Cyber insurance used to be a tick-box. Fill in a short form, pay the premium, done. Those days are over - and the questions on today's forms have real teeth.

As cyber claims have soared, insurers have gotten a lot choosier about who they cover and on what terms. The application forms are longer, the questions are more technical, and - crucially - the answers you give become part of the contract. Increasingly, those questions map straight onto the Essential Eight.

What insurers are really asking

Strip away the wording and most cyber insurance questionnaires now want to know:

  • Do you enforce multi-factor authentication, especially on email and remote access?
  • Are your systems and software patched promptly?
  • Do you take regular backups - and are they offline or otherwise protected from ransomware?
  • Do you restrict administrator access?
  • Do you provide staff security awareness training?

If that list looks familiar, it should - it’s the Essential Eight in a suit. Insurers have quietly adopted it as their shorthand for “is this business a reasonable risk?”

The trap: answering “yes” when the honest answer is “sort of”

Here’s where businesses get badly caught. Under time pressure, someone ticks “yes, we have MFA” or “yes, we back up” without checking whether it’s actually true across the whole business. The premium gets paid. Everyone moves on.

Why this matters at the worst possible moment

If you later make a claim, the insurer’s investigators will check whether the controls you declared were genuinely in place. If MFA wasn’t actually on, or backups were never working, they can reduce or refuse the payout - exactly when you need it most. An inaccurate form isn’t a technicality; it can void your cover.

The upside: it can lower your premium

It cuts both ways. Businesses that can genuinely demonstrate strong controls - with evidence, not just a tick - are increasingly rewarded with better terms and lower premiums. Being able to show an insurer that you take the Essential Eight seriously puts you in the good-risk pile.

How to get it right before renewal

  • Don’t guess. Before you fill in a single box, confirm what’s actually in place. “I think so” is not an answer that protects you.
  • Get the evidence. Insurers increasingly want proof, not promises. Where they need it, an independent audit gives you documentation you can hand over - and makes renewals painless.
  • Close the easy gaps first. MFA everywhere and tested backups are quick wins that move the needle most on both risk and premium.

Where we come in

When you’re on a First Assist managed plan, your security is aligned with the Essential Eight as standard - so when the insurance form lands on your desk, you can answer honestly and confidently, because the controls are genuinely in place. And if your insurer wants independent proof, we arrange a formal audit through our specialist partners. No guessing, no nasty surprises at claim time. That peace of mind is a big part of why our clients sleep better.

See where you stand in 2 minutes

Take our free Essential Eight self-assessment - eight questions, instant scorecard, no email required.

Take the free assessment →