You said · Worried about the cyber insurance questionnaire
Industry · Not-for-profit
The cyber insurance questionnaire is exposing gaps in your security.
The renewal forms from insurers are no longer polite. They want proof of MFA scope, Essential Eight maturity, and verified backup restoration. For Australian not-for-profits, this hits hard. You manage donor data under the Privacy Act and volunteer access with limited budget. A defensible answer shows where your controls are thin. Overstating your posture risks a declined claim later.
What this usually looks like
What the questionnaire pressure looks like for not-for-profits.
Your team uses Salesforce NPSP, HubSpot, or DonorTec for donor records. Xero handles the finances. Access is often tied to staff role or volunteer status, with offboarding lagging behind departures. The ACNC Cyber Warden grant programs highlight these risks, but funding is tight. You cannot afford a full security team.
The insurer asks for evidence of patching SLAs, incident response plans, and data backup testing. You know you have backups, but when was the last time you restored a file? Volunteer accounts are hard to govern. The gap between your reality and the insurer's checklist is where claims get denied.
This is not about buying new software. It is about proving what you already do and fixing the gaps that matter. The insurer wants to see that you have looked at your own house. They want to know you can recover from a ransomware event without collapsing the organisation.
Where we'd start
What we do to get your answers right.
- Step 01: Audit the current posture against the form. We review your identity setup, endpoint management, and backup strategy. We check MFA coverage on all admin and donor-facing systems. We verify that volunteer access is revoked within 24 hours of departure. We map your current controls to the insurer's specific questions.
- Step 02: Patch the critical gaps quickly. We focus on the items that trigger immediate decline. This means enforcing MFA everywhere, ensuring backups are immutable and tested, and updating the incident response plan. We prioritise the Essential Eight maturity levels that matter most for insurance compliance.
- Step 03: Draft defensible responses. We help you answer the questionnaire with specifics. We provide the evidence for the 'yes' answers. We outline a clear remediation plan for the 'no' answers with realistic dates. This shows the insurer you are managing the risk, not hiding it.
CCP's security floor
Every CCP client is covered by the Client Security Baseline.
The CSBO is our contractual security floor. MFA on everything that matters. Application control. Vulnerability management. Backups restored, not just scheduled. Account offboarding the same day someone leaves. Password management staff will adopt. Annual awareness training.
If you won't do the basics, we'd rather decline than take responsibility for an incident you chose to ignore.
- Multi-factor authentication: Phish-resistant MFA on everything that matters.
- Application control: Allowlisted applications. Nothing else runs.
- Vulnerability management: Known vulnerabilities remediated inside thirty days.
- Tested backups: Backups that have actually been restored, not just scheduled.
- Same-day offboarding: Account access cut the day someone leaves the business.
- Password management: A password manager your staff will actually use.
- Awareness training: Annual cybersecurity training. No one opts out.
- The full baseline: Eleven controls in total. Seven shown here. See what's included in Managed IT Complete.
Track record
Twenty years in. A hundred-plus clients. The numbers are load-bearing.
4.8 average · 46 reviews on Google
“The new investors are making us offshore IT. It sucks. You guys were perfect. I don't want to change.”
Our clients measure their tenure with us in years, not renewals. When they do have to leave (almost always because they've been acquired), they're sad about it. That's the metric that matters.
“Night and day working with CCP. They came in from day one, spent the time to ensure everything was set up and secure properly, and now everything just works. Due to the success we've had with them, we further engaged them to manage our phone systems and website. If you work with CCP you will never have to worry about your IT systems again.”
“We have been using CCP since the early 2000s and have always had great service on our 20-plus PCs and server. We recently moved to a managed service and cannot rate the experience highly enough. Well done Lee and team.”
“We have been continually impressed with CCP over the several years we have used them. They are extremely efficient, excellent customer service and well priced. I would recommend Lee and his team.”
The qualifier
Let's see if we're a fit.
Seven questions, one moment of your time. We'd rather tell you now than three months in.