Portable assets and Microsoft 365 controls fall short at state entities

Implications for insurance and risk transfer 

The combined findings describe a risk environment in which some core controls – including accurate asset registers, basic cyber hygiene, and incident reporting – remain inconsistent across government entities. Gaps in asset tracking can complicate claims handling, loss adjustment, and valuation, particularly where business‑critical equipment cannot be quickly located or accounted for. On the cyber side, partial implementation of the Essential Eight, variable Microsoft 365 security configurations, and low reporting rates may influence how underwriters assess frequency and severity of potential incidents, set sublimits and retentions, and prioritise risk‑engineering support. As entities respond to audit recommendations and ASD guidance, insurers and brokers can anticipate more detailed scrutiny of asset management processes, stocktake routines, legacy IT strategies, multi‑factor authentication standards, backup practices, logging capability, supply chain review processes, and incident response testing in submissions and renewal negotiations.