Keegan Crage | Owner, TechBrain AU — ISO 27001 certified, cyber security & AI governance partner.

getty
A mid-market business owner forwards the cyber insurance renewal to their IT manager and asks how long it will take to fill out. Last year's application contained approximately 40 questions, and this year's contains a whopping 73, including 14 subquestions for the multifactor authentication (MFA) section. One of the questions in that section is whether MFA is enforced for admin logins to the backup repository.
The IT manager doesn't know, and it's not their fault. It's simply something no one thought of asking last year. That's the pace of change.
This occurred for a client of ours recently when a rather standard item in their application for cyber insurance renewal stopped asking whether a particular control existed at all and instead asked where that control was enabled. It turned out that all the MFA controls for admin access were required to be enabled for the organization's email, remote access, directory services, network, servers and the organization's backups. That one item opened up a huge chasm between what the organization thought they had and what was actually configured and in operation.
Those answers will have a lot of weight this year, as they'll essentially become the terms and conditions of the insurance policy. About one-third of the claims denied in 2025 came down to controls that were marked as present on the application but not actually in place.
Travelers v. ICS is the seminal case people refer to here: An insured company had MFA enabled on the network but not on the server that was breached. Travelers and ICS agreed to have the court rescind the policy and declare it "null and void, from its inception."
In February 2026, the Federal Court of Australia imposed an AUD 2.5 million civil penalty on a financial services company for failing to operationally deploy two well-written cyber security policies that had been sitting in SharePoint. It was the first Federal Court penalty for cyber failures under the general obligations of an Australian Financial Services Licence (AFSL) holder.
And the Australian Cyber Security Act 2024 requires ransomware payments to be reported within 72 hours, with enforcement stepping up from January 2026.
Underwriters Know What Brokers Don't
Increasingly, underwriters are relying on "outside-in scans" according to Fintech Global. The goal is to find intrusion entry points via externally facing services. These will be reviewed alongside a traditional insurance application to form a view on a client’s cyber risk profile. Vulnerability scanning tools can identify network issues (e.g., a misconfigured firewall or an unauthorized device), application issues (e.g., security flaws or an SQL injection), system issues (e.g., outdated software or missing patches) or cloud issues (e.g., incorrect identity or access controls).
What An Evidence-Backed Posture Should Look Like
Most of the mid-market companies I work with are currently working through implementing ISO 27001 or have completed the Essential Eight, which is a set of eight baseline strategies recommended by the Australian Signals Directorate (ASD) to help organizations protect against cyberthreats. Many of those controls already form part of the organization's information security management system (ISMS). ISMS is a structured set of policies, processes and procedures an organization uses to manage the security of its information in a systematic, ongoing way. There's even an ISO/IEC standard—ISO/IEC 27102—that describes how an ISMS can be used as part of the underwriting process for cyber insurance.
Where organizations get stuck is with the operational telemetry. What underwriters are looking for is audit-grade evidence of an organization's posture. One of the biggest changes between an old cyber insurance application and a 2026 version is the shift from self-attestation to verifiable evidence of the state of your systems.
An evidence-based posture isn't something you can immediately purchase. A coverage report outlining where MFA is enabled for email, remote access, directory services, the network, servers and the admin console for the organization's backup repository is a good starting point, as this is the surface that typically fails. Next is the endpoint detection and response (EDR) application's coverage report, comparing the form to the actual endpoint coverage.
This is followed by the immutability flag on the organization's backup software, ensuring that no domain admin credentials can log into the admin console for the organization's backup repository. A security information and event management (SIEM) system storing at least 90 days of logs and an incident response plan that has gone through a tabletop test within the last 12 months complete the picture.
Conclusion
When a board member asks me for guidance at renewal time, the answer is always the same: Only put forward what you can provide evidence of today, not what you believe is in place. The cost of a denied claim or a rescinded policy is huge, and it lands at the worst possible time.
The market is changing fast. Underwriters now want real-time information about your security operation, and a growing number of regulators no longer treat paper-based evidence of controls as enough. Mid-market firms would be wise to build up an evidence layer this year; they'll go into their 2027 renewal on far better terms than the ones who do nothing and find out the cost at claim time.
The questionnaire is really the controls roadmap. Treat it as one.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

1 hour ago
1













English (US)