Cyber Insurance Questionnaire Cheat Sheet (Free Download for Canadian SMBs)

Instant download
No form to fill, no email required.

Download the PDF Cheat Sheet (23 KB) →

A line-by-line mapping of the 2026 insurer questions to CIS Controls v8.1 — with the evidence, the common “no” that triggers a surcharge, and the 30-day path to a clean “yes” on every line.

Built by Fusion Computing’s CISSP-led team. Mapped to CIS Controls v8.1, NIST CSF 2.0, and the Marsh / Aon / Gallagher / Coalition / At-Bay / CFC questionnaires we have walked through with Canadian SMBs in 2026.

CISSP-led security team
Toronto-based MSP since 2012
10–150 employee Canadian SMBs
Mapped to CIS Controls v8.1
Reviewed by Mike Pearlstein, CISSP

Why your renewal got harder

A 2023 cyber-insurance renewal in Canada was a one-page form. A 2026 renewal is a forty-question audit. Underwriters at Marsh, Aon, Gallagher, Burns & Wilcox, Coalition, At-Bay, and CFC have standardized on questionnaires that map line-by-line to CIS Controls v8.1, NIST CSF 2.0, or both. The same control shows up under different question phrasings, but the evidence requirement is identical: produce a date, a system, a screenshot, or a signed policy. “We have it” is no longer an acceptable answer.

For Canadian SMBs in the 10–150 employee range, the practical effect is brutal. Roughly half the questionnaires Fusion has reviewed in 2026 contain at least one control the firm cannot evidence on the day the broker sends the form. The result is a renewal surcharge of 25–60%, a sub-limit on ransomware, an exclusion on social-engineering loss, or an outright declination.

The hardening you are reading about is real: Marsh’s 2025 Global Insurance Market Index reported cyber-renewal premiums up 6–12% sequentially in Canada with control-driven differentiation. Coalition’s 2025 Cyber Claims Report named MFA, EDR, immutable backups, and 24/7 monitoring as the four controls that move loss ratios most. The same controls show up on every insurer questionnaire we have walked through this renewal cycle. Sources: marsh.com, coalitioninc.com, atbay.com.

What’s inside the PDF

Six pages, formatted for partner-meeting use. Cover, framing page, the eighteen-control mapping table, and a working-session next-step. Bring it to the broker call. Bring it to the underwriter call.

Six pages, eighteen controls, one structure per row

  • Page 1 — Cover with the “Canada’s 50 Best Managed IT Companies 2024 & 2025” badge and author credit
  • Page 2 — Why cyber-insurance questionnaires are now functional security audits (200-word framing)
  • Pages 3–5 — The full mapping table for all eighteen CIS Controls v8.1 with insurer questions verbatim
  • Page 6 — Next steps and the offer to walk the questionnaire with your broker

Every control row tells you four things

  • The verbatim insurer questions — the 1–2 lines from a typical Marsh / Aon / Coalition questionnaire
  • The evidence Fusion’s stack produces — the RMM report, EDR coverage matrix, MFA log, SIEM summary, backup-restore test, vendor inventory entry
  • The common “no” answer that triggers a premium uplift, a sub-limit, an exclusion, or an outright declination — named explicitly
  • The 30-day path to “yes” — the minimum-viable implementation that produces the evidence an underwriter accepts

The eighteen controls covered

  • 1. Inventory and Control of Enterprise Assets
  • 2. Inventory and Control of Software Assets
  • 3. Data Protection
  • 4. Secure Configuration of Enterprise Assets and Software
  • 5. Account Management
  • 6. Access Control Management (MFA + conditional access)
  • 7. Continuous Vulnerability Management
  • 8. Audit Log Management
  • 9. Email and Web Browser Protections
  • 10. Malware Defenses (EDR + 24/7 SOC)
  • 11. Data Recovery (immutable backups + tested restore)
  • 12. Network Infrastructure Management
  • 13. Network Monitoring and Defense
  • 14. Security Awareness and Skills Training
  • 15. Service Provider Management (vendor inventory + SOC 2)
  • 16. Application Software Security
  • 17. Incident Response Management (runbook + tabletop)
  • 18. Penetration Testing

Get the PDF

We’ll email the cheat sheet within five minutes. We’ll also offer a 60-minute no-charge working session where we walk your questionnaire with you and your broker.

We email the PDF immediately. We will not share your details with any third party. PIPEDA-compliant by default.

Who this is built for

Canadian SMBs in the 10–150 employee range who have either received a 2026 renewal questionnaire and felt the temperature change, or who are coming up on a first-time cyber-insurance application and want to know what the underwriter will ask before they fill out the form.

Operating roles get the most out of the cheat sheet: founders and CEOs at firms without a dedicated IT director, CFOs and controllers handling the renewal cycle, COOs and operations leads who own the broker relationship. Internal IT leads use it as a translation layer between the underwriter’s language and their own stack. Brokers tell us they use it as the working agenda for the discovery call with the underwriter.

The mapping is industry-neutral. The same eighteen controls show up whether you are a Toronto law firm, a Hamilton manufacturer, a Vancouver accounting practice, an Ottawa wealth firm, or a Mississauga distributor. The questions adjust slightly by sector. The controls do not.

Related resources from Fusion

The cyber-insurance cheat sheet sits inside Fusion’s broader library of practitioner-built compliance and operational evidence templates for Canadian SMBs. If your firm operates inside a regulated profession, the sector-specific resources below are typically the starting point and the cyber-insurance cheat sheet is the second-pass overlay.

Sector-specific evidence packets

Working with Fusion

We will sit with your broker to walk the questionnaire

Have the cheat sheet, the questionnaire, and a renewal date? Book the 60-minute working session and we will map your stack against the eighteen controls together. No-charge, no expectation that you move IT providers to qualify.
