How Immutable Evidence Changes Cyber Insurance Underwriting in Australia

Published 12 Jun 2026
16 min read
insurance, underwriting, compliance evidence

The trust problem at the centre of cyber underwriting

Cyber insurance underwriting in Australia operates on a model that would be considered unusual in almost any other form of insurance. When a property insurer assesses a commercial building, an assessor visits the building. They inspect the fire suppression system. They verify the electrical wiring. They check the security system. They take photographs. The assessment is based on physical evidence, collected by someone qualified to evaluate it.

When a cyber insurer assesses an organisation's security posture, no one inspects anything. The insurer sends a questionnaire. The organisation answers it. The answers are taken at face value. The policy is priced accordingly.

This is not because cyber insurers are careless. It is because the practical alternative, sending a security assessor to every insured organisation for every renewal, is economically impossible. A property can be inspected in a day. A technology environment with hundreds of users, multiple cloud platforms, dozens of applications, and evolving security configurations would require days or weeks of assessment by a qualified professional. The cost would exceed the premium.

So the industry settled on questionnaires. And questionnaires have a fundamental limitation: they measure what the organisation believes is true, not what is actually true.

The consequences of this gap are becoming increasingly visible. Claims are disputed when the post-incident investigation reveals that controls described as "in place" on the questionnaire were misconfigured, incomplete, or absent. Premiums are rising because insurers cannot accurately differentiate between organisations with strong controls and organisations that merely claim strong controls. Coverage is narrowing because insurers are excluding specific attack vectors they cannot adequately assess through questionnaires.

The trust model is not collapsing. But it is straining. And the industry needs a better mechanism.

What goes wrong between the questionnaire and the claim

The gap between questionnaire answers and reality takes several forms, and none of them require the insured to be deliberately dishonest.

Configuration drift. At the time of the questionnaire, MFA may have been enabled for all users. Three months later, a new department is onboarded without MFA configured. A legacy application is granted an authentication exception. A Conditional Access policy is modified to exclude a trusted location. The controls drift from the assessed state without anyone noticing because no one is continuously monitoring against the assessed baseline.

Scope misunderstanding. The questionnaire asks "Do you have endpoint protection on all devices?" The IT manager answers yes, because every device they know about has endpoint protection. But the question and the answer have different scopes. The IT manager is thinking about managed devices. The insurer is asking about all devices, including the personal devices employees use to access corporate data, the contractor laptops that connect to the network, and the legacy systems that were supposed to be decommissioned.

Competence gaps. Many organisations, particularly SMBs, healthcare practices, legal firms, and accounting practices, do not have dedicated cybersecurity staff. The person answering the questionnaire is often the practice manager, the IT generalist, or the business owner. They answer to the best of their understanding, which may not match the technical reality. "We have a firewall" might mean "our internet router has a basic firewall function." "We have MFA" might mean "we set up MFA for the admin account."

Temporal disconnect. The questionnaire captures a point in time. The policy covers a year. The 364 days between the questionnaire and renewal are unmonitored. A control that was functioning at assessment time could fail the next day, and no one would know until an incident forces the discovery.

Evidence asymmetry. When a claim occurs, the investigator has the tools, access, and expertise to determine what was actually in place at the time of the incident. The pre-incident assessment was a questionnaire. The post-incident assessment is forensic. This asymmetry means that the most rigorous examination of the organisation's security posture happens only after the damage is done, when the information is most useful to the insurer and least useful to the insured.

The cost of the trust gap

The trust gap between the questionnaire and reality costs all participants in the insurance relationship.

For insurers, the cost is inaccurate risk pricing. When the insurer cannot distinguish between an organisation with genuinely strong controls and an organisation that merely claims strong controls, they price for the average, which means well-secured organisations pay more than their risk warrants, and poorly-secured organisations pay less. This is the classic adverse selection problem, and it is endemic in cyber insurance.

The cost also appears in claim disputes. When the post-incident investigation reveals that questionnaire answers were inaccurate, the insurer faces a choice: pay the claim despite the material misrepresentation (setting a precedent and absorbing the loss), or dispute the claim (damaging the relationship, inviting litigation, and creating reputational risk). Neither outcome is desirable.

For brokers, the cost is erosion of the advisory relationship. When a broker places a policy based on questionnaire answers that later prove inaccurate, the broker's credibility suffers even though the broker had no practical way to verify the answers. The broker is caught between the insured's self-assessment and the insurer's post-incident forensics.

For organisations, the cost is threefold. First, the risk of a disputed claim at the worst possible moment, when the organisation is dealing with an active incident and needs coverage most. Second, the ongoing cost of manual compliance evidence compilation: the days spent before each renewal assembling screenshots, exporting reports, and drafting questionnaire responses. Third, the opportunity cost of not being able to demonstrate a superior security posture: organisations with genuinely strong controls cannot differentiate themselves from organisations with weak controls, because both complete the same questionnaire.

What immutable evidence infrastructure offers

Immutable evidence infrastructure addresses the trust gap by replacing self-assessment with verifiable proof. Instead of asking an organisation to describe its security posture in a questionnaire, evidence infrastructure collects proof of the security posture directly from the organisation's systems automatically, continuously, and in a form that cannot be altered after collection.

The key properties of immutable evidence infrastructure, from an underwriting perspective, are:

Automated collection from source systems. Evidence is collected directly from the organisation's identity systems, cloud platforms, endpoint management, backup infrastructure, and security tools. The evidence reflects what the systems actually show, not what someone believes or remembers about the configuration. The human is removed from the evidence collection process, which eliminates the competence and scope gaps inherent in questionnaire-based assessment.

Tamper-proof storage. Once collected, evidence is written to storage that physically cannot be modified or deleted. This is not a software setting; it is an infrastructure-level guarantee. Evidence committed at 14:32 on Tuesday exists in its original form permanently. No one, not the organisation, not the platform provider, not an administrator, can alter it after the fact.

Cryptographic chaining. Each piece of evidence is hashed and linked to the previous piece in a per-organisation chain. This creates a continuous, verifiable trail. If any piece of evidence were altered, its hash would no longer match and every subsequent link in the chain would fail verification. Tampering is mathematically detectable, not by reviewing logs or trusting assertions, but by recomputing the hashes and checking the chain.

Continuous collection, not point-in-time snapshots. Evidence is collected on a recurring schedule, not once a year before renewal. This means the evidence trail covers the full policy period, not just the moment of assessment. If a control was functioning in January but failed in March, the evidence shows both states. There are no unmonitored gaps.

Independent verification. Reports generated from the evidence carry a cryptographic proof trail. The report's hash is recorded in the evidence ledger. An insurer receiving a report can verify its authenticity independently by checking the report hash against the evidence ledger, or by scanning a QR code on the report. The insurer does not need to trust the organisation. They do not need to trust the platform provider. They verify the mathematics.

Honest assessment. A properly designed evidence system does not produce a passing result when evidence is missing or insufficient. If the evidence required to assess a control is absent, stale, incomplete, or from the wrong source, the assessment produces "insufficient evidence", never "pass". This means the insurer receiving an evidence-based assessment knows that every "pass" is backed by real, verified evidence, and every gap is explicitly surfaced.
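To make the chaining and verification properties concrete, here is a small added example in Python. It is not APEXLyn's code and not the Attest implementation; the entry fields, source names, timestamps and evidence values are constructed assumptions. It shows a per-organisation hash chain, a verification pass that recomputes every hash from the genesis value forward, anchoring of a generated report's hash in the ledger so a reader can check the report independently, and what verification returns after an entry is altered. Note that the chain only makes alteration detectable; preventing alteration is the job of the write-once storage the text describes.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# prev_hash of the first entry in every per-organisation chain (constructed convention).
GENESIS_HASH = "0" * 64


def canonical_bytes(obj: dict) -> bytes:
    """Deterministic serialisation so identical evidence always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(org_id: str, seq: int, collected_at: str, source: str,
               payload: dict, prev_hash: str) -> str:
    """SHA-256 over the entry's content plus its predecessor's hash (the chain link)."""
    return hashlib.sha256(canonical_bytes({
        "org_id": org_id, "seq": seq, "collected_at": collected_at,
        "source": source, "payload": payload, "prev_hash": prev_hash,
    })).hexdigest()


@dataclass
class EvidenceEntry:
    seq: int
    collected_at: str   # ISO-8601 timestamp recorded by the collector
    source: str         # system the evidence came from (identity, backup, EDR, ...)
    payload: dict       # what that system actually reported
    prev_hash: str
    hash: str


class EvidenceChain:
    """Append-only ledger for one organisation. In production the entries would be
    written to WORM storage; this in-memory list only makes alteration detectable."""

    def __init__(self, org_id: str):
        self.org_id = org_id
        self.entries: list = []

    def append(self, collected_at: str, source: str, payload: dict) -> EvidenceEntry:
        seq = len(self.entries)
        prev = self.entries[-1].hash if self.entries else GENESIS_HASH
        h = entry_hash(self.org_id, seq, collected_at, source, payload, prev)
        entry = EvidenceEntry(seq, collected_at, source, payload, prev, h)
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Recompute every hash from genesis forward.
        Returns (True, None) if intact, else (False, seq of the first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            recomputed = entry_hash(self.org_id, i, e.collected_at, e.source, e.payload, prev)
            if e.seq != i or e.prev_hash != prev or e.hash != recomputed:
                return False, i
            prev = e.hash
        return True, None

    def anchor_report(self, report_bytes: bytes, generated_at: str) -> str:
        """Record a generated report's hash as its own ledger entry."""
        digest = hashlib.sha256(report_bytes).hexdigest()
        self.append(generated_at, "report-generator", {"type": "report", "sha256": digest})
        return digest

    def verify_report(self, report_bytes: bytes) -> bool:
        """Independent check a reader can run: the ledger must be intact, and the
        report in hand must hash to a value the ledger recorded."""
        ok, _ = self.verify()
        if not ok:
            return False
        digest = hashlib.sha256(report_bytes).hexdigest()
        return any(e.payload.get("type") == "report" and e.payload.get("sha256") == digest
                   for e in self.entries)


def tampered_copy(chain: EvidenceChain, seq: int, key: str, value) -> EvidenceChain:
    """Simulate an after-the-fact edit of one stored entry, to show it is detected."""
    altered = copy.deepcopy(chain)
    altered.entries[seq].payload[key] = value
    return altered


if __name__ == "__main__":
    # Constructed sample evidence, not real collector output.
    chain = EvidenceChain("org-example")
    chain.append("2026-03-15T14:32:00+11:00", "identity-provider", {"control": "mfa", "coverage": 0.98})
    chain.append("2026-03-15T14:40:00+11:00", "backup-platform", {"control": "backup", "retention_days": 60})
    report = b"Assessment report: MFA coverage 98%, backup retention 60 days"
    chain.anchor_report(report, "2026-03-16T09:00:00+11:00")
    print("chain intact:", chain.verify())
    print("report genuine:", chain.verify_report(report))
    print("edited report genuine:", chain.verify_report(report + b"."))
    print("after editing entry 0:", tampered_copy(chain, 0, "coverage", 1.0).verify())
```

The point of `verify_report` is that the reader does not trust the organisation or the platform's word that a report is genuine: they hash the document they were given and look for that hash in a ledger whose own integrity they have just recomputed. A QR code on the report, as the text describes, is just a convenient carrier for the report hash and the ledger location.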

What this changes for underwriting

If immutable evidence infrastructure were widely adopted, four aspects of cyber insurance underwriting would change significantly.

Change 1: Risk differentiation becomes possible.

Today, an insurer assessing two organisations of similar size and industry cannot easily distinguish between one with excellent security controls and one with mediocre controls because both complete the same questionnaire and both claim "yes" to the same questions. The insurer prices both at roughly the same level, adjusting primarily for industry and revenue.

With evidence-based assessment, the insurer can see the actual control state for each organisation. One has MFA on 98% of accounts, patches within 14 days, immutable backups tested monthly, and application control across all workstations. The other has MFA on 60% of accounts, patches running 45 days behind, backups not tested in six months, and no application control. The evidence shows the difference clearly.

This enables risk-based pricing that rewards organisations with genuinely strong controls. It also enables risk-based underwriting decisions that go beyond industry averages and revenue-based heuristics. The insurer can price the first organisation lower and the second higher, or decline the second until controls improve, with confidence that the assessment reflects reality.

Change 2: Continuous monitoring replaces annual snapshots.

The current model assesses security posture once per policy period, typically at renewal. Evidence infrastructure enables continuous assessment. The insurer could, with appropriate agreement, receive periodic evidence updates showing the organisation's control state throughout the policy period.

This changes the insurance relationship from "assess once, hope for the best" to "monitor continuously, intervene early." If an organisation's patch compliance degrades mid-term, the evidence shows it, and the insurer or broker can notify the organisation before the degradation becomes an exploitable vulnerability. Early intervention prevents claims. Prevented claims are better for everyone.

Continuous monitoring also enables mid-term policy adjustments. If an organisation improves its controls significantly during the policy period, the evidence supports a mid-term premium adjustment or coverage expansion. If controls degrade, the insurer can adjust terms accordingly. The policy becomes responsive to the actual risk rather than fixed to a point-in-time assessment.

Change 3: Claim disputes are reduced.

When both the pre-incident assessment and the post-incident investigation are evidence-based, the gap between them shrinks dramatically. The insurer can compare the evidence-based assessment at binding with the evidence trail at the time of the incident. If the controls were in place and functioning, and the evidence proves it, the claim is straightforward. If the controls had degraded, and the evidence shows when and how, the discussion is fact-based rather than adversarial.

This does not eliminate all claim disputes. But it replaces the current pattern where the insured's questionnaire and the investigator's findings tell different stories with a pattern where both sides are working from the same evidence base. The evidence is permanent, timestamped, and independently verifiable. There is no ambiguity about what was in place and when.

Change 4: The broker's role becomes more valuable.

In the current model, the broker's role in cybersecurity assessment is limited. The broker helps the client complete the questionnaire and may offer general guidance, but the broker cannot independently verify the client's security posture.

With evidence-based assessment, the broker has a new tool. A broker who can present an evidence-backed assessment to the insurer showing verified controls, continuous evidence, and independent verification is providing a fundamentally different submission than a broker presenting a completed questionnaire. The broker who can facilitate evidence-based submissions will differentiate their practice from competitors who can only offer questionnaire-based placements.

For brokers serving portfolio clients, particularly MSPs or IT consultants who manage security for multiple businesses, evidence infrastructure enables portfolio-level assessment. The broker can present the insurer with verified evidence across dozens or hundreds of clients, demonstrating consistent control coverage at scale.

What evidence-based insurance assessment looks like in practice

To make this concrete, consider how an evidence-based cyber insurance assessment would work compared to the current model.

Current model — the questionnaire cycle:

Step 1: Renewal approaches. Insurer or broker sends questionnaire (60–100 questions across security domains).
Step 2: Someone in the organisation spends 2–5 days compiling answers, exporting screenshots, gathering policy documents.
Step 3: Completed questionnaire is submitted.
Step 4: Insurer reviews answers at face value, adjusts pricing based on answers and claims history.
Step 5: Policy is issued.
Step 6: No further assessment until next renewal (12 months later).
Step 7: If a claim occurs, forensic investigation reveals the actual state — often significantly different from the questionnaire.

Evidence-based model:

Step 1: Organisation connects its systems to an evidence platform. Evidence collection begins automatically.
Step 2: At renewal, the evidence platform generates a verified assessment report covering all relevant frameworks (Essential Eight, ISO 27001, etc.). The report shows: current control state, historical evidence trail, confidence levels, gaps, and verification mechanism.
Step 3: The report is submitted to the insurer, who can independently verify its authenticity by checking the report hash or scanning the QR code.
Step 4: The insurer reviews verified evidence, not self-reported answers. Risk pricing reflects the actual control state.
Step 5: Policy is issued.
Step 6: Evidence continues to be collected throughout the policy period. The insurer (with agreement) receives periodic updates showing control consistency.
Step 7: If a claim occurs, the evidence trail from the time of the incident is already available, collected at the time, not reconstructed after the fact.

The time investment for the organisation drops from days of manual compilation to minutes of report generation. The quality of information the insurer receives increases from unverified self-assessment to verified evidence. And the post-incident investigation has a contemporaneous evidence trail rather than a retrospective reconstruction.

The assertion and non-assertion model

One feature of evidence-based reporting that is particularly relevant for insurance is the assertion and non-assertion model.

Every evidence-based report should contain two statements:

The assertion statement describes exactly what was assessed, which frameworks were applied, which systems were in scope, what evidence was collected, and what the assessment concluded. This tells the insurer precisely what the report covers.

The non-assertion statement describes what was NOT assessed. This might include: controls that require governance documentation not available through automated collection, systems that were not connected to the evidence platform, frameworks that were not included in the assessment scope, or areas where evidence was insufficient to produce a conclusion.

This model is critically important for insurance because it eliminates the ambiguity that plagues questionnaire-based assessment. A questionnaire that receives "yes" to "Do you have backups?" could mean anything from "we have a USB drive in a drawer" to "we have immutable, geo-redundant, tested backups with 90-day retention." The assertion/non-assertion model replaces this ambiguity with specificity: "We assessed backup controls and found: automated daily backups running on all servers (evidence collected 14:32 AEST 15 March 2026), retention of 60 days (configuration evidence), offsite replication configured (evidence). We did not assess: backup restore testing (no automated evidence available, this requires governance documentation)."

The insurer reading this report knows exactly what was proven and exactly what was not. They can make an informed underwriting decision based on verified evidence rather than an optimistic interpretation of a vague questionnaire answer.
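The "honest assessment" property and the assertion/non-assertion split above can be expressed as one small evaluation routine. The following is an added example in Python, not APEXLyn's code and not how Attest evaluates controls; the control names, accepted source systems, freshness windows, pass thresholds and evidence records are constructed assumptions. It returns PASS or FAIL only when fresh evidence from an accepted automated source exists, returns INSUFFICIENT for evidence that is missing, stale, or from a manual source (a spreadsheet), and for controls that need governance documentation, and then splits the results into an assertion list and a non-assertion list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

PASS, FAIL, INSUFFICIENT = "PASS", "FAIL", "INSUFFICIENT"


@dataclass
class Evidence:
    control: str
    source: str              # system that produced the record
    collected_at: datetime
    value: dict              # what the source reported, e.g. {"coverage": 0.97}


@dataclass
class ControlRule:
    control: str
    accepted_sources: frozenset      # only automated source systems count as evidence
    max_age: timedelta               # older evidence does not prove the current state
    check: Callable[[dict], bool]    # pass condition on the freshest accepted evidence
    requires_governance_doc: bool = False   # no automated source can prove this control


@dataclass
class Result:
    control: str
    verdict: str
    reason: str
    evidence: Optional[Evidence] = None


def assess_control(rule: ControlRule, evidence: list, now: datetime) -> Result:
    """Never infer a pass: missing, stale or wrong-source evidence is INSUFFICIENT."""
    if rule.requires_governance_doc:
        return Result(rule.control, INSUFFICIENT,
                      "requires governance documentation; no automated evidence source")
    candidates = [e for e in evidence if e.control == rule.control]
    if not candidates:
        return Result(rule.control, INSUFFICIENT, "no evidence collected")
    accepted = [e for e in candidates if e.source in rule.accepted_sources]
    if not accepted:
        seen = ", ".join(sorted({e.source for e in candidates}))
        return Result(rule.control, INSUFFICIENT, f"evidence only from unaccepted source(s): {seen}")
    latest = max(accepted, key=lambda e: e.collected_at)
    if now - latest.collected_at > rule.max_age:
        return Result(rule.control, INSUFFICIENT,
                      f"evidence stale, collected {latest.collected_at.isoformat()}", latest)
    verdict = PASS if rule.check(latest.value) else FAIL
    return Result(rule.control, verdict,
                  f"from {latest.source} at {latest.collected_at.isoformat()}", latest)


def assess(rules: list, evidence: list, now: datetime) -> dict:
    return {r.control: assess_control(r, evidence, now) for r in rules}


def statements(results: dict) -> tuple:
    """Assertion: what was proven (pass or fail). Non-assertion: what was not assessed."""
    assertion = [f"{r.control}: {r.verdict} ({r.reason})"
                 for r in results.values() if r.verdict != INSUFFICIENT]
    non_assertion = [f"{r.control}: not assessed ({r.reason})"
                     for r in results.values() if r.verdict == INSUFFICIENT]
    return assertion, non_assertion


# Constructed rules and thresholds (assumptions for this example, not a published standard).
SAMPLE_RULES = [
    ControlRule("mfa", frozenset({"identity-provider"}), timedelta(days=7),
                lambda v: v["coverage"] >= 0.95),
    ControlRule("patching", frozenset({"patch-management"}), timedelta(days=7),
                lambda v: v["days_behind"] <= 14),
    ControlRule("backup-retention", frozenset({"backup-platform"}), timedelta(days=7),
                lambda v: v["retention_days"] >= 30),
    ControlRule("application-control", frozenset({"edr"}), timedelta(days=7),
                lambda v: v["coverage"] >= 0.99),
    ControlRule("endpoint-protection", frozenset({"edr"}), timedelta(days=7),
                lambda v: v["coverage"] >= 0.99),
    ControlRule("backup-restore-testing", frozenset(), timedelta(days=90),
                lambda v: True, requires_governance_doc=True),
]

T = timezone.utc
SAMPLE_NOW = datetime(2026, 3, 16, 9, 0, tzinfo=T)

# Constructed evidence records, not real collector output.
SAMPLE_EVIDENCE = [
    Evidence("mfa", "identity-provider", datetime(2026, 3, 15, 14, 32, tzinfo=T), {"coverage": 0.97}),
    Evidence("patching", "patch-management", datetime(2026, 1, 20, 8, 0, tzinfo=T), {"days_behind": 10}),
    Evidence("backup-retention", "backup-platform", datetime(2026, 3, 15, 14, 40, tzinfo=T), {"retention_days": 60}),
    Evidence("application-control", "edr", datetime(2026, 3, 15, 15, 0, tzinfo=T), {"coverage": 0.60}),
    # A spreadsheet is a human assertion, not a source system, so it cannot support a pass.
    Evidence("endpoint-protection", "spreadsheet", datetime(2026, 3, 14, 10, 0, tzinfo=T), {"coverage": 1.0}),
]


def run_sample() -> dict:
    return assess(SAMPLE_RULES, SAMPLE_EVIDENCE, SAMPLE_NOW)


if __name__ == "__main__":
    assertion, non_assertion = statements(run_sample())
    print("ASSERTION:\n" + "\n".join("  " + s for s in assertion))
    print("NON-ASSERTION:\n" + "\n".join("  " + s for s in non_assertion))
```

On the constructed sample the patching evidence is a real reading but 55 days old, so it lands in the non-assertion list rather than being read as a pass; the endpoint-protection spreadsheet claims 100% coverage but is not a source system, so it is likewise not asserted. An insurer reading the output sees two passes, one fail, and three explicitly unassessed controls, which is exactly the specificity the questionnaire "yes" lacks.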

Objections from the insurance industry — and responses

When evidence-based underwriting is discussed with insurance professionals, several objections arise. Each deserves a direct response.

"We don't have the capability to evaluate this kind of evidence."

This is true for many insurers today, and it is a transitional challenge, not a permanent barrier. Evidence-based reports are designed with two readability modes: an executive summary in plain language for underwriters who are not security specialists, and a technical appendix with full evidence proof for those who want to verify. The executive summary provides the same kind of information the questionnaire provides, just verified. The underwriter does not need to understand hash chains to read a report that says "MFA: enabled on 97% of accounts, method: authenticator app, evidence confidence: HIGH."

Over time, as evidence-based assessment becomes more common, underwriting teams will develop the capability to evaluate evidence-based submissions. The first movers will have a competitive advantage in risk selection.

"Our existing questionnaires work well enough."

They work until they don't. The question is not whether the current model produces acceptable results; on average, it does. The question is whether the current model can distinguish between the well-secured organisation and the poorly-secured organisation that gives the same questionnaire answers. If it cannot, and the claim frequency data suggests it often cannot, then "well enough" is costing the insurer money through mispriced risk and avoidable claims.

"The cost of implementing this across our portfolio would be prohibitive."

The cost falls primarily on the insured, not the insurer. The insured connects their systems to an evidence platform and receives verified reports. The insurer receives reports that are easier to evaluate than questionnaire responses because they are specific, structured, and verifiable. The insurer's incremental cost is learning to read a different format of submission, not deploying technology.

For insurers that want to actively encourage evidence-based submissions, the mechanism is straightforward: offer a premium benefit to organisations that submit verified evidence. The premium benefit incentivises adoption. Adoption improves risk selection. Improved risk selection improves loss ratios. The cycle is self-reinforcing.

"What if the evidence shows worse results than the questionnaire would have?"

This is the right outcome, not a problem. If evidence reveals that an organisation's controls are weaker than a questionnaire would have indicated, the insurer has better information for pricing and terms. The organisation has a clear picture of where to improve. And both parties avoided the claim dispute that would have occurred when the post-incident investigation revealed the gap.

Transparency serves everyone. Organisations with genuinely strong controls benefit from accurate assessment. Organisations with weak controls benefit from knowing their gaps before an incident exploits them. Insurers benefit from pricing that reflects actual risk.

The opportunity for Australian insurers

The Australian cyber insurance market is well-positioned for evidence-based underwriting adoption, for several reasons.

Market size. The Australian market is large enough to be economically significant but small enough for innovation to spread quickly. A single major insurer adopting evidence-based assessment would create competitive pressure across the market within 12–18 months.

Regulatory environment. APRA CPS 234 already requires regulated entities (including insurers themselves) to maintain demonstrable information security capabilities. Evidence-based assessment aligns with the direction APRA is moving. An insurer that adopts evidence-based underwriting for its cyber portfolio is also building capability that supports its own CPS 234 compliance.

Essential Eight adoption. The Essential Eight has become the de facto assessment framework for Australian cyber insurance. This standardisation makes evidence-based assessment practical: the evidence platform maps to the same framework the insurer already assesses against. There is no framework translation problem.

MSP channel. A significant portion of Australian SMBs manage their IT through MSPs. MSPs that adopt evidence platforms can deliver verified evidence across their entire client base, giving insurers portfolio-level evidence at scale. This channel effect could accelerate adoption far faster than direct insured-by-insured adoption.

Competitive differentiation. The first insurer (or group of insurers) that can offer evidence-based underwriting with premium benefits for verified evidence, continuous monitoring options, and reduced claim dispute rates will have a significant competitive advantage in broker channels and direct-to-business sales.

Where to start

For insurers, brokers, and organisations interested in evidence-based underwriting, the starting point is straightforward.

For insurers: Identify a cohort of willing insureds, perhaps 20–50 organisations across 2–3 industry verticals, and pilot evidence-based assessment alongside the existing questionnaire process. Compare the evidence-based results with the questionnaire answers. Measure the gap. Use the findings to develop evidence-based underwriting criteria and pricing models. The pilot requires minimal investment and produces data that informs the broader strategy.

For brokers: Identify clients who would benefit from evidence-based submissions, particularly those with strong controls who are currently unable to differentiate themselves from weaker competitors. Facilitate evidence-based submissions to insurers and test whether the submissions result in better terms. Build the evidence-based submission capability as a differentiator for your brokerage.

For organisations: Start collecting evidence now, regardless of whether your insurer currently accepts evidence-based submissions. When evidence-based underwriting becomes available, and the direction suggests it will, organisations with an existing evidence trail will be in a stronger position than those starting from scratch. The evidence you collect today for your own compliance purposes is the same evidence that will support your insurance submission tomorrow.

About APEXLyn

APEXLyn is an Australian cybersecurity and AI governance company based in Sydney. We build evidence infrastructure platforms that make security provable, not just claimed.

APEXLyn Attest is an evidence-led compliance engine that automates evidence collection from existing systems, commits evidence to tamper-proof storage with cryptographic chaining, maps evidence to Australian compliance frameworks (Essential Eight, ISO 27001, APRA CPS 234, ASD ISM, Privacy Act, and more), and generates insurance-grade reports with assertion/non-assertion statements and independent verification.

Attest reports include: executive summaries in plain language, risk scorecards with RAG status, evidence proof appendices with cryptographic hashes, governance attestation records, chain-of-custody statements, and QR-code verification that allows any reviewer to confirm the report is genuine without platform access.

APEXLyn Trace is an AI security and evidence platform that monitors how AI tools are used across your organisation, enforces your governance policies automatically, and records every governed interaction as forensic-grade evidence. Trace works alongside your existing security tools, not instead of them.

Both platforms are hosted entirely in Australia on AWS Sydney infrastructure. All data stays in Australia. For insurers and brokers interested in how evidence infrastructure could integrate with underwriting workflows, we welcome a conversation.

Request a baseline assessment: www.apexlyn.com.au/baseline

Learn more: www.apexlyn.com.au | Contact: info@apexlyn.com.au

This publication is provided for informational purposes. APEXLyn Attest automates the collection, storage, and mapping of security evidence to compliance frameworks. APEXLyn Trace automates AI governance monitoring, policy enforcement, and forensic evidence recording. Both platforms produce evidence-based assessment outputs that are designed to support — not replace — formal compliance, legal, regulatory, and governance decisions made by qualified professionals including auditors, lawyers, and certified assessors.

© 2026 APEXLyn Pty Ltd. All rights reserved.

Written by the APEXLyn team.

