Cyber insurance used to be simple. Answer a few questions, pay the premium, and you were covered. That era is over — and Perth businesses finding out the hard way at claim time are facing the consequences.
In 2026, cyber insurers across Australia have fundamentally changed how they assess risk. Where previously a small business could obtain meaningful cyber liability coverage with minimal technical scrutiny, today's policies come with detailed technical questionnaires, mandatory security controls, and explicit policy exclusions for businesses that can't demonstrate a basic security posture. The underwriting process now looks more like an IT audit than a paperwork exercise.
For Perth SMBs, this creates a real and practical problem. Businesses that haven't kept their IT environments current — no multi-factor authentication, no endpoint detection, unpatched systems, backups that haven't been tested — are being declined, having claims disputed, or discovering their policy doesn't cover the attack that just hit them. This guide explains exactly what insurers are checking, what controls you need in place, and how to make sure your IT environment is actually insurable before your next renewal.
The Australian Cyber Security Centre's 2024–25 Annual Cyber Threat Report recorded a 23% increase in cybercrime reports from small businesses. At the same time, insurers have tightened underwriting standards significantly — meaning more attacks are hitting Perth businesses precisely as insurers are making it harder to qualify for and collect on coverage. Getting your IT controls right isn't just good security practice. It's now a prerequisite for having insurance that will actually pay out.
How Cyber Insurance Underwriting Has Changed
Five years ago, a typical Australian cyber insurance application asked about revenue, number of employees, and whether you stored customer data. The technical controls section was brief and largely unverified. Premiums were relatively low and coverage was broad.
The ransomware wave that ran through 2021–2023 changed the economics of cyber insurance permanently. Insurers paid out claims at a scale that forced a complete rethink of how policies are written and underwritten. The result is a fundamentally different product for 2026:
- Longer, more technical questionnaires: Applications now routinely ask about specific controls — MFA coverage percentages, EDR deployment, backup frequency and testing, patch cadence, privileged access management, email filtering standards (DMARC/DKIM/SPF), and incident response plans. Some insurers use automated scanning tools to verify technical claims against your actual internet-facing infrastructure before issuing a quote.
- Coverage exclusions for missing controls: Policies now include specific exclusions for breaches that occur because a required control was absent. A ransomware attack via an unpatched vulnerability on software you disclosed as patched? Covered. A ransomware attack via an unpatched vulnerability on software you didn't disclose or that was end-of-life? Potentially excluded entirely.
- Mid-term policy cancellations: Insurers have begun cancelling policies mid-term when renewals or external scans reveal controls declared at inception are no longer in place. If you answered "yes" to MFA coverage at renewal but subsequently remove it, you may lose coverage without a refund.
- Claim dispute on disclosure grounds: The most painful outcome for Perth businesses — a claim is made after a breach, the insurer reviews the application, and determines that the business misrepresented its security posture. The claim is denied on material non-disclosure grounds, even if the misrepresentation was accidental.
The practical implication for Perth businesses is straightforward: you can't answer cyber insurance questions honestly and accurately unless your IT environment actually has the controls those questions ask about. That's where a managed IT services provider becomes genuinely valuable — not just to implement the controls, but to document and report on them in a way that satisfies insurer scrutiny.
The Mandatory Controls: What Insurers Require in 2026
The following controls have reached the point where the majority of Australian cyber insurers treat them as mandatory — either as a condition of coverage or as explicit policy requirements whose absence creates coverage gaps. If your Perth business cannot confirm each of these, you have work to do before your next renewal.
Emerging Requirements: What Insurers Are Beginning to Ask
Beyond the mandatory baseline above, the following controls have moved from "nice to have" to "standard question on application" for many insurers. Businesses applying for higher coverage limits or in higher-risk industries (healthcare, legal, financial services) are most likely to encounter these as near-requirements.
What Your IT Security Posture Means for Your Policy
Here's how a typical Perth SMB's cyber insurance situation plays out depending on which controls are in place at renewal time.
| Security Posture | Coverage Likely? | Premium Impact | Claim Risk |
|---|---|---|---|
| MFA ✓ | EDR ✓ | Tested Backup ✓ | Patching ✓ | No EoL software ✓ | ✓ Clean | Standard or reduced | Low |
| MFA ✓ | No EDR | Backup untested | Patching inconsistent | △ Conditional | Elevated; possible exclusions | Medium |
| No MFA | Legacy AV only | Backup not verified | EoL software present | ✕ Likely declined | Uninsurable or exclusion-heavy | Very High |
| Controls present but undocumented — "we have it but can't prove it" | △ At Risk | Policy issued but claim vulnerable | High at claim |
Many Perth businesses have implemented some security controls informally — MFA was turned on at some point, backups run automatically in the background, patches apply when Windows reminds you. The problem isn't that the controls don't exist. It's that there's no documentation proving they were operating at the time of an incident. Without evidence of patch compliance, backup testing logs, and MFA coverage reports, insurers have grounds to dispute claims even for businesses with reasonable security hygiene. This is precisely why a managed IT provider that generates monthly reporting is valuable — the documentation is the product, not just the controls.
Real Perth Business Scenarios
The following scenarios are illustrative of situations Managed ICT Solutions encounters when Perth businesses approach us ahead of renewals or after incidents.
Microsoft 365 in use across the team. MFA had been enabled on some accounts but not enforced — four staff members, including a director, had never set it up. No EDR deployed (Windows Defender default, unmanaged). Backup running to an on-site NAS — never tested, same network segment as workstations. Broker flagged the renewal application and insurer requested evidence of MFA coverage. Managed ICT Solutions engaged: Conditional Access policies enforced across all 15 accounts, SentinelOne EDR deployed, backup migrated to cloud with monthly restore test. Renewal processed at a modest premium increase rather than cancellation. Documentation pack provided to broker for insurer.
Ransomware attack via a phishing email. Business had a cyber policy. Insurer investigation found: no MFA on Microsoft 365 (the compromise vector), Windows Server 2016 in production with patches three months behind, backup appliance encrypted by the ransomware because it was on the same network segment. Insurer paid a reduced settlement citing inadequate security controls as partial non-disclosure. Business covered approximately 40% of actual recovery costs out of pocket. This is the scenario that a proactive cybersecurity assessment from Managed ICT Solutions would have identified and remediated before it became a claim dispute.
Best Practice clinical software, Microsoft 365 for email and administration. Managed ICT Solutions manages the full environment: MFA enforced via Conditional Access, Microsoft Defender for Endpoint deployed on all workstations and laptops, cloud backup with weekly restore testing and monthly report, DMARC/DKIM/SPF fully configured, server patched within 14 days of critical releases, incident response plan documented. Cyber insurance renewal: straightforward, no additional questionnaire follow-up. Premium flat year-on-year despite broader market increases. The practice manager receives monthly reporting that answers any insurer question directly.
CAD workstations running Windows 10 (approaching EoL), a Windows Server 2019 file server, and Microsoft 365 for communication. MFA on Microsoft 365 in place. EDR not deployed — legacy AV only. Backup to external hard drives rotated weekly by staff, never tested. No DMARC on company domain. Contacted Managed ICT Solutions three months before renewal: EDR deployed (four weeks), DMARC configured (one week), backup migrated to cloud with first restore test completed, Windows 10 workstation upgrade plan documented for insurer. Renewal processed with clean application. Windows 10 EoL upgrade scheduled for the following quarter.
Your Pre-Renewal IT Checklist: 12 Questions to Answer
Before your next cyber insurance renewal, work through these twelve questions. If you can't answer "yes" with evidence to each, you have a gap that needs to be addressed — ideally before the insurer asks about it.
Is MFA enforced on 100% of Microsoft 365 / Google Workspace accounts?
Not "available" or "most users have it" — enforced via Conditional Access or equivalent, with no exceptions for senior staff. Can you produce a report showing MFA coverage?
Is MFA enforced on all VPN and remote desktop (RDP/RDS) access?
Remote access is the highest-risk attack surface and the one insurers scrutinise most. RDP exposed to the internet without MFA is a near-automatic underwriting flag.
Do you have EDR deployed on all company-managed endpoints?
Confirm it's EDR (behavioural), not just antivirus (signature-based). Confirm it's centrally managed with alerting, not just installed and forgotten.
When did you last successfully restore data from backup?
Not "our backup runs nightly" — when was the last time you took a file or folder from the backup and confirmed it restored correctly? This should happen at least monthly for a clean insurer answer.
Is your backup stored offsite or in cloud storage separate from your production network?
A backup on a NAS that's connected to the same network as your workstations will be encrypted in a ransomware attack. The backup must be either in the cloud or on hardware that is physically isolated from your main network.
Are critical patches applied within 30 days of release?
Can you produce a patch compliance report? Do you know your current patch status right now — what's installed, what's pending, what's overdue? This is something your IT support provider should be reporting on monthly.
Are any operating systems or server software versions past end-of-life?
Check for: Windows 7, Windows Server 2008, Windows Server 2012/2012R2 (EoL October 2023), Exchange Server 2013 (EoL April 2023). Windows Server 2016 EoL is January 2027 — start planning now.
Is DMARC configured in enforcement mode on your email domain?
DMARC at p=quarantine or p=reject prevents attackers from spoofing your domain in phishing emails. Check your domain's DNS records — if there's no DMARC TXT record, your email domain is spoofable. Our IT consulting team can configure this in under an hour.
Do admin accounts have separate credentials from standard user accounts?
Domain administrator accounts and local admin accounts should have separate, strong passwords, ideally managed through a privileged access system or at minimum a dedicated password manager. Staff shouldn't be logging into email as domain admin.
Do you have a written incident response procedure?
It doesn't need to be a 50-page document. It needs to answer: who is the first call when an incident is detected, what are the immediate containment steps, who handles external communication (staff, clients, regulators), and what's the escalation path? This also covers your Privacy Act notification obligations.
Have staff received documented security awareness training in the last 12 months?
Not just a verbal briefing — documented completion records. The training should cover phishing identification, password hygiene, handling of sensitive data, and what to do if they think they've been compromised. Microsoft 365 Business Premium includes Defender for Office 365 Attack Simulation Training that satisfies this at no additional tooling cost.
Can you produce evidence of all the above — not just assert it?
This is the question most Perth businesses struggle with. The controls might exist, but can you produce the documentation? Patch compliance reports, MFA coverage exports, backup restore test logs, EDR deployment confirmation, DMARC verification screenshots. Evidence is what makes a claim defensible. Evidence is what makes a renewal straightforward. A managed IT provider generates this as a matter of course — it's a core part of what monthly reporting from Managed ICT Solutions provides.
Higher-Risk Industries: Additional Requirements for Perth Businesses
Perth businesses in certain industries face heightened insurer scrutiny due to the sensitivity of the data they hold. If your business falls into any of the following categories, expect your renewal application to include additional technical questions and potentially require additional controls.
Healthcare and Medical Practices
Clinical software containing patient records (Best Practice, Medical Director, Cliniko) is a high-value ransomware target. Insurers ask about data encryption at rest, clinical software patching status, remote access controls for clinical staff, and backup segmentation from clinical workstations. Our IT support for Perth medical practices is specifically designed around the controls that healthcare insurers require.
Legal Firms
Law firms hold confidential client data and trust account details — both highly attractive to attackers. Insurers ask about matter management software security (LEAP, Actionstep), email encryption for client communications, access controls for trust account systems, and incident response procedures that address legal professional privilege obligations. See our IT support for Perth law firms for the specific controls relevant to legal practice environments.
Financial Services and Accounting
APRA CPS 234 obligations for regulated entities, and Privacy Act requirements for accountants and financial advisors, create specific compliance requirements that insurers cross-reference against your application. Our IT support for Perth financial services businesses covers the specific control requirements for ASIC-regulated and APRA-regulated environments.
Education
Schools and registered training organisations hold student data and often run mixed networks with varying device types and user ages. Insurers look closely at student data protection, device management policies, and whether network segments containing sensitive data are properly isolated. See our IT support for Perth schools and education providers.
Why Managed IT Makes Cyber Insurance Work
The pattern we see consistently across Perth businesses is that the gap between "we think we're covered" and "we're actually insurable and claim-ready" comes down to two things: controls that are implemented and managed systematically, and documentation that proves it.
Ad-hoc IT management — whether that's an internal staff member who "does IT on the side" or a break-fix provider who shows up when things break — is structurally unable to produce either. Controls get implemented once and drift. Documentation doesn't exist. When a renewal questionnaire asks for a patch compliance report, there isn't one. When a claim investigator asks for MFA coverage evidence at the time of the breach, there's nothing to provide.
Monthly patch compliance reporting across all managed devices. MFA coverage verification and Conditional Access policy management. EDR deployment, management, and alert response. Cloud backup with monthly restore testing and a written RTO/RPO summary. DMARC, DKIM, and SPF configuration and monitoring. A documented incident response procedure appropriate to your business. And a monthly summary report that answers the key questions in your cyber insurance application with actual evidence. This is what makes your next renewal straightforward — and what makes a claim defensible if you ever need to make one.
For Perth businesses that haven't yet engaged a managed IT provider, or are on a break-fix arrangement that doesn't include proactive security management, the best time to make a change is at least two to three months before your next cyber insurance renewal. That gives enough runway to implement controls, generate the first round of compliance documentation, and give your broker a clean application to work with.
Frequently Asked Questions
What IT controls do Perth cyber insurers require in 2026?
The mandatory baseline in 2026 is: MFA on all remote access and cloud accounts, EDR (not just antivirus) on all managed devices, tested offsite backup with documented recovery procedures, patch management keeping systems current within 30 days of critical updates, no end-of-life operating systems in production, and email authentication standards (DMARC, DKIM, SPF) configured. Incident response documentation, security awareness training, and privileged access management are increasingly standard requirements on applications as well.
Can my Perth business be denied cyber insurance for poor IT security?
Yes — and it is happening more frequently at renewal time. Businesses without MFA, running end-of-life software, or unable to demonstrate basic controls are being declined, offered coverage with significant exclusions, or quoted uneconomic premiums. Insurers use technical questionnaires and in some cases automated domain scanning to verify what you declare on your application.
Does MFA alone satisfy cyber insurance requirements?
MFA is a required baseline, not a complete solution. Insurers treat it as the minimum starting point. A business with MFA but no EDR, untested backups, and unpatched systems will still face scrutiny. The current standard requires a layered security posture with documentation across multiple controls.
What happens if I have a cyber incident on end-of-life software?
Your insurer may deny the claim on grounds of non-disclosure or apply a coverage exclusion for that breach vector. Most applications now ask explicitly about unsupported software. If you answer yes (honestly) and the insurer issues the policy, you have some protection — but the premium will likely be higher and exclusions may apply. If you answer no (incorrectly or because you didn't check), the non-disclosure issue arises at claim time, which is the worst possible moment to discover the problem.
How can managed IT help with cyber insurance compliance?
A managed IT provider implements the controls, manages them continuously, and — critically — generates the documentation that proves they're working. Patch compliance reports, MFA coverage statistics, backup restore test logs, EDR deployment evidence. This documentation is what converts a renewal questionnaire from a stressful guessing exercise into a straightforward reporting task, and what makes a claim defensible if you ever need to make one.
Is Your Perth Business Cyber-Insurance Ready? Let's Find Out.
Managed ICT Solutions offers a free cyber insurance readiness assessment for Perth businesses — we'll check your MFA coverage, EDR deployment, backup status, patch compliance, email authentication, and end-of-life exposure, and give you a clear gap report with recommendations before your next renewal. No obligation. No jargon.
Book a Free Readiness Assessment Call (08) 9242 4511