Cyber insurance renewal in 2026 is harder than it was three years ago. Premiums are higher, questionnaires are longer, exclusions are tighter, and underwriters are saying “no” more often. For a Melbourne SME that’s coming up to renewal, the difference between a smooth renewal and a painful one usually comes down to what was done in the 90 days before the renewal — not the policy work itself.
This post is the practical checklist we run for clients in the lead-up to a cyber insurance renewal. The questions on the questionnaire change year to year; the underlying expectations are stable.
What’s changed in cyber insurance 2024-2026
Three shifts have shaped the current renewal environment:
1. Higher minimum security expectations. Three years ago, “we have antivirus and a firewall” was acceptable. Now, MFA on every account, EDR with managed response, application allowlisting, immutable backups, and an incident response plan are baseline. Without these, you’re either uninsurable or paying a 30-50% premium loading.
2. More specific questions about controls. “Do you have MFA?” used to be yes/no. Now it’s “MFA on what specifically — email, VPN, admin accounts, all internet-facing services? What method — app, hardware token, SMS? What’s your fallback if a user loses their device?”
3. Documented exclusions are the rule. Most policies now exclude losses from incidents the insurer judges “preventable” if proper controls weren’t in place. Translation: if you said you had MFA on the questionnaire and you actually don’t, your claim is denied.
The questions you’ll be asked (with what good answers look like)
Q1: Do you require MFA for all remote access and email?
Good answer: “Yes, MFA is enforced via Conditional Access on M365 for every user including admins, with break-glass accounts using FIDO2 hardware tokens. Quarterly access reviews confirm MFA enrolment.” Our MFA implementation guide covers the rollout sequence.
Q2: What endpoint protection do you run?
Good answer: “Managed EDR on every device, with 24/7 SOC monitoring and automated containment. Average detection-to-containment under 30 minutes.” Without managed response, EDR is half a control. Insurers can tell.
Q3: Describe your patching cadence.
Good answer: “Critical patches within 48 hours, high within 14 days, monthly cadence for the rest. Patch reports reviewed monthly with documented exceptions.” Vague answers (“we patch regularly”) read as “we don’t actually have a process”.
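The "documented exceptions" part of that answer is what separates a process from a claim. One way to produce that evidence is to run the patch inventory against the stated SLA and let the script list every breach and every exception. The example below is added here and is not code from the original post; the patch records, host names and exception reference are constructed, and the 30-day window used for "monthly cadence" is an assumption.

```python
"""Check a patch inventory against the SLA quoted in the questionnaire answer:
critical within 48 hours, high within 14 days, everything else on the monthly cycle.
Added example with constructed data; not the post's own tooling."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# SLA windows from the stated answer. The 30-day window for the "monthly cadence"
# bucket is an assumption; adjust to the cycle you actually run.
SLA = {
    "critical": timedelta(hours=48),
    "high": timedelta(days=14),
    "medium": timedelta(days=30),
    "low": timedelta(days=30),
}


@dataclass
class PatchRecord:
    host: str
    patch_id: str
    severity: str
    released: datetime
    installed: Optional[datetime]  # None means not yet installed
    exception: str = ""            # reference to a documented exception, if any


def classify(rec: PatchRecord, now: datetime) -> str:
    """Classify one record as met / breached / excepted / open."""
    deadline = rec.released + SLA[rec.severity.lower()]
    if rec.exception:
        return "excepted"  # approved exceptions are reported, not counted as breaches
    if rec.installed is not None:
        return "met" if rec.installed <= deadline else "breached"
    return "open" if now <= deadline else "breached"


def evaluate(records, now):
    """Return (summary counts, compliance rate in %, list of breaches).

    The rate is met / (met + breached): open items and documented exceptions are
    excluded, so the figure matches what an underwriter would expect to see."""
    summary = {"met": 0, "breached": 0, "excepted": 0, "open": 0}
    breaches = []
    for rec in records:
        status = classify(rec, now)
        summary[status] += 1
        if status == "breached":
            deadline = rec.released + SLA[rec.severity.lower()]
            when = rec.installed if rec.installed is not None else now
            breaches.append((rec.host, rec.patch_id, rec.severity, when - deadline))
    assessed = summary["met"] + summary["breached"]
    rate = 100.0 * summary["met"] / assessed if assessed else 100.0
    return summary, round(rate, 1), breaches


# Constructed sample inventory (hosts, patch ids and the exception reference are invented).
AS_OF = datetime(2026, 3, 1, 9, 0)
SAMPLE_RECORDS = [
    PatchRecord("PC-01", "PATCH-A", "critical", datetime(2026, 2, 20, 9), datetime(2026, 2, 21, 8)),
    PatchRecord("PC-02", "PATCH-A", "critical", datetime(2026, 2, 20, 9), datetime(2026, 2, 23, 10)),
    PatchRecord("SRV-01", "PATCH-B", "high", datetime(2026, 2, 10), datetime(2026, 2, 20)),
    PatchRecord("SRV-02", "PATCH-B", "high", datetime(2026, 2, 10), None),
    PatchRecord("MFG-01", "PATCH-B", "high", datetime(2026, 2, 10), None,
                exception="EXC-07 network-isolated line system, see Q9"),
    PatchRecord("PC-03", "PATCH-C", "medium", datetime(2026, 2, 1), datetime(2026, 2, 25)),
    PatchRecord("PC-04", "PATCH-C", "medium", datetime(2026, 2, 20), None),
]

if __name__ == "__main__":
    summary, rate, breaches = evaluate(SAMPLE_RECORDS, AS_OF)
    print(f"as of {AS_OF:%Y-%m-%d}: {summary}, compliance {rate}%")
    for host, patch, sev, overdue in breaches:
        print(f"  BREACH {host} {patch} ({sev}) overdue by {overdue}")
```

Run monthly against an export from your patch management tool and keep the output with the exception register; the pair is exactly the "patch reports reviewed monthly with documented exceptions" evidence the answer promises.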
Q4: What backup architecture do you use?
Good answer: “3-2-1-1-0 architecture: three copies, two media, one off-site, one immutable, automated verification with monthly test restores. M365 backed up via [vendor] with 90-day point-in-time restore. Recovery exercises run quarterly.” If you don’t have immutable backups in 2026, the questionnaire will flag it.
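Each digit in 3-2-1-1-0 is a testable condition, so the answer can be backed by a check rather than an assertion. The following is an added example, not code from the original post: it scores a list of backup copies against the five conditions and reports every shortfall. The two inventories are constructed, and it assumes that "three copies" means production plus at least two backups and that a test restore older than 31 days no longer counts as current.

```python
"""Score a backup inventory against 3-2-1-1-0: three copies, two media types,
one off-site, one immutable, zero errors on a recent verified restore.
Added example with constructed inventories; not the post's own tooling."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class BackupCopy:
    name: str
    media: str                         # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool
    last_restore_test: Optional[date]  # None = never test-restored
    last_test_errors: int = 0          # errors reported by the last verification run


def assess_3_2_1_1_0(backups, as_of, production_media="disk", max_test_age_days=31):
    """Return a list of findings; an empty list means all five conditions hold.

    Assumptions: production counts as one of the three copies, and a copy whose
    last successful test restore is older than max_test_age_days fails the '0'."""
    findings = []

    copies = 1 + len(backups)
    if copies < 3:
        findings.append(f"3: only {copies} copies (production + {len(backups)} backups)")

    media = {production_media} | {b.media for b in backups}
    if len(media) < 2:
        findings.append("2: every copy is on the same media type")

    if not any(b.offsite for b in backups):
        findings.append("1: no off-site copy")

    if not any(b.immutable for b in backups):
        findings.append("1: no immutable copy")

    for b in backups:
        if b.last_restore_test is None:
            findings.append(f"0: {b.name} has never been test-restored")
            continue
        age = (as_of - b.last_restore_test).days
        if age > max_test_age_days:
            findings.append(f"0: {b.name} last test restore was {age} days ago")
        elif b.last_test_errors:
            findings.append(f"0: {b.name} last verification reported {b.last_test_errors} errors")

    return findings


# Constructed inventories (copy names are invented).
AS_OF = date(2026, 3, 1)

GOOD_INVENTORY = [
    BackupCopy("local-appliance", "disk", offsite=False, immutable=False,
               last_restore_test=date(2026, 2, 20)),
    BackupCopy("cloud-object-lock", "object-storage", offsite=True, immutable=True,
               last_restore_test=date(2026, 2, 14)),
]

WEAK_INVENTORY = [
    BackupCopy("usb-drive", "disk", offsite=False, immutable=False, last_restore_test=None),
    BackupCopy("nas", "disk", offsite=False, immutable=False,
               last_restore_test=date(2026, 1, 10)),
]

if __name__ == "__main__":
    for label, inv in (("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY)):
        findings = assess_3_2_1_1_0(inv, AS_OF)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

The weak inventory is the common SME shape (two local disk copies, nothing off-site or immutable, no recent test restore), and it fails four of the five conditions; the output doubles as the remediation list for the Day 75 step in the checklist below.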
Q5: Do you have a written incident response plan and have you tested it?
Good answer: “Yes, written IR plan covering containment, eradication, recovery and lessons-learned phases. Named decision-makers across business hours and after-hours. Tabletop exercise every six months, last conducted [date].”
Q6: How often do staff complete cyber security training?
Good answer: “Annual mandatory training plus monthly simulated phishing exercises. Click-rate trending shows X% in current quarter, down from Y% in [date].”
Q7: What controls do you have around privileged access?
Good answer: “Standing local admin removed from all end users. Privileged access via dedicated admin accounts, MFA-enforced, used only for admin tasks. Privileged session logging enabled. Quarterly privileged access reviews.” See restricting admin privileges for the operational detail.
Q8: Application control — do you have it?
Good answer: “Yes, application allowlisting deployed across all endpoints in enforce mode. Approved application list reviewed monthly.” This is one of the harder ones to answer well without specialist tooling. Application control covers what’s involved.
Q9: Do you have any unsupported operating systems or applications in production?
Good answer: “No production Windows 7 or earlier. Two specialised manufacturing systems on Windows Server 2012 R2 with extended support contracts and network isolation; replacement scheduled for [date].” Honesty here matters — lying loses your claim later.
Q10: Have you experienced a security incident in the past 24 months?
Good answer: factual, with details of containment, lessons learned, and improvements implemented. Insurers value learning more than a clean record.
The 90-day renewal preparation checklist
Working backward from the renewal date:
- Day 90 — start. Pull the questionnaire from last year. Identify any answers that have changed (better or worse). Identify any new questions. Confirm what evidence you have for each answer.
- Day 75 — gap remediation begins. If you’ve identified gaps (we’ve never run an MFA audit, we don’t have application control, we’ve never tested backup), start the remediation projects. Most are 4-6 weeks of work.
- Day 60 — evidence pack assembly. Configuration screenshots. Patch reports. Backup verification logs. Training completion records. The evidence pack goes to the broker with the questionnaire.
- Day 45 — broker conversation. Walk the broker through your security improvements year-on-year. They’ll often ask the underwriter for a re-rate based on improved posture.
- Day 30 — questionnaire submitted. Submit early. Insurers are increasingly underwriting close to renewal date with limited room to negotiate. Earlier submission means more room to address pushback.
- Day 14 — quote review. Compare quotes. Push back on exclusions that don’t match your controls. The broker should be doing this; if they’re not, change broker.
- Day 0 — renewal complete. Document what worked and what didn’t for next year’s preparation.
The broker question
Brokers vary in cyber-insurance fluency. The good ones know what each underwriter values, can predict which questions will trip up a renewal, and will push back on exclusions. The not-so-good ones submit your questionnaire and email you the quotes when they arrive. The premium difference between a good and not-so-good broker is often $5,000-$15,000 per year on a typical Melbourne SME policy.
If your broker can’t tell you, off the top of their head, which insurers currently have an appetite for Australian SME risk in your industry, that’s a sign you should shop around.
What the controls actually cost
If you’re filling out the questionnaire and finding gaps, here’s what closing each gap typically costs for a Melbourne SME of 50 staff:
- MFA across all internet-facing services: usually free (M365 Business Premium and above) plus the engineering hours to roll out — call it $2,000-$5,000 one-time
- Managed EDR/MDR: $35-$80 per user per month ongoing
- Application allowlisting: $30-$60 per device per month ongoing, plus $5,000-$15,000 one-time for the deployment project
- 3-2-1-1-0 compliant backup (the architecture described under Q4 above): $8,000-$25,000 per year
- Incident response plan and tabletop exercise: $4,000-$8,000 one-time, then annual refresh at $1,500-$3,000
- Annual training program with simulated phishing: $30-$80 per user per year
The savings on the insurance premium (and the avoided incident cost) typically pay back the cost of the controls within 12-24 months for a Melbourne SME.
Reference points
For Australian-wide cyber insurance context, our cyber insurance for Australian SMEs guide is the broader piece. Specific underwriter requirements are covered in cyber insurance requirements Australia. For the Essential Eight side that underpins most insurer questionnaires, see Essential Eight compliance. The managed-security operations layer is in managed security.
What to do next
If your renewal is within the next 90 days, start the gap analysis this week. We’ll review your last questionnaire and the controls you currently have in writing, identify the gaps, and price the remediation in a fixed-fee scope.
Request a renewal-readiness review — turnaround is 5 business days, fee is fixed regardless of how big the gaps turn out to be.
