Essentials Evidence for Cyber Insurance Renewals
What Australian cyber insurers typically ask for on Essentials maturity — ML levels, dated evidence, and how to avoid last-minute spreadsheet scrambles.
Cyber insurance renewals for Australian SMEs and mid-market IT teams increasingly turn on a practical question: can you show current Essential Eight maturity, not just a policy document from last year?
Brokers and underwriters vary, but the pattern is consistent. They want a stated maturity level (often targeting ML2), evidence that is recent, and proof that privileged access and MFA are actually enforced — not merely "planned." Spreadsheets and screenshots still appear, but they are harder to defend when a claim or renewal questionnaire asks when the configuration was last verified.
This guide summarises what insurers commonly request, how Essentials evidence maps to those asks, and a reusable renewal prep workflow for Microsoft 365 and Google Workspace tenants.
What insurers usually ask for
Exact wording differs by carrier, but renewal packs and security questionnaires converge on:
- Overall maturity level (ML0–ML3) against ASD Essentials, with the weakest-link rule stated clearly
- Per-strategy outcomes — especially MFA, restrictive admin privileges, patching, and backups
- Evidence dated within a window — often the last 30–90 days, sometimes "current quarter"
- Confirmation that access for the assessment was read-only (or that no intrusive agents were required)
They are less interested in marketing language and more interested in whether your claimed level would still hold if checked tomorrow. Silent configuration drift is why a clean ML2 assessment in March can fail a June renewal questions checklist.
Why "we did Essentials last year" falls short
Annual consultant engagements produce useful baselines, then go stale. Common renewal blockers:
- A Conditional Access exclusion or disabled policy that quietly drops MFA coverage
- A new Global Administrator without phishing-resistant MFA
- Devices falling out of compliance between Intune or Chrome policy reviews
- Backup or Vault settings that changed during a cost-optimisation pass
Under the November 2023 maturity model, overall maturity is the lowest strategy level. One control regression drops the whole claim. Insurers who ask "confirm you maintain ML2" are asking whether your current weakest strategy still clears ML2 — not whether it did last financial year.
What "good enough" evidence looks like for renewals
Assessor and insurer expectations increasingly align with timestamped, verifiable configuration proof. A practical pack for a cloud productivity tenant includes:
| Element | Why it helps at renewal |
|---|---|
| Per-strategy ML0–ML3 scores | Answers the maturity question without ambiguity |
| Query timestamps | Shows the evidence is inside the insurer's dating window |
| Hash-anchored API snapshots | Lets an auditor or insurer re-check the same raw response later |
| Plain-language remediation | Shows you know what breaks the score and how to fix it |
Self-attested checklists ("MFA: Yes") are weak. Screenshots without timestamps are better but brittle. API-derived snapshots with queriedAt, endpoint, and SHA-256 response hashes are the durable middle: Fair-tier proof that still reads as serious to underwriters and assessors. See IRAP-style Essentials evidence for how Fair vs Good tiers work, and our Security & Privacy page for the evidence-chain commitment.
Aegis Eight does not sell insurance and does not guarantee a policy will be issued or renewed. It produces continuous Essentials evidence from read-only Microsoft Graph or Google Admin APIs so you are not assembling proof under deadline pressure.
A practical renewal prep workflow
- Baseline now — run a free Essentials scan on Microsoft 365 or Google Workspace and email the PDF to whoever owns the insurance relationship.
- Remediate the weakest links — fix MFA enforcement and privileged access first; they dominate questionnaire failure modes.
- Keep a dated trail — subscribe if you need daily re-scans and change-triggered alerts so a silent regression does not surprise you mid-renewal.
- Export for the broker — PDF for humans; CSV / evidence packs where the questionnaire asks for machine-checkable detail.
- Re-scan inside the insurer's window — do not hand over a report from six months ago if they ask for "current" posture.
For MSPs filling questionnaires across many clients, repeatability matters more than heroics. A multi-tenant fleet view with per-tenant maturity and 30-day change counts is how you answer "which clients are renewal-ready this month?" without opening twenty workbooks.
Microsoft 365 vs Google Workspace
Insurers rarely care which cloud you run — they care whether Essentials strategies are visible and enforced. Visibility differs:
- Microsoft 365 — Conditional Access, Intune, Entra roles, and Defender signals usually give strong MFA and privilege evidence.
- Google Workspace — Admin SDK and audit APIs cover MFA and admin privileges well; desktop Windows/macOS patch status may show as no visibility without MDM; native Docs macros are often not applicable. See Google permissions and common Google Workspace drifts.
Honest "no visibility" on a control is better than inventing a pass — especially when an underwriter later requests the same evidence again.
Related reading
- Five Common Essentials Drifts in Microsoft 365 Tenants
- IRAP-Style Evidence for Microsoft 365 Essentials
- Essentials Maturity Levels Explained
Next steps
- Start a free Essentials scan — ML0–ML3 report before your next renewal questionnaire
- Download a sample report — see the evidence format
- Compare monitoring plans — daily drift scans from A$59/month
Questions? Email [email protected].