Insurance brokers hold client money, financial records and personal data, and operate under an AFSL with real ASIC obligations. Good insurance broker IT support keeps your broking platform running, protects the trust account from email fraud, and gets the security controls in place that your own cyber insurer now expects.
General insurance brokers sit in an awkward spot. You are a small business by headcount but you carry the data risk of a financial institution and the payment-fraud exposure of a conveyancer. You handle premium funds in trust, you hold years of client financial and personal information, and you answer to ASIC for how the business is run. The IT underneath all of that is usually a couple of cloud platforms, Microsoft 365 and whatever the last broker set up. That gap is where the trouble starts.
What general insurance brokers actually run
Most Australian broking offices run on a dedicated broking platform rather than a generic CRM. The common ones are WinBEAT, Sunrise (and the SCTP transaction platform behind it), Insight, and the broader ebix stack that several of these sit within. These handle policy administration, quoting, the insurer transaction interface, client records, claims and the all-important trust-account and premium-funding reconciliation.
Some platforms are cloud-hosted; others still run as on-premises or hybrid installs with a database server in the office. Either way, the vendor secures the application, but you own the devices, the accounts, the network, the integrations and the backup of everything outside the platform. The recurring weak spots we find in broking offices: shared logins on reception machines, no multi-factor authentication on Microsoft 365, the broking database backed up to a USB drive that has not been tested in two years, and bank details for premium payments sitting in email threads anyone can read.
Cluster and network group requirements
Most independent brokers belong to a cluster or network group — Steadfast, AUB, Insurance Advisernet and similar. Membership is not just buying power; it increasingly comes with technology and security expectations. Network groups push standardised platforms, single sign-on into their portals, data feeds back to head office, and in some cases minimum cyber-security requirements you have to attest to. If you join or change groups, the IT migration — platform data, mailbox records, document history — needs to be planned, not improvised over a weekend. We treat that as a project with a rollback plan, because losing seven years of client correspondence mid-migration is not recoverable.
AFSL, ASIC and the obligations behind the IT
Holding an Australian Financial Services Licence (AFSL) brings general conduct obligations under the Corporations Act, and ASIC expects licensees to have adequate technological resources and risk-management systems. That is deliberately broad, but the practical reading is clear: you need systems that keep accurate records, protect client data, and let the business keep operating when something fails. ASIC’s own guidance on cyber resilience and outsourcing makes the point that you cannot contract away responsibility — if your IT or your software vendor has a problem, the obligation to your clients is still yours.
Record-keeping is the concrete part most brokers underestimate. You are expected to retain client files, advice records, policy documentation and trust-account records for years, and to be able to produce them. That makes backup and retention a compliance matter, not just an IT nicety. A broking database you cannot restore is a record-keeping failure waiting to be discovered at the worst time.
Client financial and personal data under the Privacy Act
Brokers hold a dense file on every client: names, addresses, dates of birth, financial details, claims history, sometimes health information for certain covers, and bank account details for premium payments. That is exactly the kind of personal and sensitive information the Privacy Act 1988 and the Australian Privacy Principles are built around.
If your business turns over more than $3 million you are squarely covered, and even smaller brokers are caught where they trade in personal information or provide certain services. Under the Notifiable Data Breaches scheme, a breach involving client data that is likely to cause serious harm must be assessed and reported to the Office of the Australian Information Commissioner (OAIC) and the affected clients. A compromised mailbox full of client financial records is precisely the scenario that scheme exists for — and for a broker, it is also a conversation with your AFSL obligations and your network group.
Business email compromise: the threat aimed straight at brokers
Of every risk on this page, this is the one that takes brokers down. Business email compromise (BEC) is where an attacker gets into a mailbox — usually through a phished password with no MFA — watches the email flow, and then redirects money. For a broker, the targets are obvious: premium payments from clients, refunds, and movements in and out of the trust account.
The classic version: a client emails about paying their premium, the attacker (sitting silently in your mailbox or theirs) replies with “updated” bank details, and the money lands in a mule account. By the time anyone notices, it is gone. The variant aimed at the trust account is worse, because the sums are larger and the reconciliation is monthly, so the theft can sit hidden for weeks.
The defences are unglamorous and they work:
- MFA on every mailbox, enforced, with no exceptions for the principal who finds it annoying. Most BEC starts with a password that worked because nothing else was in the way.
- Conditional access in Microsoft 365 to block sign-ins from unexpected countries and flag impossible-travel logins.
- A verbal verification rule for any change to payment details — phone the client on a known number, never the number in the email. This is policy, not technology, but it is the single most effective control.
- Email security that catches lookalike domains and external-sender warnings, plus mailbox-rule auditing so an attacker quietly forwarding your mail gets caught.
We go deeper on this in our guide to business email security, phishing and BEC. For a broker handling trust money, it is the first thing to fix.
Cyber insurance underwriting expectations — yes, for brokers too
There is a particular irony in brokers being underprepared for their own cyber-insurance application. The same underwriting questions you help clients answer now land on your desk, and they have hardened considerably. Insurers will not write a policy — or will price it punitively — without evidence of baseline controls.
The questions you can expect:
| Underwriting control | What insurers expect to see |
|---|
| Multi-factor authentication | MFA on email, remote access and admin accounts — increasingly a hard precondition |
| Backups | Regular, tested, with at least one copy isolated from the network |
| Email filtering | Advanced filtering against phishing and malicious attachments |
| Endpoint protection | Modern EDR, not just legacy antivirus |
| Patching | Operating systems and software kept current |
| Staff awareness | Phishing training and a documented incident response plan |
These map almost exactly onto the Australian Cyber Security Centre (ACSC) Essential Eight. If you implement the meaningful parts of the Essential Eight, you answer most of the underwriting questionnaire honestly and in the affirmative — which both gets you covered and lowers the premium. We cover this overlap for SMEs in our cyber insurance guide for Australian SMEs, and the controls themselves in our Essential Eight compliance work. Answering “yes” to a control you do not actually have is a fast way to have a claim declined, so it pays to make the answers true.
Document management and the renewals workflow
Broking runs on documents — schedules, certificates of currency, closings, endorsements, claims correspondence — and on a renewals cycle that never stops. The renewals workflow is where document management, email and the broking platform all have to work together, and where things fall through when the IT is loose.
A sound setup keeps client documents in the broking platform or a structured SharePoint library, not scattered across personal mailboxes and a Downloads folder. It means a broker who leaves does not take the only copy of a client’s history with them, and a renewal does not get missed because the reminder lived in one person’s inbox. If you run on Microsoft 365, getting Microsoft 365 configured properly — shared mailboxes, sensible SharePoint structure, retention policies — is what turns a pile of email into a system the next person can pick up. It also makes the record-keeping side of your AFSL obligations far easier to satisfy.
A Melbourne example
A general insurance broking firm in Hawthorn we work with — eight staff, member of a national cluster group, running WinBEAT and Microsoft 365 — came to us after a close call. A client emailed about paying a commercial property premium. What none of them knew was that the client’s mailbox had been compromised; the attacker replied from the real address with new bank details. The broker’s accounts person nearly paid it. What stopped her was an old habit of phoning to confirm anything over a few thousand dollars — and the new account did not match.
It rattled them, because the firm had no MFA on Microsoft 365, no conditional access, and a broking database backed up to a single drive plugged into the server. We rolled out MFA across every mailbox, conditional access to block overseas sign-ins, advanced email filtering with external-sender warnings, and proper monitored backups of both Microsoft 365 and the WinBEAT data with an isolated copy. We documented a payment-verification policy so the “phone to confirm” habit became a rule rather than one person’s caution. When their cyber-insurance renewal came round, they could answer the questionnaire truthfully for the first time, and the premium reflected it.
Frequently asked questions
Does the Privacy Act apply to a small insurance broker?
If you turn over more than $3 million a year, yes, directly. Smaller brokers can still be covered depending on what they do with personal information. Given the volume of client financial and personal data a broker holds, and the AFSL and ASIC obligations sitting alongside it, the sensible approach is to operate as though the Australian Privacy Principles apply regardless — the controls are the same ones your cyber insurer and network group already expect.
What is the biggest IT risk for a broking firm?
Business email compromise aimed at premium payments and the trust account. An attacker in a mailbox with no MFA can quietly redirect client money before anyone notices. MFA on every account, conditional access, and a strict phone-to-verify rule for any change of bank details are the controls that stop it.
Will better IT lower our cyber insurance premium?
Usually, yes. Insurers price on the controls you can evidence — MFA, tested backups, email filtering, endpoint protection and patching. Implementing the Essential Eight lets you answer the underwriting questionnaire honestly and in the affirmative, which improves both your ability to get covered and the price.
We’re switching cluster groups — what about the IT?
Treat it as a planned migration, not a weekend job. Platform data, mailbox records, document history and any single sign-on into the group’s portals all need to move cleanly, with a rollback position if something goes wrong. Losing years of client correspondence mid-migration is not recoverable, so it is worth doing methodically.
Getting it right without overspending
None of this is exotic. A broking firm does not need a bank’s security budget — it needs the basics done properly and kept that way: MFA on every account, conditional access, tested and isolated backups of both the broking platform and Microsoft 365, advanced email filtering, and a payment-verification rule that everyone actually follows. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma. We support professional services firms across Melbourne metro on per-user fixed monthly pricing, with same-business-day on-site when you need hands on the ground. Our IT support for professional services and cybersecurity services are built for exactly this kind of business. If your broking office is running on goodwill and no MFA, get in touch and we will tell you plainly what to fix first.
Most SME IT is unconsciously designed for the median 35 to 45-year-old user. That median user does not exist alone in the modern workplace, where four generations work alongside each other with very different expectations of technology. This is a Sunday read about designing IT that serves all your staff, not just the comfortable middle.
The four-generation reality
Walk into a typical Melbourne SME today and you will find a 22-year-old graduate, a 38-year-old manager, a 52-year-old senior operator, and a 64-year-old founder or long-tenured staff member all working in the same office. They use the same Microsoft 365 tenant, the same Wi-Fi, and the same helpdesk. They have completely different mental models of how technology is supposed to work, and most SME IT environments accidentally privilege one of those mental models over the others.
Since founding TechAssist in 2014, we have onboarded hundreds of SMEs and watched the generational mix shift through every one of them. The pattern in 2026 looks like this:
| Generation | Birth years | 2026 age range | Typical share of SME workforce |
|---|
| Gen Z | 1997-2012 | 14-29 | 20-30% |
| Millennial | 1981-1996 | 30-45 | 40-50% |
| Gen X | 1965-1980 | 46-61 | 20-30% |
| Boomer | 1946-1964 | 62-80 | 5-15% |
For a 60-staff Brunswick design agency we manage, the split is roughly 28% Gen Z, 52% Millennial, 16% Gen X, and 4% Boomer (the founder and one long-tenured operations director). For a 90-staff manufacturing business in Bayswater, the same split is 8% Gen Z, 31% Millennial, 44% Gen X, and 17% Boomer. Same Microsoft 365 tenant, completely different IT delivery requirements.
What each generation actually expects
These are generalisations, and individuals vary wildly within every group. They are still useful generalisations because the average matters when you are designing a helpdesk channel mix or a default permission set.
Gen Z
Gen Z grew up with iPads, Discord, TikTok, and friction-free consumer tech. Their reference point for ‘good software’ is whatever app they used last on their phone. Their expectations:
- Chat-first communication; phone calls feel intrusive
- Self-service everything; if there is a form, they will not fill it in
- Search-driven discovery rather than menu navigation
- Zero tolerance for slow interfaces or multi-step authentication friction
- Limited muscle memory for keyboard shortcuts or file system organisation
- Strong assumption that anything they need will be Googleable or YouTube-able
What this means in practice: Gen Z staff bounce off old-fashioned ticket portals, do not read documentation, and will quietly use a personal Notion or a personal ChatGPT account rather than ask IT for help. The risk is shadow IT and data leakage, not refusal to use tools.
Millennial
The bulk of most SME workforces. Grew up with the internet as it commercialised, formed their work habits with email and Slack, and have generally adapted to whatever tech their workplace put in front of them. Their expectations:
- Self-serve when possible, but happy to raise a ticket when needed
- Comfortable with both chat and email; tolerant of phone if the situation calls for it
- Strong adoption of new tools when the value is clear
- Reasonable security hygiene if it has been trained
- Power users of collaboration tools (Teams, SharePoint, project management)
Most SME IT is implicitly designed for this group. They are easy. They are also the group most likely to get over-prioritised because they make up the largest share of the helpdesk inbound.
Gen X
Gen X formed their work habits in the late 1990s and early 2000s, in the transition from paper to digital. They are often the most productive group with established workflows, and they are often the silent shadow IT contributors because they have been carrying habits from old systems forward for two decades. Their expectations:
- Get the job done; do not care about new shiny tools unless they obviously help
- Email-first, with chat as a tolerated overlay
- Strong file system mental model; may struggle with SharePoint’s metadata-first approach
- Quietly use personal Dropbox, Evernote, or other tools they brought with them from a previous job
- Will phone the helpdesk if email is taking too long
The shadow IT pattern in this generation is the biggest hidden risk in most SMEs. It is rarely malicious. It is almost always ‘I have been doing it this way since 2008 and nobody told me to stop’.
Boomer
Often the founder, often a director, often the most experienced person in the room with the strongest informal authority. Their expectations:
- Phone or in-person support, preferably from someone they know by name
- Email as the dominant communication channel
- Reluctance to adopt new tools without strong evidence of value
- Trust-based rather than process-based interaction with IT
- Will phone the helpdesk for a captcha that has stumped them, and will be frustrated if the helpdesk does not pick up immediately
The Boomer cohort is often the smallest by headcount and the largest by IT influence per person. A board member who cannot get into Teams before a meeting will create more helpdesk pressure in five minutes than 20 Millennials in a week.
Helpdesk channel design for a four-generation workplace
The default modern helpdesk is a ticket portal plus a chat channel, optimised for self-service. This works for Gen Z (chat) and Millennials (either) but actively fails Gen X and Boomers, who often prefer phone or walk-up. The solution is not to abandon chat; it is to offer all four channels with deliberate routing.
| Channel | Best for | SLA expectation | Watch for |
|---|
| Chat (Teams or web) | Gen Z, Millennials, quick questions | First response under 2 minutes | Conversation sprawl; need clear closure |
| Email or ticket portal | Millennials, Gen X, non-urgent issues | First response under 30 minutes | Email gets buried; ticket portal feels formal |
| Phone | Gen X (urgent), Boomers, P1 issues | Pick up under 30 seconds | Requires a real human; voicemail is failure |
| Walk-up or on-site | Boomers, complex hardware issues, executives | Same business day for Melbourne metro | Requires actual on-site presence |
Running all four channels properly is expensive if you do it yourself with a small internal team. It is one of the practical reasons SMEs move to an MSP arrangement. Our 13 Australian engineers cover all four channels from our 24/7 NOC in Tecoma and our 575 Bourke Street CBD office, with a contractual sub-15-minute P1 response and same-business-day on-site response across Melbourne metro. That coverage model is hard to replicate with internal staff under about 8 IT FTEs, which is well beyond most SMEs.
Training that does not condescend
The single fastest way to lose generational goodwill in IT training is to pitch every session at the lowest common denominator. A 24-year-old Gen Z staff member sitting through ‘how to attach a file to an email’ becomes a future shadow IT user because they have learned that IT is not where help comes from. A 64-year-old Boomer thrown into a fast-paced ‘we will assume you know Slack’ onboarding becomes a future helpdesk regular because they did not catch up.
Tiered training
The model that works in SMEs is tiered training with self-selection. Offer three tiers of every major training session: foundational (assumes no prior knowledge), standard (assumes baseline comfort with the tool category), and advanced (assumes daily use, focuses on power features). Let staff self-select.
Almost everyone correctly self-assesses. The exception is a small subset of Gen X and Boomer staff who under-select out of pride and then struggle. The fix is a gentle 1:1 follow-up two weeks later: “How is the new system going? Is there anything you would like a walkthrough on?”
Avoid the metaphor trap
Training that leans on ‘this is like an old filing cabinet’ or ‘this is like sending a letter’ lands badly with Gen Z, who have never used either. Training that uses TikTok metaphors lands badly with Boomers, who have never used TikTok. The safest training language is concrete and operational: “Click here, then here, this is what happens, this is how to undo it.” Skip the metaphors entirely.
Documentation that respects time
Documentation needs to exist in two forms: searchable short-form (Notion pages, SharePoint articles, KB entries) for Gen Z and Millennials, and printable PDF or single-page reference sheets for Gen X and Boomers who learn by reading offline. The same content, different formats. The cost of producing both is modest. The cost of having only one is a generation that does not engage with documentation.
Default-deny vs default-allow assumptions
Modern security thinking, and the zero trust security model in particular, is default-deny. Nothing works unless it has been explicitly allowed. This is the right approach from a security perspective. It is also the approach that generates the most generational friction.
Gen Z and Millennials, raised on consumer apps that just work, find default-deny baffling: “Why can I not just install this thing? It is free.” Gen X and Boomers, raised on workplaces where IT controlled everything, find default-deny familiar but resent the friction when they are trying to do their actual job.
The path through this is not to compromise on default-deny. It is to invest in the user experience around it.
- Make exception requests easy. A two-click ‘request this app’ button beats a five-field ticket form every time.
- Publish a list of pre-approved tools clearly visible to staff. Most exception requests are for tools that would have been approved if the staff member had known.
- Communicate decisions back. “Your request for Tool X was approved/denied because Y” closes the loop and trains future requests.
- Treat the catalogue of approved tools as living. Add to it monthly. Staff who see the catalogue growing will treat exception requests as legitimate, not as a fight.
This is the practical application layer of application control, which is the hardest Essential Eight strategy to implement well. It is also the area where generational expectations matter most, because Gen Z will go around the control if the friction is too high.
The ‘tech buddy’ pairing model
One of the highest-leverage interventions we have seen in SMEs is the formal tech buddy model. Every new starter is paired with a tenured staff member from a different generation as their day-to-day go-to for small tech questions. The tech buddy is not IT; they are someone who already knows how the business uses the tools.
Why it works
- Reduces helpdesk inbound for small questions (estimated 12-25% reduction in our deployments)
- Creates cross-generational relationships in a way that other onboarding rarely does
- Surfaces shadow IT habits early, before they become entrenched
- Distributes IT literacy across the workforce instead of concentrating it
How to set it up
Pair new Gen Z starters with a Millennial or Gen X buddy who can model how the business actually uses tools. Pair new Boomer or Gen X starters with a Millennial buddy who can explain the modern collaboration patterns. The asymmetry is deliberate. The cross-generational pairing is where the learning happens.
For a Richmond marketing agency we manage, the introduction of the tech buddy model coincided with a 19% reduction in ‘how do I do X’ helpdesk tickets in the following quarter. The remaining tickets were genuinely harder problems that needed an engineer rather than a peer.
Specific design choices that help
Authentication friction
MFA is non-negotiable for any modern SME. The friction of MFA falls most heavily on Boomers, who are most likely to forget to bring their phone, lose their authenticator, or be confused by a passwordless prompt. Mitigations:
- Use Microsoft Authenticator passwordless or Windows Hello for Business as the default, not SMS codes
- Set up FIDO2 security keys (Yubikey) for users who repeatedly struggle with mobile MFA
- Conditional access policies that reduce MFA prompts on managed devices within the trusted network
- A clear and well-staffed account recovery process for the inevitable ‘I have lost my phone’ moment
Communication channels
Do not collapse all internal communication to Slack or Teams chat. The over-collapse of channels privileges Gen Z and disadvantages everyone else. Keep email viable for substantive communication, keep Teams or Slack for quick coordination, and keep phone open for urgent or sensitive conversations. Generational comfort follows the channel.
Device choice
Gen Z and many Millennials prefer Apple hardware for personal use and increasingly for work. Gen X and Boomers are typically Windows-fluent and find macOS unfamiliar. Standardising on Windows for cost and management reasons is the right call for most SMEs (and aligns with our endpoint policy recommendations), but be explicit about it and explain why. Treating Mac requests as unreasonable rather than as a legitimate preference creates a generational rift.
The Boomer founder problem
Worth a section of its own because it is so common in Melbourne SMEs. The founder, often Boomer or older Gen X, has built the business over 20 to 40 years. They use technology pragmatically but have not personally driven a tech refresh in five years. They are often the bottleneck for any decision about new tools, and they often have the strongest informal control over IT spend.
Two failure modes:
- The ‘just make it work like the old one’ instruction. Migrations and modernisations get blocked because the founder cannot accept that new tools will not exactly replicate the old ones. Solution: explicit acknowledgement that the new tool is different, paired with a clear demonstration of what gets better. Avoid ‘training’ the founder; offer to sit with them for an hour and walk through the actual workflows they use.
- The ‘I do not need that’ veto. Security investments and modernisations get blocked because the founder personally does not feel the pain. Solution: frame the conversation in terms of business risk rather than personal benefit. The Privacy Act compliance work and the Essential Eight investments protect the business; they are not optional convenience features.
For a Mount Waverley accounting firm we work with, the founder (mid-60s) had been blocking a move from a self-hosted file server to OneDrive and SharePoint for three years. The breakthrough came not from another training session but from a one-hour walk-through where one of our senior engineers sat with him and showed him how his existing daily file workflow would work in the new environment. The migration completed within two months. The block had been about uncertainty, not opposition.
What this means for IT strategy
Designing IT for a multi-generational workplace is not about generational stereotyping. It is about acknowledging that the median user does not exist on their own and that a one-size-fits-all approach excludes more people than it includes. The practical implications:
- Run multiple support channels in parallel and route deliberately
- Invest in documentation in multiple formats
- Treat default-deny security as a UX problem to be solved, not a posture to be defended
- Pair new starters with cross-generational tech buddies
- Resist the temptation to over-collapse communication channels
- Make founder onboarding to new tools a personal walk-through, not a training session
This is the kind of operational design work that sits inside a properly run Melbourne MSP relationship. A good MSP brings the channel mix, the documentation discipline, and the engineering depth to make all of this work. A bad MSP gives you a ticket portal and expects everyone to use it.
If you want to talk through what this looks like for your specific generational mix and business model, get in touch. Every SME is a different blend, and the right IT delivery model depends on the actual blend you have.
Frequently Asked Questions
Are these generational patterns really that consistent?
On the average, yes. On the individual, no. We work with 64-year-old Gen X-borderline staff who out-skill 24-year-old Gen Z staff on technical fluency, and vice versa. The point is not to assume; the point is to design for the variance. If your IT delivery model only works for one generational profile, you are excluding the others.
Should we have generation-specific training tracks?
Skill-specific, yes. Generation-specific, no. Self-selecting tiered training is more dignified and more accurate than tracking people by age. Generation matters as a design input, not as a sorting category.
How do we handle Gen Z staff who refuse to use email?
You will lose this battle if you frame it as compliance. You will win it if you frame it as professional necessity. Most clients, vendors, and regulators still operate on email. Gen Z will use email for those interactions if you explain why and accept that internal communication can happen elsewhere. The compromise is appropriate.
Is the tech buddy model just unpaid IT support?
It is informal peer support, not unpaid IT support. The tech buddy answers small questions (where do I find the project template, how do I share this externally) that would otherwise become helpdesk tickets. They do not troubleshoot hardware failures or security incidents. Make the boundary clear and recognise the buddy’s time in their performance review.
How does multi-generational design intersect with security?
It intersects most heavily in the authentication and access control layers. The same MFA policy that is invisible to a Gen Z user creates daily friction for a Boomer who keeps misplacing their phone. The same default-deny posture that protects the business creates shadow IT pressure in Gen Z. Good security design accounts for both, not just one. This is why our cybersecurity practice spends as much time on user experience as on policy.
What is the single highest-leverage change we could make this quarter?
Introduce or strengthen the tech buddy model for new starters. It is cheap, it builds relationships, and it surfaces shadow IT patterns before they entrench. Most SMEs see meaningful reductions in helpdesk inbound within a quarter, and the cultural benefits outlast the operational ones.