Your Cyber Insurer Is Already Asking About Essential Eight. Here's What That Means.
Australian cyber insurers are rejecting 40% of claims. Most rejections come down to missing controls that Essential Eight covers. What they're checking, what it costs you, and how to fix it before renewal.
Your cyber insurance renewal is coming up. Last year, the questionnaire was two pages. This year it's twelve. Half the questions are about things you've never heard of. Application control. Privileged access management. Phishing-resistant MFA.
You're not imagining it. The bar has moved. And if you can't answer those questions, three things happen: your premium goes up, your coverage gets restricted, or your application gets declined entirely.
Here's what's actually going on, and what you can do about it before renewal.
Why Insurers Are Asking Harder Questions
The Australian cyber insurance market reached USD 467 million in 2025 and is projected to approach USD 2 billion by 2034. That kind of growth attracts scrutiny. Insurers got burned paying out massive claims in 2020-2022 and have spent the last two years tightening underwriting.
What changed:
AI-driven underwriting. Carriers now scan your public-facing assets before they even read your application. Exposed RDP ports, missing security headers, outdated SSL certificates. They know more about your external security posture than you think.
Specific control requirements. It's no longer "do you have antivirus?" It's "do you have EDR with 24/7 monitoring and 90-day log retention?" The questions got technical because the claims data showed which controls actually prevent breaches.
Verification at claims time. Even if you get through underwriting, insurers now verify your controls when you file a claim. If your application said "MFA on all accounts" and the breach happened through an account without MFA, expect a denial.
The Insurance Council of Australia called for an overhaul of cyber policy settings in September 2025, citing AI-driven automated attacks and the expanding cybersecurity obligations for businesses.
The Controls That Make or Break Your Application
Here are the five controls that come up on almost every insurer questionnaire. Miss one and you're looking at higher premiums or restricted coverage. Miss two and you might not get coverage at all.
1. Multi-Factor Authentication
Non-negotiable. Every insurer asks about it. The question isn't whether you have MFA. It's where you have it and what kind.
Insurers want MFA on:
- All remote access (VPN, RDP, cloud portals)
- All privileged/admin accounts
- All email accounts
- Backup system consoles
The catch: basic SMS codes are increasingly insufficient. Phishing-resistant MFA (security keys, Windows Hello for Business) is what underwriters want to see. This aligns directly with Essential Eight Maturity Level 2 requirements, which were updated in November 2023 to mandate phishing-resistant MFA.
If even one critical system lacks MFA, many carriers will deny coverage outright, exclude ransomware from your policy, or reject future claims. It's the single control most likely to affect your renewal. Fix this first.
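To see what "MFA on all accounts" actually means before it goes on the form, it helps to run the insurer's scope list over an account inventory. The script below is an added example, not code from the post or from any insurer or assessment tool. It assumes an account export with flags for the four categories listed above and a free-text MFA method, and the ranking of methods (SMS and authenticator apps below security keys and Windows Hello for Business) is this example's own reading of the post. Account names and the inventory are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Relative strength of MFA methods. The ranking is assumed for this example:
# the post names security keys and Windows Hello for Business as
# phishing-resistant and SMS codes as increasingly insufficient.
MFA_STRENGTH: Dict[str, int] = {
    "none": 0,
    "sms": 1,
    "authenticator-app": 2,
    "fido2-key": 3,
    "windows-hello-for-business": 3,
}
PHISHING_RESISTANT = 3

# Account properties the post says insurers want covered by MFA,
# in the order we want gaps fixed.
SCOPE_FLAGS = ("privileged", "backup_console", "remote_access", "email")


@dataclass
class Account:
    name: str
    mfa_method: str
    privileged: bool = False
    backup_console: bool = False
    remote_access: bool = False
    email: bool = False


@dataclass
class Finding:
    account: str
    severity: str        # "NO_MFA" or "WEAK_MFA"
    method: str
    scope: List[str]     # which insurer categories the account falls into


def scope_of(acct: Account) -> List[str]:
    """Return the insurer categories this account belongs to (empty = out of scope)."""
    return [flag for flag in SCOPE_FLAGS if getattr(acct, flag)]


def audit(accounts: List[Account]) -> List[Finding]:
    """Flag in-scope accounts with no MFA or with MFA below phishing-resistant."""
    findings = []
    for acct in accounts:
        scope = scope_of(acct)
        if not scope:
            continue
        # An unrecognised method string counts as no MFA rather than silently
        # passing, so a typo in the inventory shows up as a finding.
        strength = MFA_STRENGTH.get(acct.mfa_method, 0)
        if strength == 0:
            findings.append(Finding(acct.name, "NO_MFA", acct.mfa_method, scope))
        elif strength < PHISHING_RESISTANT:
            findings.append(Finding(acct.name, "WEAK_MFA", acct.mfa_method, scope))
    # Fix order: no-MFA accounts first, privileged and backup consoles ahead of the rest.
    findings.sort(key=lambda f: (f.severity != "NO_MFA", SCOPE_FLAGS.index(f.scope[0])))
    return findings


def questionnaire_answer(accounts: List[Account]) -> dict:
    """Summarise what can truthfully be written on the insurer's form."""
    findings = audit(accounts)
    return {
        "mfa_on_all_in_scope": not any(f.severity == "NO_MFA" for f in findings),
        "phishing_resistant_everywhere": not findings,
        "accounts_without_mfa": [f.account for f in findings if f.severity == "NO_MFA"],
        "accounts_with_weak_mfa": [f.account for f in findings if f.severity == "WEAK_MFA"],
    }


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("admin-jane", "fido2-key", privileged=True, remote_access=True),
    Account("ops-mike", "none", privileged=True, remote_access=True),
    Account("svc-backup", "none", backup_console=True),
    Account("bob@example.test", "sms", email=True),
    Account("vpn-contractor", "authenticator-app", remote_access=True),
    Account("kiosk-lobby", "none"),  # out of scope: no flags set
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"{f.severity:9} {f.account:18} method={f.method:18} scope={','.join(f.scope)}")
    print(questionnaire_answer(SAMPLE_ACCOUNTS))
```

Two accounts with no MFA in scope means the honest answer to "MFA on all accounts" is no, and the sort order puts the privileged and backup-console accounts at the top of the fix list. The weak-MFA list is what separates a pass on the questionnaire from a pass at Maturity Level 2.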
2. Endpoint Detection and Response (EDR)
Traditional antivirus doesn't count anymore. Insurers want EDR with real-time threat detection, automated response, and centralised management across all devices.
The question on the form usually looks like: "Do you have endpoint detection and response deployed on all servers, workstations, and laptops? Is it centrally managed with 24/7 monitoring capability?"
Cost: $5-$15 per device per month. Deployment: 2-4 weeks for most SMEs.
3. Backups (Tested and Immutable)
Having backups isn't enough. Insurers want:
- Immutable or offline backups (can't be encrypted by ransomware)
- Regular recovery testing (not "we assume it works")
- The 3-2-1 rule: three copies, two media types, one offsite
Coalition's 2025 claims report found that 94% of ransomware attacks targeted backup systems. If your backups can be reached from the same network as your production systems, they're not backups. They're another target.
4. Patch Management
Insurers ask about patching cadence. Not "do you patch?" but "how fast?"
The Essential Eight standard:
- Critical vulnerabilities: within 48 hours
- Internet-facing applications: within two weeks
- Operating systems: within one month
If you're patching quarterly or "when we get around to it," that's a red flag on the application.
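"How fast?" is answerable from patch records, so here is an added example (not the post's or any assessor's tool) that scores a patch log against the three timeframes above. It assumes each record carries the time the fix was released and the time it was applied (or none if still open), and the category labels are this example's own. Hostnames and advisory IDs are constructed placeholders, not real bulletins.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Essential Eight patching timeframes as the post lists them. The category
# labels are this example's own; evaluate an asset under the tightest one that applies.
PATCH_SLA: Dict[str, timedelta] = {
    "critical": timedelta(hours=48),
    "internet-facing": timedelta(weeks=2),
    "operating-system": timedelta(days=30),
}


@dataclass
class PatchRecord:
    host: str
    advisory: str                 # vendor bulletin reference (placeholders below)
    category: str                 # key into PATCH_SLA
    released: datetime            # when the fix became available
    applied: Optional[datetime]   # None = not yet patched


@dataclass
class Finding:
    host: str
    advisory: str
    status: str                   # OK, LATE, OPEN, OVERDUE
    deadline: datetime
    days_past_deadline: float     # 0.0 unless LATE or OVERDUE


def sla_deadline(rec: PatchRecord) -> datetime:
    """Deadline is release time plus the timeframe for the record's category."""
    return rec.released + PATCH_SLA[rec.category]


def _days(delta: timedelta) -> float:
    return round(delta.total_seconds() / 86400, 1)


def evaluate(records: List[PatchRecord], now: datetime) -> List[Finding]:
    """Classify every record against its SLA as of `now`."""
    findings = []
    for rec in records:
        due = sla_deadline(rec)
        if rec.applied is None:
            # Still open: only a breach once the clock has passed the deadline.
            overdue = now > due
            findings.append(Finding(rec.host, rec.advisory, "OVERDUE" if overdue else "OPEN",
                                    due, _days(now - due) if overdue else 0.0))
        else:
            late = rec.applied > due
            findings.append(Finding(rec.host, rec.advisory, "LATE" if late else "OK",
                                    due, _days(rec.applied - due) if late else 0.0))
    return findings


def compliance_summary(findings: List[Finding]) -> dict:
    """The numbers an assessor or underwriter would ask for."""
    closed = [f for f in findings if f.status in ("OK", "LATE")]
    on_time = sum(1 for f in closed if f.status == "OK")
    return {
        "closed": len(closed),
        "closed_on_time": on_time,
        "on_time_pct": round(100.0 * on_time / len(closed), 1) if closed else 0.0,
        "open_within_sla": sum(1 for f in findings if f.status == "OPEN"),
        "overdue": sum(1 for f in findings if f.status == "OVERDUE"),
    }


# Constructed sample inventory; advisory IDs are placeholders, not real bulletins.
NOW = datetime(2026, 3, 10, 9, 0)
SAMPLE_RECORDS = [
    PatchRecord("web-01", "BULLETIN-A", "critical",
                datetime(2026, 3, 1, 8, 0), datetime(2026, 3, 2, 12, 0)),   # 28 h: OK
    PatchRecord("web-02", "BULLETIN-A", "critical",
                datetime(2026, 3, 1, 8, 0), datetime(2026, 3, 4, 8, 0)),    # 72 h: LATE by 1 day
    PatchRecord("vpn-gw", "BULLETIN-B", "internet-facing",
                datetime(2026, 2, 10), datetime(2026, 2, 20)),              # 10 days: OK
    PatchRecord("fs-01", "BULLETIN-C", "operating-system",
                datetime(2026, 1, 20), None),                               # due 19 Feb: OVERDUE
    PatchRecord("fs-02", "BULLETIN-C", "operating-system",
                datetime(2026, 3, 1), None),                                # due 31 Mar: OPEN
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RECORDS, NOW):
        print(f"{f.status:8} {f.host:8} {f.advisory:12} due {f.deadline:%Y-%m-%d %H:%M}"
              f"  +{f.days_past_deadline} d")
    print(compliance_summary(evaluate(SAMPLE_RECORDS, NOW)))
```

The distinction between OPEN and OVERDUE matters: an unpatched host inside its window is not a finding yet, while a host that was patched a day past the 48-hour mark is a breach even though it is now closed. Run against a real patch export, the on-time percentage is the figure to put on the form, and the LATE and OVERDUE rows are the ones to fix before renewal.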
5. Incident Response Plan
Documented. Tested. Not "we'll figure it out when something happens."
Insurers want to see:
- A written plan with named roles and contact details
- Evidence the plan has been tested (tabletop exercise, simulated incident)
- Updated at least annually
These five controls map directly to five of the Essential Eight strategies. MFA, patching applications, patching operating systems, EDR (user application hardening), and backups. Getting your Essential Eight assessment done is simultaneously getting your cyber insurance application answered.
What Happens When You Can't Answer the Questionnaire
Three outcomes, none of them good.
Scenario 1: Higher premiums. The insurer accepts you but prices in the risk. Businesses with strong security posture are seeing 5-15% premium reductions. Businesses without controls are seeing flat or rising rates while the rest of the market gets cheaper.
Scenario 2: Restricted coverage. The insurer issues a policy but excludes ransomware, limits the payout, or adds sub-limits that cap your coverage at a fraction of what you thought you were buying. Read the fine print.
Scenario 3: Declined. The insurer won't write the policy. This is increasingly common for businesses that can't demonstrate basic controls. And once one insurer declines you, others are more cautious.
The worst outcome isn't any of these. It's filing a claim and having it denied because the controls you said you had on the application weren't actually in place. The average cybercrime cost for Australian small businesses is over $80,000. A denied claim on top of a breach is the kind of thing that closes businesses.
Essential Eight Is the Answer to the Questionnaire
Here's the thing most businesses miss: the insurer's questionnaire and the Essential Eight framework are asking the same questions in different words.
Marsh Australia runs a formal "12 Key Controls Assessment" that explicitly maps to Essential Eight maturity levels and is used by underwriters to evaluate applications. Getting an Essential Eight assessment done at Maturity Level 2 simultaneously answers most of the insurer's questionnaire.
ML2 is the sweet spot. It satisfies what most cyber insurers expect without the complexity and cost of ML3 (which is designed for nation-state level threats). Only 22% of Australian federal government entities reached ML2 in 2025, so don't feel bad if you're not there yet.
The Numbers: Insurance vs Assessment
Let's put this in perspective.
Cost of Compliance vs Cost of Not Complying
| Feature | With Assessment | Without Assessment |
|---|---|---|
| Assessment cost | $6,000-$15,000 | $0 |
| Insurance premium impact | 5-15% lower | Flat or rising |
| Claim denial risk | Low (controls documented) | High (40% denial rate) |
| Average breach cost | Covered by insurance | $80,850+ out of pocket |
| Renewal outcome | Smooth, better terms | Restrictions, exclusions, or declined |
| Tax deductible | Yes (before June 30) | N/A |
A $6,000-$15,000 assessment is cheap insurance on your insurance. It makes the renewal easier, the premiums lower, and the claims defensible. And it's tax deductible this financial year if you complete it before June 30.
What the Underwriters Are Saying
The market is shifting. Three things to watch.
Emergence Insurance (Australia's specialist cyber insurer) updated its policy wording in late 2025. CEP-005.1 includes full-limit system failure cover and expanded criminal financial loss cover. They're making policies better, but they're also expecting more from applicants.
Coalition launched in Australia with AI-powered risk assessment. They scan your external attack surface before quoting. Weaknesses in your public-facing systems will show up in your quote, not just your questionnaire answers.
Cowbell entered the Australian market in 2025 backed by Zurich, targeting SMEs with their "Prime One" product. More options for SMEs is good. But every new entrant brings more sophisticated underwriting.
The trend is clear. Insurers are getting better at assessing risk. Businesses that can demonstrate their controls get better terms. Businesses that can't will pay more or get declined.
The Timeline
Your renewal date is the deadline. Work backwards from there.
Getting Ready for Cyber Insurance Renewal
If your renewal is more than 6 weeks away, you have time to do this properly. If it's less than 6 weeks, you can still get the assessment done and address the critical gaps. Even partial improvement is better than showing up with nothing.
Only 20% of Australian SMEs Have Cyber Insurance
The Insurance Council of Australia estimates that only 20% of small businesses have standalone cyber cover. The other 80% are either uninsured, relying on general business insurance that probably excludes cyber events, or don't know what their policy actually covers.
With mandatory ransomware payment reporting now in effect (since early 2026, $99,000 penalty for non-reporting), the OAIC running compliance sweeps of 60 entities, and cyber incident costs averaging over $80,000, going without coverage is an increasingly expensive gamble.
Getting the assessment done is step one. It tells you where you stand, gives you the documentation for the insurer, and creates a roadmap for fixing what's broken. Everything after that is easier.
The Innitor compliance scorecard gives you a quick read on where your gaps are. Five minutes, no email required, results stay in your browser. It covers the same controls your insurer is asking about, mapped to Essential Eight.
If your score is under 70, it's worth getting a formal assessment before your next renewal. If it's under 40, don't wait.
Robbie Cronin
Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.