Insights

Staying ahead of the curve on cyber safety is paramount for Australia's small businesses. At Sync, we supply the resources and information you need to provide your clients with a better understanding of both the risks they face, and the mitigations they can put in place to protect their business.

From Silver Bullet to Speed Bump: MFA Phishing and the New Reality for Cyber Insurers


Introduction

Over the last decade, Multi-Factor Authentication (“MFA”) has increasingly been held up as one of the most effective controls against cyber-crime. During the ‘hard’ cyber insurance market in Australia in 2020 and 2021, insurers started to focus more closely on cyber security controls because of rising claims, and insureds were required to confirm that MFA was implemented on key systems such as remote access and VPNs. Insurers now expect MFA as part of their baseline eligibility requirements, and this is reflected in modern cyber proposal and application forms.

Insurers pushed hard for MFA adoption, and with good reason. MFA dramatically reduces losses from basic credential theft and has become a cornerstone requirement of cyber insurance underwriting. Today, however, the threat landscape is shifting. Attackers are no longer simply stealing passwords; they are actively targeting MFA itself. The rise of MFA Phishing techniques is forcing cyber insurers to rethink assumptions about risk, controls and loss prevention.

The Rise of MFA Phishing

Attackers are adapting quickly. Threat actors are now working around MFA, using techniques such as:
• Adversary-in-the-middle (reverse-proxy) phishing pages that sit between the user and the real login portal, relaying the password and the one-time code or push approval to the genuine site and capturing the resulting session cookie in real time;
• Session and authentication token theft (for example by infostealer malware), which lets an attacker bypass MFA entirely because the stolen token is presented after the user has already satisfied the MFA check.

Crucially, many of these attacks succeed even when MFA is technically enabled: the user does complete MFA, but it is the attacker who ends up holding the authenticated session.

What This Means for Cyber Insurers

For insurers, MFA Phishing may result in a steady increase in claims driven by Business E-Mail Compromise (“BEC”) and cloud account takeovers. The implications for cyber insurers may be significant:

Additional Underwriting Criteria

Insurers may be required to assess in greater detail how MFA is implemented and how resistant it is to phishing. They may be forced to move from asking “Do you have MFA?” to questions around Conditional Access, e-mail protections and phishing-resistant MFA (such as FIDO2/WebAuthn security keys or passkeys, which tie the authentication to the genuine site's origin and so cannot be relayed through a look-alike domain).
In the SME market, which currently places great emphasis on a frictionless sales process, such additional underwriting questions will create challenges for insureds and SME-specialist brokers.

Vulnerability Scans

Many insurers use external attack-surface scanning to automatically assess a business's internet-facing assets. Such tools have their uses, but they cannot detect MFA Phishing tools or techniques. MFA Phishing does not exploit a software vulnerability within the insured's environment; it relies on external phishing infrastructure and social engineering to intercept user credentials and authentication tokens in real time. As a result, a clean vulnerability scan does not indicate a reduced risk of MFA-related compromise, BEC or cloud account takeover.

Artificial Intelligence (“AI”)

Right now, MFA Phishing tends to be targeted because it is more complex to set up (reverse proxies), riskier for attackers (short-lived infrastructure) and most profitable when aimed at high-value users (finance staff or executives), so attackers pick their targets. AI, however, will sharply reduce the cost of operating MFA Phishing at scale. AI can already mimic internal tone, formatting and workflows, and personalise lures at scale, so MFA Phishing no longer needs to be “handcrafted” per target. Phishing-as-a-Service platforms already exist; AI adds auto-generated look-alike domains, AI-written login pages that clone real portals and rapid redeployment to evade detection. This turns MFA Phishing into a volume business rather than a bespoke attack: operators will be able to send thousands of highly plausible messages across many organisations at once, with each message still feeling targeted to its recipient.

Looking Ahead

MFA remains a critical control, but it is no longer the Silver Bullet it once was.
For cyber insurers, the rise of MFA Phishing marks a turning point: they must move from broad, control-based underwriting to a more nuanced assessment of identity resilience. The evolution will also present challenges for brokers, many of whom are still coming to grips with basic MFA deployment. Insurers will need to take a proactive role in educating brokers and insureds on the very real risks of MFA Phishing and the value of layered identity defences. Ongoing training and upskilling will be critical for all parties to keep pace.

Launch of Sync Underwriting


Rhodian launches fifth agency, bringing a highly tailored cyber product to market.

Sydney, Australia (February 03, 2025) – Rhodian Group, an incubator and accelerator of Australian underwriting agencies backed by Amwins, a global distributor of specialty insurance products and services, has announced its fifth agency to market. Sync Underwriting, a cyber specialist, brings one of Australia's leading cyber insurance experts, Richard Smith, to market as Chief Executive Officer.

Sync Underwriting will enter the market with an exclusive cyber insurance product tailored for the Australian small to mid-sized market. The Sync product has been built from the ground up to address the changing needs Australian businesses face as the cyber landscape continues to develop in complexity and size.

"I am delighted to launch Sync Underwriting to the market. Having solely worked in the Australian cyber market for the last 8 years, it has been exciting to build a cyber product that reflects the real needs of Australian businesses and the broker market. We have worked closely with our capacity providers, Tokio Marine Nichido, to develop a unique wording that positions us with strong differentiators. This, alongside our commitment to broker service, product development and strong technical cyber knowledge, will see Sync Underwriting grow to become a leading cyber agency in the coming years," says Richard Smith, CEO.

“Given the rise in demand for cyber insurance protection, it was essential that Rhodian built a cyber agency that responded to the brokers' need to present a comprehensive offering to their clients. We believe that Sync brings a strong combination of expert underwriting and qualified capacity to the market, at exactly the right time. We welcome Sync to the growing Rhodian network of agencies. It is exciting to be launching our fifth agency in just under two years,” comments Simon Lightbody, CEO, Rhodian Group.
About Rhodian

Rhodian is a network of underwriting agencies that creates independent opportunity and the collective capability to shape the future of the insurance industry. By selecting, incubating and supporting the next generation of agency leaders, Rhodian is combining new technologies, a shared success culture and the strongest talent to redefine Australia's agency landscape. For more information, visit rhodian.com.au. For more information about Sync Underwriting, visit syncunderwriting.com.au.