In one paragraph

Canadian cyber-insurance carriers — Beazley, Coalition, Chubb, Travelers, Liberty Mutual, Northbridge, Intact, Sovereign, and others — converged on a roughly common set of 13 control questions during 2023-2025. If your business cannot demonstrate the controls on this matrix, your application is likely to be denied, your premium is likely to be priced up by 25-100%, or your coverage is likely to carry exclusions for the unmet controls. This matrix shows each control, what carriers typically ask, the evidence they expect, and the CIS Controls v8.1 safeguard that maps to it. Use it as a pre-application self-assessment.

How Canadian cyber-insurance underwriting works in 2026

Canadian cyber-insurance carriers tightened underwriting significantly after the 2020-2022 ransomware cycle. By 2024 the application was no longer a one-page form; it became a 60-150 question controls survey, often with carrier-side technical scanning (BitSight, SecurityScorecard, or equivalent). The questions cluster into 13 control areas. Failing any single control will not necessarily disqualify you — but failing multiple controls, especially endpoint protection, MFA, and backup, will.

The denial / pricing posture in 2026 is roughly:

  • No MFA on email + no MFA on remote access → application typically declined.
  • No EDR / next-gen endpoint protection → application typically declined or premium increased 50-100%.
  • No tested, immutable backups → premium typically increased 25-50%; ransomware sub-limit applied.
  • No employee security awareness training program → premium increase or social-engineering exclusion.
  • No documented incident response plan → premium increase or breach-response sub-limit.

The 13-control readiness matrix

The 13 control areas below cover virtually every question a Canadian cyber-insurance application will ask in 2026. Each entry shows the typical question, the evidence the underwriter expects, and the CIS Controls v8.1 safeguard alignment.

  1. MFA on email
     Typical underwriting question: “Is MFA enforced on all email accounts including admin?”
     Evidence expected: M365/Google Workspace MFA policy export
     CIS v8.1: 6.3, 6.5

  2. MFA on remote access
     Typical underwriting question: “Is MFA enforced on VPN, RDP, and SaaS admin?”
     Evidence expected: Conditional Access screenshots
     CIS v8.1: 6.4

  3. EDR / next-gen AV
     Typical underwriting question: “What EDR product is deployed on all endpoints?”
     Evidence expected: Coverage report from EDR console
     CIS v8.1: 10.6, 10.7

  4. Email security gateway
     Typical underwriting question: “What email filter, with what config?”
     Evidence expected: Defender for O365 / Proofpoint policy
     CIS v8.1: 9.1, 9.6

  5. Immutable backups
     Typical underwriting question: “Are backups immutable / air-gapped? Date of last successful test restore?”
     Evidence expected: Restore-test report signed by IT lead
     CIS v8.1: 11.1, 11.4, 11.5

  6. Patch SLA
     Typical underwriting question: “What is your patching SLA for critical CVEs?”
     Evidence expected: RMM patch-compliance report
     CIS v8.1: 7.3, 7.4, 7.7

  7. Privileged access management
     Typical underwriting question: “How are domain-admin and SaaS-admin accounts managed?”
     Evidence expected: PIM policy + quarterly review export
     CIS v8.1: 5.4, 6.7, 6.8

  8. Network segmentation
     Typical underwriting question: “Are critical systems on a segmented network?”
     Evidence expected: Network diagram + VLAN matrix
     CIS v8.1: 12.2, 12.4

  9. Logging + SOC
     Typical underwriting question: “Do you have 24/7 monitoring? Where do logs go?”
     Evidence expected: SIEM/SOC service description + sample alerts
     CIS v8.1: 8.1, 8.5, 8.11

  10. Security awareness training
     Typical underwriting question: “Frequency of phishing simulations? Mandatory training?”
     Evidence expected: KnowBe4 / equivalent dashboard
     CIS v8.1: 14.1, 14.3

  11. Incident response plan
     Typical underwriting question: “Documented IRP? Date of last tabletop?”
     Evidence expected: IRP doc + tabletop report
     CIS v8.1: 17.1, 17.4

  12. Vendor risk management
     Typical underwriting question: “Inventory of vendors with material access? Their controls?”
     Evidence expected: Vendor inventory + attestations
     CIS v8.1: 15.1-15.7

  13. Wire / payment controls
     Typical underwriting question: “Out-of-band verification for vendor banking changes?”
     Evidence expected: Documented payment-change SOP
     CIS v8.1: 3.3, 14.6

The four most common reasons coverage is denied

  1. Endpoint coverage gaps. EDR deployed to 85% of endpoints reads as “no EDR” to most underwriters. They expect ≥ 95% coverage with the gap explained.
  2. Backups never restore-tested. “We back up nightly” is not evidence. Carriers want a dated restore-test report, ideally within the last 6 months.
  3. MFA bypass exceptions. A small number of executive accounts excluded from MFA is a common, fatal answer. The exception list should be zero or carry compensating controls.
  4. Inconsistent incident response. No written IRP, no tabletop in 24 months, no named breach coach or external counsel — the carrier infers higher loss-adjustment costs and prices accordingly.

How this matrix relates to the cyber-insurance coverage checklist

Our cyber-insurance coverage checklist covers what insurers require at the policy level (MFA, EDR, backup verification, employee training). This readiness matrix is the operational layer below that: the specific evidence the carrier wants when they ask, and the CIS Controls v8.1 safeguards that map to each control.

Use the checklist to decide whether you should be applying for coverage now. Use this matrix to assemble the actual application evidence package.

About this matrix

This matrix is maintained by Mike Pearlstein, CISSP, Founder and CEO of Fusion Computing Limited. Fusion Computing supports Canadian SMBs through cyber-insurance application and renewal processes, including assembling the controls-evidence package and remediating gaps before underwriting. We are a Microsoft Solutions Partner (Security, Modern Work, Infrastructure) and a CompTIA Managed Services Trustmark holder.

If you’d like a PDF version or want a pre-application assessment, book a 30-minute consult.