Questionnaire mapping

Question by question, where AttackEdge helps.

Pulled from the public Marsh cyber liability application forms and the SURA Cyber SME proposal that Marsh brokers also place. Marsh combines underwriter-specific and broker-side questions into one submission.

| Question the broker asks | Where AttackEdge helps | Where it doesn't | Coverage |
| --- | --- | --- | --- |
| Security policy that identifies and stipulates protection levels for all information assets | The policy document is something you write. AttackEdge contributes the technical evidence stream the policy can reference. | | Out of scope |
| Penetration testing of systems and active monitoring of network traffic to identify new threats | Monthly external scans against your in-scope assets, with the PDF history showing trend. Not a pen-test substitute, but it is the recurring external testing underwriters look for alongside the pen-test report. | Manual penetration testing of internal systems is out of scope. | Partial |
| Back-up and recovery procedures on sensitive and financial data at least weekly | Backup posture is internal. We see backup endpoints only if they are accidentally exposed to the internet, which they should not be. | | Out of scope |
| Patching of software systems on a regular basis | Internet-facing software versions are detected each cycle. A reduction in critical and high findings over consecutive months is patch-cadence evidence in itself. | Workstation and internal-server patching is invisible from outside; that has to come from your IT or MSP. | Partial |
| Password access required on all company systems and devices | Internal authentication policy is out of scope. We can flag exposed login pages, which is a different question. | | Out of scope |
| MFA enforced on remote network access, privileged accounts, backups, and webmail | MFA configuration lives inside Microsoft 365, Google Workspace, Okta, or your VPN. AttackEdge is an external scanner; ask your identity provider for this evidence. | | Out of scope |
| Next-generation antivirus (NGAV) or EDR tool across all endpoints | Endpoint protection is internal. The underwriter wants product-name evidence here, not a scan result. | | Out of scope |
| Critical patches applied within 24 / 48 / 72 hours | Internet-facing patch lag shows in the scan history: when AttackEdge first flagged a CVE, when the finding cleared. You can quote a real timeline rather than estimating. | Internal-system patching timelines still need to come from your patch-management tool. | Partial |
| Incident response plan or business continuity plan, tested annually | The plan is a document. The tabletop test is an exercise. Neither is a scan result. | | Out of scope |
| Privacy policy with data retention and destruction details | Out of scope. AttackEdge does not draft or verify privacy policy text. | | Out of scope |
| Social engineering training including phishing simulations | Phishing simulation services are a separate tool category. We surface email-authentication posture, which makes phishing harder against your domain. | | Out of scope |
| PII / PHI / PCI volume held electronically | A data-volume question. AttackEdge does not count records; your application or database does. | | Out of scope |
| External attack surface and exposed services (asked at quote stage by most Marsh-placed underwriters) | Every cycle enumerates exposed ports, banners and service versions on your in-scope IPs. The PDF lists them with severity and remediation. | | Helps |
| Email authentication posture (SPF, DKIM, DMARC, MTA-STS) | Checked every cycle and re-checkable any time. Underwriters often ask about email auth even when the form does not; business-email-compromise drives a large share of SMB cyber claims. | | Helps |
| TLS posture on customer-facing sites — certificates current, no weak ciphers, security headers in place | Certificate validity, cipher strength, HSTS and CSP presence reported each cycle on every in-scope host. | | Helps |
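The "Email authentication posture" row above is the one control an underwriter can verify from public DNS alone, so it is worth seeing what such a check actually grades. The script below is an added example, not AttackEdge's code: it takes the TXT records a resolver would return for a domain (here a constructed, offline sample for the hypothetical `example.test`) and rates SPF, DMARC, MTA-STS and one DKIM selector with a severity and a plain-language finding, the shape a dated report would list. The DNS names, selector and record contents are all assumptions; a live check would resolve them with dnspython or `dig TXT` and feed the answers into the same functions.

```python
"""Grade a domain's email-authentication posture from its DNS TXT records.

Added example, not AttackEdge's own code. Record contents are constructed.
"""
import re

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample: what TXT lookups for the hypothetical domain would return.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"],
    "_mta-sts.example.test": [],  # no MTA-STS published
    "selector1._domainkey.example.test": ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEYMATERIAL"],
}


def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC, DKIM, MTA-STS) into a lower-cased-key dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_count(terms):
    """Count SPF terms that cost a DNS lookup; RFC 7208 caps these at 10."""
    count = 0
    for term in terms:
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            count += 1
    return count


def grade_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ("high", "no SPF record; any host may claim to send for this domain")
    if len(spf) > 1:
        return ("high", "multiple SPF records; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    lookups = spf_lookup_count(terms)
    if lookups > 10:
        return ("high", f"{lookups} DNS lookups exceed the RFC 7208 limit of 10; SPF will permerror")
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.IGNORECASE)), None)
    if all_term is None:
        return ("medium", "no 'all' mechanism; unlisted senders get a neutral result")
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {
        "-": ("info", "-all: unlisted senders hard-fail"),
        "~": ("low", "~all: softfail only; rely on DMARC for enforcement"),
        "?": ("medium", "?all: neutral; SPF provides no protection"),
        "+": ("high", "+all: every host on the internet passes SPF"),
    }[qualifier]


def grade_dmarc(records):
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ("high", "no DMARC record; SPF and DKIM results are never enforced")
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "reject":
        sev, msg = "info", "p=reject: spoofed mail is refused"
    elif policy == "quarantine":
        sev, msg = "low", "p=quarantine: spoofed mail is filtered, not delivered to the inbox"
    elif policy == "none":
        sev, msg = "medium", "p=none: monitoring only, nothing is blocked"
    else:
        return ("high", "DMARC record has no valid p= tag")
    pct = tags.get("pct", "100")
    if policy != "none" and pct != "100":
        sev, msg = "medium", f"{msg}, but pct={pct} applies it to only part of the mail stream"
    if "rua" not in tags:
        msg += "; no rua= address, so no aggregate reports are received"
    return (sev, msg)


def grade_mta_sts(records):
    sts = [r for r in records if r.lower().startswith("v=stsv1")]
    if not sts:
        return ("low", "no MTA-STS record; inbound TLS is opportunistic and can be downgraded")
    if "id" not in parse_tags(sts[0]):
        return ("medium", "MTA-STS record lacks the required id= tag")
    return ("info", "MTA-STS published; the policy file under .well-known must also be served")


def grade_dkim(records, selector):
    if not records:
        return ("medium", f"no DKIM key found at selector '{selector}'")
    tags = parse_tags(records[0])
    if not tags.get("p"):
        return ("high", f"DKIM selector '{selector}' publishes an empty key (revoked)")
    return ("info", f"DKIM key published at selector '{selector}'")


def assess(domain, txt, dkim_selector="selector1"):
    """Return {control: (severity, message)} for one domain from a TXT lookup map."""
    return {
        "spf": grade_spf(txt.get(domain, [])),
        "dmarc": grade_dmarc(txt.get(f"_dmarc.{domain}", [])),
        "mta_sts": grade_mta_sts(txt.get(f"_mta-sts.{domain}", [])),
        "dkim": grade_dkim(txt.get(f"{dkim_selector}._domainkey.{domain}", []), dkim_selector),
    }


def worst_severity(findings):
    return max((sev for sev, _ in findings.values()), key=lambda s: SEVERITY_RANK[s])


if __name__ == "__main__":
    report = assess("example.test", SAMPLE_TXT)
    for control, (sev, msg) in report.items():
        print(f"{control:8} {sev:7} {msg}")
    print("overall:", worst_severity(report))
```

The sample domain comes out as "medium" overall: its SPF softfails, its DMARC policy is `p=none`, and it has no MTA-STS record, which is exactly the combination that reads as "we have email authentication" on a form while still leaving the domain spoofable in practice. The RFC 7208 lookup-limit check is included because an over-long SPF record silently fails to permerror at receivers, a defect a simple "is there an SPF record" question never surfaces.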
What you hand the broker

Three artefacts that travel with the submission.

Dated PDF report

A timestamped PDF per scan cycle. Marsh brokers attach it to the submission email alongside the completed application form; the date answers the "is this current" question before it gets asked.

Public methodology link

A live page describing exactly what AttackEdge checks. Whichever underwriter Marsh places you with can read it without an NDA, which speeds up follow-up questions.

Asset inventory and discovery log

Your current in-scope assets and the subdomains and hosts passive discovery surfaced. This is the answer to the "what is in scope" question on most application forms.

AttackEdge does not answer the parts of a Marsh application that live inside your environment: MFA configuration, backup posture, antivirus and EDR coverage, incident response plans, written privacy and security policies, wire-transfer authorisation procedures, and employee security awareness training. Those answers come from your IT team, your MSP, or a separate tool. The dated PDF only speaks to what is on the public internet.

Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) is the local arm of Marsh & McLennan. They place Australian SMB cyber across multiple underwriters and run the largest broker-distributed cyber-renewal volume in the country. Renewals are normally triggered 60 to 90 days before policy expiry; the broker collects the application form back from you in that window.

AttackEdge slots in early: subscribe before the form lands, run a cycle, and you have a dated PDF ready when the broker asks for evidence. The subscription means next year’s answer is the same answer, only newer.

Common questions

Marsh-specific FAQ.

  • Marsh is my broker, not my insurer. Whose questions am I actually answering?

    Marsh places Australian SMB cyber with several underwriters, most commonly Chubb (under the Cyber ERM wording) and the Steadfast-network insurers. The application form Marsh sends combines their underlying questions into one document. The technical-scanning answers AttackEdge supports translate directly into the underwriter's form behind it.

  • How does Marsh use the application form?

    Marsh runs the completed form through their indication matrix to get an initial price band, then submits to the chosen underwriter for a formal quote. Any "no" response on a security control question triggers a referral and either a higher rate or a decline. Having dated AttackEdge evidence for the external-scanning questions reduces the chance of a referral.

  • My Marsh form is the LPLC version for Victorian lawyers. Does this still apply?

    Yes. The LPLC-distributed form is shorter and is underwritten by Chubb (the Cyber ERM wording). Marsh's LPLC matrix bases the indicative price on yes-only responses to the security control questions in Section B. The AttackEdge PDF is evidence for the external part of those answers.

  • Does Marsh accept AttackEdge as a pre-approved tool?

    Marsh does not run a pre-approved tool list in Australia for SMB cyber. They look at evidence on its own merits when it arrives with the form. The dated PDF stands as evidence; we do not claim more than that.

  • I am applying with revenue over A$25m. Does that change the AttackEdge answer?

    No. Above A$25m, Marsh either uses an underwriter-specific long-form proposal (often Chubb Cyber ERM Standard) or refers to a specialist. The Standard Cyber ERM form is more detailed but the external-scanning questions are the same. AttackEdge's coverage of those questions does not change with revenue.

Renewal-ready evidence

Run the first scan before the form arrives.

Solo subscriptions start at A$39/month. The first PDF lands inside an hour of the first scan, dated and ready to attach.