Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Cyber insurance underwriting has tightened sharply in Canada. Premiums climbed, sub-limits shrank, and underwriters treat security controls as preconditions. Canadian SMBs that bought coverage on a one-page application in 2022 are now answering 60-question control questionnaires. This guide is the cyber insurance coverage checklist Fusion Computing uses with Canadian businesses of 10 to 150 users at renewal: what underwriters expect, where claims fail, and how to evidence each control before the broker calls.
QUICK ANSWER
Cyber insurance qualification in Canada now requires demonstrated alignment with CIS Controls v8.1. Five anchors carry the questionnaire: enforced MFA on email and remote access, EDR on every endpoint, immutable backups with tested restore, a documented incident response plan, and quarterly security awareness training. Canadian carriers including Beazley, Chubb, Coalition, Intact, and Northbridge treat these as binary pass or fail items.
KEY TAKEAWAYS
- Canadian carriers now treat MFA, EDR, and immutable backups as binary pass/fail items on a cyber insurance coverage checklist.
- The IBM 2025 Cost of a Data Breach report puts the Canadian average at CA$6.98M, which is the figure SMBs should size their limits against.
- Most denied claims trace back to control attestation gaps, not policy wording, so what you signed at renewal matters more than the marketing.
- First-party coverage pays your recovery, third-party pays the people you harmed, and most SMBs underbuy the second.
- Pre-renewal work should start 90 days before expiry so evidence packs, MFA gaps, and PAM rollout finish before the underwriter sees them.
What is cyber insurance and what does it actually cover?
According to the Coalition 2024 Cyber Claims Report, the average ransomware demand reached approximately $1.4M USD in 2023 with claim frequency up 15% year over year. The CCCS National Cyber Threat Assessment 2025-2026 reports Canadian ransom payments averaging CA$1.13M in 2023, a 150% jump over two years. These figures explain why Canadian underwriters now require evidenced controls before binding.
Most Canadian cyber insurance underwriters in 2026 want documented security operations evidence (monthly reporting, response action logs, forensic artifacts), not policy attestation. For the contractual model that produces this evidence, see our companion guide on what an MSSP is and the 6-criterion evaluation rubric for Canadian SMBs.
Cyber insurance is a specialty liability product covering financial losses from cybersecurity incidents. A Canadian business policy pays for forensic investigation, ransom response, breach notification, regulatory defence, business interruption, and third-party claims tied to breached data. Coverage is conditional on the controls disclosed at application.
Canadian SMB policies in 2026 are no longer commodity products. Carriers stratify quotes by control posture, sector, and revenue band. A 40-user Toronto firm with documented MFA and EDR attracts very different terms than a same-size manufacturer on a flat network. Working with a CISSP-led MSP before the application closes is the cheapest place to fix gaps.
The 8 controls Canadian cyber insurance underwriters now require
The 2026 Canadian underwriting standard has consolidated around eight controls. Beazley, Chubb, Coalition, Intact, and Northbridge all ask for the same core set. Failing any one usually means higher premium, a ransomware sub-limit reduction, or declination.
| Control | What insurers ask | Pass threshold |
|---|---|---|
| MFA | Enforced on email, VPN, RDP, admin consoles? | 100% of remote and privileged accounts via Microsoft Entra ID. |
| EDR | Modern EDR with 24/7 monitoring on all endpoints? | SentinelOne, Huntress, or Microsoft Defender for Endpoint everywhere; no signature-only AV. |
| Email security with DMARC | DMARC at p=reject; attachment sandboxing on? | SPF, DKIM, DMARC p=reject on every domain; anti-phishing enabled. |
| Immutable backup with tested restore | Immutable backups; restored quarterly? | 3-2-1-1-0 architecture; dated restore log within 90 days. |
| IR plan with annual tabletop | Written IR plan and yearly exercise? | Runbook, named roles, after-action from a tabletop in the last 12 months. |
| Awareness training with phishing sims | Users trained and phish-tested on schedule? | Quarterly phishing sims; annual training; click-rate trend. |
| PAM | Admin accounts separated and vaulted? | Separate admin identities; Keeper vault; just-in-time elevation. |
| Network segmentation | User, server, OT segments isolated? | Fortinet firewall with VLANs separating user, server, OT, guest, management. |
Across Fusion Computing’s 2026 renewal packages, MFA gaps and untested backups drive most premium increases. The fix is operational, not technological, and finishes inside one quarter when planned alongside the broker timeline.
Cyber insurance qualification checklist: 12 controls and evidence required
According to CIS Controls v8.1 (Center for Internet Security, 2024), the Implementation Group 1 baseline maps directly to what Canadian underwriters now ask. The table below pairs each control with the broker question and the artifact your evidence pack should hold. Fusion Computing uses this same matrix during pre-renewal assessments for Canadian SMBs of 10 to 150 users.
| Control (CIS v8.1) | What insurers ask | Evidence required |
|---|---|---|
| MFA on email (CIS 6.5) | Is MFA enforced on all email accounts including shared mailboxes? | Microsoft Entra ID conditional access policy export; coverage report showing 100%. |
| MFA on remote access (CIS 6.5) | Is MFA enforced on VPN, RDP gateway, and any externally exposed admin console? | Fortinet or SSL VPN config screenshot; conditional access policy; external scan with no exposed admin portal. |
| EDR on all endpoints (CIS 10.7) | Is modern EDR with 24/7 monitoring deployed on every endpoint and server? | SentinelOne, Huntress, or Microsoft Defender for Endpoint coverage dashboard; signed off by an MDR provider. |
| Immutable backups (CIS 11.2) | Are backups immutable, offsite, and protected from the production domain? | 3-2-1-1-0 architecture diagram; vendor immutability attestation; offsite copy confirmation. |
| Backup restore testing (CIS 11.5) | When was the last documented restore test, and did it succeed? | Dated restore log inside the last 90 days; named tester; recovery time recorded. |
| Incident response plan (CIS 17.1) | Is there a written IR plan with named roles and notification timelines? | IR plan PDF with version date; named officer signature; insurer contact line included. |
| Annual tabletop exercise (CIS 17.7) | Has a tabletop exercise run in the last 12 months with an after-action report? | Tabletop after-action document; participant list; lessons learned with target close dates. |
| Security awareness training (CIS 14.1) | Are staff trained at hire and on an ongoing cadence, with phishing simulation? | Quarterly phishing simulation reports; annual completion export; click-rate trend. |
| Patch management SLA (CIS 7.3) | What is your SLA for critical and high-severity patches? | Documented SLA (commonly 14 days critical, 30 days high); NinjaOne or Intune compliance report. |
| Network segmentation (CIS 12.2) | Are user, server, and OT or guest segments separated by firewall policy? | Fortinet firewall config showing VLAN separation; topology diagram with policy zones. |
| Privileged access management (CIS 6.8) | Are admin accounts separate from daily user accounts and vaulted? | Keeper or similar vault report; separate admin identity naming convention; just-in-time elevation log. |
| Email security and DMARC (CIS 9.5) | Is DMARC at p=reject with SPF and DKIM on every sending domain? | DMARC aggregate report; DNS records for SPF, DKIM, DMARC; attachment sandboxing config. |
Source: the IBM Cost of a Data Breach Report 2025 places the Canadian average breach cost at CA$6.98M, with credential-based attacks and ransomware leading cost-per-record. (IBM Security, 2025; Insurance Bureau of Canada cyber statistics, 2025.)
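The email-security row in both tables above sets one pass threshold: SPF, DKIM and DMARC at p=reject on every sending domain. The Python below is an added example, not Fusion Computing's tooling; it scores TXT records already exported from DNS (the sample zones, selector name, reporting mailbox and truncated DKIM key are constructed placeholders) and returns a pass/fail finding list per domain for the evidence pack. It goes slightly past the table by also flagging a DMARC `pct` below 100 and an SPF record ending in `+all`, both of which leave a nominal p=reject unenforced.

```python
"""Offline check for the email-security row: SPF present, DKIM published, DMARC p=reject."""
from typing import Dict, List

# Constructed sample zones (not real): DNS name -> TXT records; mailbox, selector and DKIM key are placeholders.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...PLACEHOLDER"],
    "example.org": ["v=spf1 include:_spf.example.net +all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.org"],
}

def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> List[str]:
    """Findings that keep a DMARC record below the insurer's p=reject bar."""
    tags, findings = parse_tags(record), []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("not a DMARC1 record")
    policy = tags.get("p", "<missing>").lower()
    if policy != "reject":
        findings.append(f"policy is p={policy}, not reject")
    if tags.get("pct", "100") != "100":  # pct defaults to 100; lower = sampled
        findings.append(f"pct={tags['pct']} enforces reject on a sample of mail only")
    return findings

def check_spf(records: List[str]) -> List[str]:
    """SPF must exist and must not end in '+all' (or bare 'all'), which authorises any sender."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    last = spf[0].lower().split()[-1]
    return ["SPF ends in +all, authorising every sender"] if last in ("+all", "all") else []

def check_dkim(records: List[str]) -> List[str]:
    """At least one selector must publish a DKIM1 key with a non-empty p= tag."""
    for rec in records:
        tags = parse_tags(rec)
        if tags.get("v", "").upper() == "DKIM1" and tags.get("p"):
            return []
    return ["no valid DKIM key published for any selector"]

def assess_domain(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> Dict:
    """One pass/fail line per domain, with the findings to fix before renewal."""
    dkim = [r for name, recs in txt.items()
            if name.endswith(f"._domainkey.{domain}") for r in recs]
    dmarc = txt.get(f"_dmarc.{domain}", [])
    findings = check_spf(txt.get(domain, [])) + check_dkim(dkim) + (
        check_dmarc(dmarc[0]) if dmarc else ["no _dmarc record"])
    return {"domain": domain, "pass": not findings, "findings": findings}

if __name__ == "__main__":
    print([assess_domain(d) for d in ("example.com", "example.org")])
```

Feed it a TXT export for each sending domain on the application; a domain whose findings list is empty meets the row as written, and each finding is one DNS change to make before the broker call.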
First-party vs third-party coverage
Cyber policies bundle two distinct products. First-party covers the insured business’s own losses. Third-party covers claims from people the breach harmed. Canadian SMBs frequently buy enough first-party coverage but underbuy third-party, then discover the gap during a privacy class action.
| First-party (your costs) | Third-party (others’ claims) |
|---|---|
| Forensic investigation, incident response | Privacy regulator investigations, PIPEDA defence |
| Ransomware payment, recovery costs | Class action defence after personal-data breach |
| Business interruption, lost revenue | Vendor liability for downstream impact |
| Breach notification, credit monitoring | Media liability, reputational claims |
| Data restoration, system rebuild | Regulatory fines where insurable |
Third-party limits should be sized against worst-case notification population, not IT spend. The OPC, provincial privacy regulators, and the courts treat record counts as the unit of harm, and a 30,000-record incident escalates fast. For the regulatory mechanics, see PIPEDA breach reporting and notification obligations.
Why do cyber insurance claims get denied?
According to the Coalition 2024 Cyber Claims Report, ransomware was 19% of reported cyber claims in 2023, 40% of policyholders facing extortion paid, and the average ransomware loss exceeded $263,000 USD, up 28% year over year. Coalition negotiated demands down an average of 64%. A control gap on the application turns a paid claim into a denial.
Denials cluster around a small number of patterns. The policy almost always pays when the application was honest and the controls were running as attested. The painful denials are not edge-case wording; they are misstated controls and lapsed evidence.
The five most common denial reasons Fusion Computing has seen: MFA not enforced on the breached account, EDR not deployed on the affected server, backups failing an untested restore, the IR plan attested at application not existing in writing, and a privileged credential reused on a personal service. Each is a yes that should have been a no.
Social engineering and funds-transfer fraud sub-limits are a separate failure mode. These claims pay, but at a fraction of policy limit because the sub-limit is buried in the schedule. Reading the sub-limit page is the highest-yield 30 minutes at renewal.
A Hamilton client renewed in early 2026 thinking their ransomware sub-limit was their full policy limit. It was not. The schedule capped ransomware at 25% of the aggregate. We restructured with a different carrier the next quarter, kept premium nearly flat, and doubled the practical recovery ceiling. The certificate is marketing; the schedule is the policy.
Qualification reality for Canadian SMBs in 2026 is binary on five controls: enforced MFA, EDR everywhere, immutable backups with recent restore log, written IR plan with tabletop, and quarterly awareness training. Roughly half of new prospects discover a gap on one of those five during the application. Closing the gap with documented evidence shifts the quote category.
How does the cyber insurance application process work?
The application is a structured questionnaire, often 40 to 80 questions across identity, endpoint, network, data, vendor, and governance. Underwriters score the answers, run an external scan against the public-facing footprint, and price against carrier-specific minimums. The cycle takes two to six weeks for a clean SMB account.
The work falls into three buckets. Evidence: MFA screenshots, EDR coverage, restore logs, training exports, IR plan. Attestation: a named officer signs each answer as true. External posture: the carrier scans public IPs and DNS, and what they see must match what was attested.
Need this prepared for an upcoming renewal? Get in touch and walk into the broker meeting with the evidence pack already done.
What is changing in the Canadian cyber insurance market in 2026?
According to the CCCS National Cyber Threat Assessment 2025-2026, ransomware incidents in Canada have grown an average of 26% year over year since 2021, and global ransomware events rose 74% in 2023. The assessment names ransomware the top cybercrime threat facing Canadian critical infrastructure. Canadian underwriters now read these trend lines into renewal pricing.
Three shifts matter for Canadian SMBs in 2026. Carriers are adding Bill C-8 readiness questions for federally regulated sectors. OSFI E-21 operational resilience expectations are flowing into financial-services questionnaires. Provincial regimes including BC PIPA, Quebec Law 25, and PHIPA enforcement are pushing third-party limits up.
Nine of 11 Canadian carriers Fusion Computing reviewed in early 2026 now require attestation that AI tooling is governed, no production data is pasted into consumer LLMs, and vendor reviews cover GenAI subprocessors.
| Carrier | 2026 emphasis |
|---|---|
| Beazley | EDR plus 24/7 SOC; tighter ransomware sub-limits without MDR. |
| Chubb | PAM, admin separation; immutability evidenced via vendor reports. |
| Coalition | External attack surface scoring in pricing; rewards documented patch SLAs. |
| Intact | Canadian SMB focus; PIPEDA alignment; IR plan attestation. |
| Northbridge | Sector underwriting for healthcare, professional services, manufacturing OT. |
Source: the CIRA 2025 Canadian Cybersecurity Survey and the Statistics Canada Survey of Cyber Security and Cybercrime show ransomware and business email compromise remain the top reported incident categories for Canadian organizations under 500 employees. (CIRA, 2025; Statistics Canada; Canadian Centre for Cyber Security baseline controls.)
How does an MSP help you qualify and stay compliant?
A CISSP-led MSP changes the renewal in three places. The MSP runs the controls so attestation matches reality, builds the evidence pack, and stays present after binding so midterm changes do not silently void coverage.
Fusion Computing standardizes Canadian SMBs on Microsoft Entra ID, SentinelOne or Microsoft Defender for Endpoint, Huntress, NinjaOne, Fortinet, and Keeper. Managed detection and response maps directly to insurer questions on 24/7 monitoring, dwell time, and escalation.
Pre-renewal checklist: review 90 days before expiry
Renewals fail when the work starts three weeks before expiry. Starting 90 days out lets a Canadian SMB close MFA gaps, run a tabletop, refresh the IR plan, and assemble an evidence pack that arrives with the broker call.
- Day 90: pull the prior application; validate every yes against current reality.
- Day 80: run an MFA coverage report; close gaps on remote, email, VPN, privileged consoles.
- Day 70: verify EDR on every endpoint; remove signature-only AV remnants.
- Day 60: execute a restore test from immutable backup; save the dated log.
- Day 45: hold the IR tabletop; document the after-action; refresh the IR plan PDF.
- Day 30: run a phishing simulation; export training completion and DMARC reports.
- Day 15: assemble the evidence pack; brief the named officer; pre-read sub-limits with the broker.
- Day 0: sign the application with evidence in hand.
Book a consultation and get a renewal-ready cyber insurance coverage checklist tailored to your environment.
Frequently asked questions
Is cyber insurance mandatory for Canadian businesses?
Cyber insurance is not legally mandatory for most Canadian businesses, but enterprise customer contracts, federal procurement, and regulated-sector vendors increasingly require it. Many large Canadian buyers require suppliers to carry cyber liability with minimum limits and named ransomware coverage. The contractual requirement has overtaken the regulatory question, and most Canadian SMBs buy coverage to keep customers.
How much cyber insurance does a Canadian SMB need?
Most Canadian SMBs of 10 to 150 users land between CA$1M and CA$5M in aggregate coverage, with sub-limits sized against record counts and downtime cost. Healthcare, financial services, and any business handling large volumes of personal information need higher third-party limits because exposure scales with record count. The right number is the one supported by a written exposure analysis, not the cheapest quote.
Does cyber insurance cover ransomware payments?
Most Canadian cyber policies cover ransomware payments under an extortion clause, subject to a sub-limit and pre-approval by the carrier’s breach coach. Payments to OFAC-sanctioned groups are excluded, and several carriers require evidence of immutable backups before paying. Ransomware coverage is conditional, not automatic, and the sub-limit is often well below the headline policy limit.
What is the difference between cyber liability and tech E&O?
Cyber liability covers losses from cybersecurity incidents that affect the insured business or its customers. Tech errors and omissions covers professional liability for technology services delivered to clients, like a coding error or missed SLA. Most Canadian technology firms need both. Standalone cyber and combined cyber-and-E&O policies are both available; the right structure depends on revenue mix and contract requirements.
Will cyber insurance pay if MFA was not enabled?
If the application attested MFA was enforced and the breach traces to an account without MFA, most Canadian carriers will deny on misrepresentation. If partial MFA was disclosed and the breach hit an attested gap, payment is more likely but premium and sub-limits will reflect the disclosed posture. Attest accurately, then close the gaps before the next renewal so coverage and posture stay aligned.
How long does the cyber insurance application process take?
A clean Canadian SMB application takes two to four weeks from questionnaire to bound policy if the evidence pack is ready. Accounts with control gaps or recent incidents take longer because underwriters request remediation evidence and may run additional scans. Starting 90 days before expiry leaves room to fix any control issue surfaced by the questionnaire.
Are regulatory fines covered by Canadian cyber insurance?
Cyber policies cover regulatory investigation defence under PIPEDA, BC PIPA, Quebec Law 25, or PHIPA, plus fines where insurable by law. Some statutory penalties are not insurable in certain provinces, and policy wording varies. Federally regulated entities should confirm how Bill C-8 and OSFI E-21 questions interact with the regulatory defence section. The schedule, not the marketing summary, is the authoritative answer.
What is a cyber insurance evidence pack and why does it matter?
An evidence pack is the bundle of screenshots, exports, and PDFs that proves each yes answer. It typically includes MFA coverage reports, EDR dashboard screenshots, dated restore logs, the IR plan PDF, the latest tabletop after-action, training exports, DMARC reports, and a segmentation diagram. A well-built pack turns renewal into a quoting conversation, and it defends the policy if a claim is contested.
Can a Canadian SMB get cyber insurance after a breach?
Yes, but the application is harder and several carriers will decline new business for 12 to 24 months after a material incident. The pathway is documented remediation, a forensic report, evidence the root cause is closed, and a higher retention. Working with a CISSP-led MSP to build the post-incident control story shortens time to bindable coverage and keeps premium from climbing twice in two years.