They can show that controls are not only deployed, but actively managed.

  • Application control or whitelisting. Prevents unauthorised software from running.
  • DNS filtering. Blocks access to known malicious destinations.
  • Password management. Helps enforce strong, unique credentials across systems.
  • Network segmentation. Limits the spread of an attack across the environment.
  • Vulnerability scanning. Finds weaknesses before attackers do.

These controls do not guarantee lower premiums in every case, but they often strengthen your risk profile and improve the insurer’s confidence in your environment.

The Insurance Questionnaire Problem

Most cyber insurance questionnaires are harder than they look. They are often completed by business owners, managers, or finance staff who do not have direct visibility into the technical detail behind each answer.

Questions about whether EDR is deployed across all endpoints, whether DMARC is in enforcement mode, or whether backups are isolated cannot be answered accurately by guessing. If the answers are wrong, even by accident, the risk shows up when a claim is made, not when the form is submitted.

That is why it makes sense to complete these questionnaires with your IT provider. A good provider can confirm what is actually in place, gather evidence, and identify any gaps before the insurer does.
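The DMARC question above is one a provider can verify directly from DNS rather than guess at. The following is an added example, not Milnsbridge code: it classifies a domain's DMARC TXT record as enforced, monitor-only, partially enforced, invalid or missing, which is the evidence an insurer is really asking for. The domain names and records are constructed; looking up the real `_dmarc.<domain>` TXT record is left to the reader's resolver.

```python
# Added example: grade a DMARC TXT record for "enforcement mode".
# The records below are constructed samples, not real domains.
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(record: Optional[str]) -> str:
    """Return 'missing', 'invalid', 'monitor', 'partial' or 'enforced'."""
    if not record:
        return "missing"
    tags = parse_dmarc(record)
    # RFC 7489 requires v=DMARC1 and a p= policy; anything else is not DMARC.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"          # reporting only; spoofed mail still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"
    pct = tags.get("pct", "100")  # pct below 100 applies the policy to a sample
    if not pct.isdigit() or int(pct) < 100:
        return "partial"
    # sp= governs subdomains; sp=none leaves them unprotected even with p=reject.
    if tags.get("sp", policy).lower() == "none":
        return "partial"
    return "enforced"


# Constructed sample records, one per outcome.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "sampled.example": "v=DMARC1; p=quarantine; pct=25",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "absent.example": None,
}


def audit(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each domain to its DMARC status, ready to attach as questionnaire evidence."""
    return {domain: dmarc_status(record) for domain, record in records.items()}
```

Only "enforced" supports a yes answer to "is DMARC in enforcement mode"; "monitor" and "partial" are the cases that most often turn into a dispute later.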

What Happens When the Application Does Not Match Reality

This is the part most businesses underestimate. A policy obtained on the basis of overstated controls may not respond the way you expect when a claim is lodged. Insurers investigate what happened, what controls were in place at the time, and whether the application was materially accurate.

Imagine a business that states MFA is enforced on all remote access. On paper, that sounds compliant. In practice, one old VPN or shared remote desktop session without MFA may be enough to create a dispute if that access path was used in an incident.

The lesson is not simply to answer cautiously. The lesson is to make sure the controls are genuinely in place before you answer at all. In that sense, the questionnaire is useful. It exposes security gaps that can carry both operational risk and financial consequences.

How Milnsbridge Helps Sydney Businesses Meet Insurer Requirements

Most of the controls cyber insurers ask for are already part of a well-run managed IT environment. The Milnsbridge Growth plan at $99 per seat per month includes SentinelOne EDR on managed endpoints, cloud-hosted email security, 24/7 monitoring, structured patch management, cyber awareness training, DNS filtering through DNSFilter, and password management through Keeper.

For businesses that need to go further, we also support Duo MFA enforcement across user accounts and remote access, ThreatLocker application control, cloud backup, disaster recovery, and Essential Eight uplift work for organisations aiming at stronger formal maturity.

We also help with the insurance process itself. That includes reviewing questionnaires against your actual control state, identifying gaps before submission, and providing supporting documentation where insurers ask for evidence.

Adrian Weir founded Milnsbridge in 2002 after three decades in senior IT roles at Telstra, Citibank, and Unilever. Our 4.9-star Google rating across 99 reviews reflects more than two decades of consistent delivery to Sydney businesses. We work with organisations from 10 to 200 seats on straightforward 12-month agreements.

If you are renewing cyber insurance, have been declined coverage, or want to see how your current IT environment measures up, contact Milnsbridge. You can also review our per-seat pricing, explore our managed IT services, or see how our cyber security services help businesses meet cyber insurance requirements.

About the Author

Adrian Weir

Adrian Weir is the Managing Director and founder of Milnsbridge Managed IT Services, with over 30 years of global IT experience spanning Telstra, Citibank, Unilever, and hundreds of Sydney SMBs. A Microsoft Partner since 2002, Adrian leads a team of IT specialists delivering responsive, business-focused managed IT support across Greater Sydney.

