Cyber insurance in 2026: the controls insurers now demand
Cyber insurers have tightened up. The security controls you now need to get covered — and to have a claim actually paid.
Cyber insurance is getting harder to obtain — and easier to have a claim denied. Here is what insurers now expect.
A few years ago, cyber insurance was easy to buy and asked few questions. That era is over. After heavy losses, insurers have tightened sharply: they now require evidence of specific security controls before they will offer cover, and they will deny a claim if you did not actually have the controls you said you did.
The controls insurers now expect
Insurer questionnaires vary, but the same core controls appear again and again:
Multi-factor authentication: on email, remote access and admin accounts. This is non-negotiable for most insurers now.
Endpoint detection and response (EDR): modern protection on every device, not just basic antivirus.
Tested, secure backups: ideally immutable, so ransomware cannot destroy them, and proven to restore.
Patching: operating systems and software kept up to date.
Security awareness training: staff trained to recognise phishing.
Email filtering and access controls: to reduce the most common entry points.
These map closely to the Essential Eight — which is no coincidence.
The trap: saying yes when the answer is no
Here is the danger. The application asks "do you have MFA on all remote access?" and someone ticks yes to get the policy. Then a breach happens through an account without MFA — and the insurer, on investigation, denies the claim because the control was not actually in place. The questionnaire is not paperwork; it is the contract. Answering it accurately, and actually having the controls, is what makes your policy worth having.
The upside
The same controls that satisfy insurers also genuinely lower your risk and can reduce your premiums. Getting your security in order is not just about ticking the insurer's boxes — it is about not needing to claim in the first place. Strong security and good insurance reinforce each other.
How we help
We align your environment to the controls insurers ask about, complete or help you complete the security questionnaire accurately, and provide documentation proving the controls are in place — through our managed cybersecurity service. So your cover is valid and your risk is genuinely lower.
Frequently asked questions
What controls do cyber insurers require?
Commonly MFA, endpoint detection and response, tested and secure backups, patching, security awareness training, and email/access controls.
Can a cyber insurance claim be denied?
Yes — if the controls you declared on the application were not actually in place when the breach occurred. Accuracy on the questionnaire is essential.
Does good security lower my premiums?
Often, yes. The controls insurers require also reduce your risk, which can lower premiums and, more importantly, the chance of needing to claim.
Do these requirements match the Essential Eight?
Closely. Insurer requirements map well to the Essential Eight, so working to that baseline positions you well for cover.
Make sure your cover is valid
Book a free IT & Cyber Security Review and we will check your controls against what insurers expect. Call 1300 053 948.