Published on Monday, 4 May 2026 at 2:03:32 PM
Imagine this. A mid-sized Western Australian business, let's call them a 60-person professional services firm based in Perth, opens on a Monday morning to find every file encrypted, every workstation locked, and a ransom note demanding payment in cryptocurrency. They've been hit. The good news? They have a cyber insurance policy. The bad news? When the insurer reviews the claim, they discover multi-factor authentication wasn't enabled on the company's email platform, and the backups hadn't been tested in over a year. The claim is denied. The business is on its own.
This isn't a hypothetical we've made up to scare you. It's the lived reality of cyber incident response in 2026, and it's part of the reason we've recently updated our Terms & Conditions for clients on our Security as a Service (SecaaS) offering, and the reason every WA business owner needs to understand three connected ideas: what we're now requiring as a baseline, what the Australian Signals Directorate's Essential Eight actually asks of you, and what your cyber insurance broker is about to put in front of you at renewal.
Let's break it down.
Why we've updated our Terms & Conditions
For a long time, managed IT providers and their clients had an unspoken arrangement: the MSP would do its best to keep things secure, the client would do its best to follow advice, and when something went wrong everyone would work it out together. That model worked when threats were slower, attackers were less organised, and the consequences of a breach were a few days of downtime.
It doesn't work anymore.
In the last 24 months we've watched the threat landscape shift in three significant ways. Attackers have industrialised: ransomware-as-a-service operators are running professional businesses, with helpdesks, affiliate programs, and KPIs. The tools they're using are getting smarter: AI-assisted phishing is now indistinguishable from legitimate correspondence, even to careful staff. And the regulatory and insurance environment has caught up.
In that environment, the old shared-responsibility model leaves everyone exposed. If a client declines to enable MFA on a critical account, or won't allow patches to be applied during business hours, or insists on running unsupported software, the consequences don't stay with the client. They ripple through to us as their MSP, to the insurer, to the supply chain, and ultimately to the customers and citizens whose data is at stake.
So we've updated our Terms & Conditions to set a clear, defensible security baseline for any client engaging our SecaaS offering. The principles behind the update are simple:
- Clear minimum controls. There are now specific, non-negotiable security controls that must be in place for us to deliver services. These map directly to the Essential Eight and to the controls cyber insurers expect to see.
- Clear shared responsibility. The T&Cs make it explicit which controls Integrated ICT manages, which the client manages, and what happens when a client elects not to implement a recommended control.
- Clear consequences. Where a client chooses to operate below the baseline, the T&Cs document that decision and define the limits of our liability for incidents that result from it.
This isn't about us pulling away from the partnership. It's the opposite: it's about codifying a baseline that gives both parties a defensible position when something goes wrong, and ensuring that the protections we put in place actually have a chance to work. As an ISO/IEC 27001:2022 certified provider, this is also how we live up to our own commitment: we can't credibly hold ourselves to a recognised information security management standard while supporting environments that fall significantly below it.
The Essential Eight: the floor, not the ceiling
When we talk about a "baseline," we mean the Australian Signals Directorate's Essential Eight. If you've heard of it but never had it explained, here's the short version: it's a set of eight mitigation strategies the ASD has identified as the most effective controls a business can put in place to reduce the likelihood and impact of a cyber incident.
The eight controls cluster into three goals.
Preventing malware delivery and execution is addressed by application control (only approved software can run), patching applications, configuring Microsoft Office macro settings, and user application hardening (turning off risky features in browsers and PDF readers).
Limiting the extent of incidents is addressed by restricting administrative privileges (only the people who genuinely need admin access have it), patching operating systems, and enforcing multi-factor authentication.
Recovering data and system availability is addressed by regular, tested backups.
The Essential Eight is graded across maturity levels, from Maturity Level 0 (you don't have it) through Maturity Level 3 (advanced, well-tuned implementation).
Most Australian SMBs we assess sit somewhere between ML0 and ML1 when we first engage. Our goal in any SecaaS engagement is to get clients sustainably to ML1 or ML2 depending on their risk profile and obligations.
The reason these matter in May 2026, and not just to federal agencies, is that the Essential Eight has quietly become the de facto standard for everyone. Local government bodies are being asked to attest to it. Larger clients are asking suppliers to demonstrate it before signing contracts. Auditors are referring to it. And cyber insurers are using it as the structural backbone of their underwriting questionnaires.
Treating the Essential Eight as a federal-government concern is, in 2026, a strategic miscalculation. It's the floor.
What your cyber insurer is about to ask you
If your cyber insurance is up for renewal in the next twelve months, brace yourself. The renewal process has changed.
Five years ago, cyber insurance was a relatively simple product. You answered a short questionnaire, the insurer priced the policy, and that was that. Today, the renewal questionnaire from any major broker looks more like a security audit than an application form. You will be asked, in detail, about:
- Whether MFA is enforced on email, remote access, privileged accounts, and remote administration tools — all of them, not just some.
- Whether you have endpoint detection and response (EDR) deployed across every endpoint, not just antivirus.
- Whether your backups are immutable or air-gapped, how frequently they're tested, and how quickly you could restore.
- Your patching SLA for critical vulnerabilities — and your evidence that you actually meet it.
- Whether privileged access is managed through a PAM solution and whether standing admin rights have been removed.
- Your email filtering, security awareness training cadence, and phishing simulation results.
- Your incident response plan — and whether it's been tested in the last twelve months.
- Network segmentation between corporate, guest, and operational networks.
- Vendor and supply chain risk management.
Insurers are asking these questions because they have to. Cyber claims have been more frequent and more expensive than the original policies were priced for, and the underwriters who got that wrong are now trying very hard not to repeat it. The result, for businesses, is that the questions you can no longer credibly answer "yes" to will determine whether you get a quote at all, what excess you'll carry, and whether a future claim will be paid.
This is the link to the Essential Eight, and to our T&C update. The controls insurers are asking for are, to a striking degree, the same controls. MFA. Patching. Privileged access. Backups. Application hardening. The questionnaire reads like the Essential Eight with a few additions for endpoint detection, network segmentation, and incident response readiness.
Which is why our updated T&Cs and the Essential Eight aren't separate exercises. They are the same exercise, expressed three different ways: a security baseline, a regulatory framework, and an insurer's underwriting position. Get one right and you've largely done the other two.
What this means for you
If you're a client without SecaaS, or you're managing IT in-house, or you're with another provider, the questions to take to your next leadership meeting or Quarterly Business Review are these. Are we honestly meeting Essential Eight Maturity Level 1 across every part of the business? Could we answer "yes" to every question on a 2026 cyber insurance renewal, with evidence? And if not, what are we doing about it before our next renewal, before the next mandatory reporting threshold lands, or before the next attacker decides to find out?
We'd rather have these conversations now, in a strategy session, than after an incident, in a forensic review.
If you'd like a no-obligation review of where your business sits against the Essential Eight, what cyber insurers are likely to ask you at renewal, and how our updated SecaaS offering can close the gap, get in touch with the team at Integrated ICT. We have offices in Perth and Geraldton, and we're proudly ISO/IEC 27001:2022 certified — which means we're held to the same standard we're asking our clients to operate to.
Speak to the team:
Perth: (08) 6374 8200
Geraldton: (08) 9920 8550
Email: hello@integratedict.com.au
Integrated ICT is a Western Australian managed IT services provider with offices in Perth and Geraldton. We hold ISO/IEC 27001:2022 certification, are a Microsoft Solutions Partner for Modern Work, and a WALGA Preferred Supplier.