- Cyber insurers have fundamentally changed their underwriting criteria - controls that satisfied them in 2023 no longer meet the bar in 2026.
- MFA, EDR, immutable backups, privileged access management, and a documented incident response plan are now baseline requirements, not differentiators.
- Insurers are denying claims where businesses cannot demonstrate that attested controls were operational at the time of the incident.
- Essential Eight Maturity Level 2 aligns closely with insurer requirements and provides a defensible, documented evidence base at renewal.
- Businesses that review their security posture before renewal - not after a breach - are in a significantly stronger negotiating position on premium and cover.
Cyber insurance requirements in 2026 look nothing like they did three years ago. What was once a straightforward questionnaire has become a rigorous technical assessment - and businesses that haven't kept pace with their insurer's expectations are discovering it at the worst possible time: after a breach, when they need their policy to pay.
The cyber insurance market has been through a difficult few years. Ransomware losses pushed premiums sharply higher in 2021 and 2022. Insurers responded by tightening underwriting standards, introducing sub-limits and exclusions, and demanding evidence of specific controls before issuing or renewing cover. That trajectory has continued. In 2026, insurers are asking harder questions, conducting more technical validation, and holding businesses accountable for the answers they gave at renewal.
For mid-market businesses in Australia, this creates a real and immediate risk - not just of a higher premium, but of a policy that won't pay when you need it most.
Why the Market Changed - and Why It Won't Go Back
The core problem is straightforward: cyber claims have become more frequent and more expensive at the same time. Ransomware attacks now routinely result in losses that include not just remediation and ransom costs, but regulatory fines, legal liability, business interruption, and reputational damage. Insured losses across the industry climbed consistently through the early 2020s, and insurers had no choice but to respond.
The response was not simply to raise premiums - it was to change the risk profile of the businesses they would insure. Insurers hired technical underwriters, introduced detailed security questionnaires, and began requiring independent validation of controls. A business that could previously obtain cover by ticking boxes on a form must now demonstrate, with evidence, that those controls are operational.
The attestation problem: Most cyber insurance policies require the policyholder to attest that specific security controls are in place. If those controls are absent or non-operational at the time of a claim, the insurer has grounds to deny the claim - even if the premium was paid and the policy appeared valid.
AI-powered threats have accelerated this dynamic further. The emergence of models like Claude Mythos - Anthropic's most capable AI, deployed exclusively within a closed defensive consortium after demonstrating autonomous vulnerability discovery and exploitation capabilities - has shown that the effort needed to find and exploit weaknesses is falling rapidly. Insurers are pricing for an environment where threat actors have access to tools that can find and exploit weaknesses at a scale and speed that no human attacker could match.
The 7 Controls Insurers Are Now Treating as Non-Negotiable
Based on current underwriting criteria across the major cyber insurers operating in the Australian market, the following controls are now treated as baseline requirements. Absence of any one of them will typically result in a declined application, a significant exclusion, or a materially higher premium.
1. Multi-Factor Authentication - Everywhere That Matters
MFA on email and remote access was the minimum bar two years ago. In 2026, insurers want MFA on all privileged accounts, all cloud administration consoles, all remote desktop and VPN access, and - increasingly - all user-facing SaaS applications. A business with MFA only on Microsoft 365 email, but not on its Azure admin portal, its payroll system, or its remote support tools, will not satisfy most underwriters.
2. Endpoint Detection and Response (EDR) - Not Just Antivirus
Traditional antivirus is not accepted as a substitute for EDR. Insurers require a solution that provides behavioural detection, real-time response capability, and centralised visibility across all endpoints - including servers. Microsoft Defender for Endpoint at the appropriate licensing tier, CrowdStrike, SentinelOne, and comparable solutions all satisfy this requirement. Legacy signature-based AV does not.
3. Immutable, Tested, Offsite Backups
Backups that can be encrypted by ransomware are not a recovery capability. Insurers now require backups that are immutable (cannot be modified or deleted from the production environment, even with administrative credentials), stored separately from the primary environment, and tested regularly - with documented evidence of successful restoration tests. "We have backups" without evidence of testing is no longer sufficient.
4. Privileged Access Management (PAM)
The use of shared admin credentials, standing privileged access, or uncontrolled local administrator accounts is now a red flag for underwriters. Insurers expect privileged access to be time-limited, audited, and controlled - whether through a dedicated PAM solution or through features such as Microsoft Entra Privileged Identity Management for Azure and Microsoft 365 environments.
5. Documented and Tested Incident Response Plan
A policy document sitting in a SharePoint library is not an incident response plan. Insurers are asking whether the plan has been tested - through tabletop exercises or simulations - and whether staff in relevant roles know what to do in the first 72 hours of an incident. Boards are also increasingly expected to have been briefed on the plan.
6. Patch Management - With Evidence
Unpatched systems remain one of the most common initial access vectors in ransomware incidents. Insurers now ask not just whether you have a patching programme, but how quickly critical patches are applied, and whether you have visibility across your entire environment. From Maturity Level One onwards, the Essential Eight requires patches for internet-facing services, servers and network devices to be applied within 48 hours of release where the vendor assesses the vulnerability as critical or a working exploit exists, with two weeks to a month allowed for other software depending on the asset and maturity level - a standard that aligns closely with insurer expectations.
7. Security Awareness Training - Documented and Recent
Phishing remains one of the most common entry points for attacks, and insurers know it. They expect regular, documented security awareness training for all staff - not a one-time induction video from three years ago. Phishing simulations with tracked results are increasingly requested as supporting evidence.
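The MFA and PAM controls above are the two an insurer's forensic firm will check first against what was attested, and the evidence has to show what was true on a given date. The following is an added example, not part of the original article or any Virtuelle Group tooling: a small Python check over three Microsoft Graph exports (authentication method registration details, role assignment schedule instances, and Conditional Access policies) that flags admins without a registered MFA method, permanent privileged assignments that bypass PIM, and whether an enforced (not report-only) Conditional Access policy actually requires MFA for the role. The records are constructed sample data shaped like those Graph resources; the Global Administrator role template ID is the well-known Entra value, all other IDs and UPNs are placeholders.

```python
"""Point-in-time MFA / privileged-access evidence check over Microsoft Graph exports.

Added example: the three attestations checked are
  1. every admin account has an MFA method registered,
  2. no permanent (standing) privileged role assignments outside PIM,
  3. an enabled Conditional Access policy requires MFA for the admin role.
The sample records below are constructed; replace them with real exports of the Graph
resources named in each comment to run this against a tenant.
"""
import json
from datetime import datetime, timezone

# Well-known Entra role template ID for Global Administrator (same in every tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample shaped like /reports/authenticationMethods/userRegistrationDetails
REGISTRATION_DETAILS = [
    {"id": "u1", "userPrincipalName": "cfo@example.com", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"id": "u2", "userPrincipalName": "ga-break-glass@example.com", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"id": "u3", "userPrincipalName": "it-admin@example.com", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["fido2SecurityKey"]},
]

# Constructed sample shaped like /roleManagement/directory/roleAssignmentScheduleInstances.
# assignmentType "Assigned" with no endDateTime is a permanent (standing) assignment;
# "Activated" is a time-bound PIM activation.
ROLE_ASSIGNMENT_INSTANCES = [
    {"principalId": "u2", "roleDefinitionId": GLOBAL_ADMIN,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "u3", "roleDefinitionId": GLOBAL_ADMIN,
     "assignmentType": "Activated", "endDateTime": "2026-03-02T11:00:00Z"},
]

# Constructed sample shaped like /identity/conditionalAccess/policies.
# The MFA policy exists but is in report-only mode, which is the classic attestation gap.
CA_POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN], "includeUsers": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"], "authenticationStrength": None}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeRoles": [], "includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["block"], "authenticationStrength": None}},
]


def admins_without_mfa(details):
    """Admin accounts with no registered MFA method."""
    return sorted(d["userPrincipalName"] for d in details
                  if d["isAdmin"] and not d["isMfaRegistered"])


def standing_privileged_assignments(instances, roles):
    """Principals holding any of the given roles permanently, i.e. not time-limited via PIM."""
    return sorted(i["principalId"] for i in instances
                  if i["roleDefinitionId"] in roles
                  and i["assignmentType"] == "Assigned"
                  and i["endDateTime"] is None)


def policy_requires_mfa(policy, role):
    """True only if an enforced policy requires MFA (or an authentication strength) for the
    role across all cloud apps. Report-only and disabled policies deliberately count as
    nothing, because that is how an underwriter's technical validation will treat them."""
    if policy["state"] != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    requires_mfa = ("mfa" in (grant.get("builtInControls") or [])
                    or grant.get("authenticationStrength") is not None)
    users = policy["conditions"]["users"]
    covers_role = (role in users.get("includeRoles", [])
                   or "All" in users.get("includeUsers", []))
    all_apps = "All" in policy["conditions"]["applications"].get("includeApplications", [])
    return requires_mfa and covers_role and all_apps


def evidence_report(details, instances, policies, role=GLOBAL_ADMIN, now=None):
    """Assemble findings into a timestamped record for the renewal evidence file."""
    now = now or datetime.now(timezone.utc)
    enforcing = [p["displayName"] for p in policies if policy_requires_mfa(p, role)]
    return {
        "collectedAt": now.isoformat(),
        "adminsWithoutMfa": admins_without_mfa(details),
        "standingPrivilegedPrincipals": standing_privileged_assignments(instances, {role}),
        "mfaEnforcedForRole": bool(enforcing),
        "enforcingPolicies": enforcing,
    }


if __name__ == "__main__":
    report = evidence_report(REGISTRATION_DETAILS, ROLE_ASSIGNMENT_INSTANCES, CA_POLICIES)
    print(json.dumps(report, indent=2))
```

On the sample data the report lists the break-glass account as an admin without MFA, a standing Global Administrator assignment, and no enforcing MFA policy, because the only MFA policy is report-only. Break-glass accounts are normally excluded from Conditional Access on purpose; the point is that the exclusion must be documented and the account monitored, not silently omitted from the evidence. Keep the dated JSON output with each renewal so the state of the controls on a given day can be shown later.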
A policy that doesn't pay is worse than no policy - because it gives you false confidence while you carry the risk yourself.
- Robert Kirtley, Cyber Security Director · Virtuelle Group
What the Application Process Now Looks Like
Cyber insurance applications have become substantially more detailed. Where the questionnaire once ran to a single page, it now commonly spans 10 to 20 pages, with specific questions about each of the controls above, your incident history, your revenue by geography, your use of third-party suppliers, and your data classification practices.
For larger organisations or higher coverage limits, insurers are increasingly engaging third-party security firms to conduct technical validation - reviewing firewall configurations, Active Directory hygiene, patch status, and backup architecture independently of what the applicant has attested. This is not a box-ticking exercise. Discrepancies between attested controls and actual configurations have been used to void policies and deny claims.
The AI factor in underwriting: Several major insurers have begun incorporating threat intelligence about AI-powered attack tools into their underwriting models. Businesses in sectors that are attractive targets for AI-assisted attacks - financial services, healthcare, legal, and government supply chain - are facing additional scrutiny around their detection capabilities.
How Essential Eight Maturity Level 2 Aligns With Insurer Requirements
The Australian Signals Directorate's Essential Eight framework maps closely to what cyber insurers now require. Organisations that have achieved and documented Essential Eight Maturity Level 2 will satisfy the majority of underwriter criteria - and will have the evidence to prove it.
The practical value of pursuing Essential Eight compliance is not just the security outcome - it is the documented evidence trail. At renewal, a business that can present an independent ML2 assessment report is in a fundamentally different position to one that can only point to internal IT records.
What Happens When a Claim Is Made
A cyber insurance claim triggers an immediate investigation. Insurers engage forensic firms to determine the root cause of the incident, the attack vector, and the timeline. They review logs, endpoint telemetry, access records, and backup systems. They also go back to the renewal questionnaire and compare what was attested with what the forensic evidence shows was actually in place.
Where discrepancies exist - and in our experience they often do - insurers have multiple options. They can deny the claim on the basis of material misrepresentation. They can apply policy exclusions for controls that were attested but not operational. Or they can offer a reduced settlement. None of these outcomes are theoretical. They are happening to Australian businesses right now.
The incident response plan gap: One of the most common claim complications we see is the absence of a tested incident response plan. When a business cannot demonstrate that staff knew what to do in the first 72 hours - or that the board had been briefed on the plan - insurers treat this as a failure of due diligence. It does not automatically void a claim, but it creates negotiating room for the insurer to reduce the settlement.
How to Prepare Before Your Next Renewal
The most effective time to address a gap in your cyber insurance posture is before renewal - not after an incident. The following steps represent a practical preparation programme for businesses approaching their next renewal date.
- Pull your current policy and read the security attestation requirements - not just the coverage schedule
- Conduct an honest gap analysis against the 7 controls listed above - involve your IT team or MSSP, not just management
- Prioritise MFA and EDR first - these are the two controls most commonly cited in claim denials
- Test your backups - run a documented restoration exercise and keep the evidence
- Review and update your incident response plan - then run a tabletop exercise with your senior leadership team
- Obtain an independent Essential Eight assessment - the report is your evidence base at renewal
- Brief your board on your cyber risk posture before renewal - insurers are beginning to ask whether this has occurred
Who This Assessment Is For
The businesses most at risk from tightening cyber insurance requirements are those in the mid-market - typically 50 to 500 employees - who have grown their technology environment over time without a corresponding investment in security governance. They have cyber insurance because their contracts or board requires it. But they have not necessarily validated that their controls match what they attested at renewal.
This profile is common across financial services, legal, healthcare, professional services, and government supply chain - exactly the sectors that have been most targeted by ransomware and business email compromise over the past three years.
Organisations that have already deployed Microsoft 365 are often better positioned than they realise. The Microsoft Defender stack - Defender for Endpoint, Defender for Identity, and Defender for Office 365 - combined with Microsoft Purview for data governance and information protection, provides the foundational controls that insurers are looking for, at a licensing tier many businesses already hold. The gap is typically not the tooling. It is the configuration, the governance, and the documentation.
Our position: If you have Microsoft 365 Business Premium or Microsoft 365 E3/E5, you have the tools to meet most cyber insurer requirements. What most businesses are missing is the configuration, the evidence trail, and the governance documentation. That is exactly what our security practice addresses.