Cyber Insurance Requirements for Canadian Small Businesses (2026): The Controls Insurers Now Demand


Most Canadian small businesses still treat cyber insurance the way they treat fire insurance. You buy a policy, file it in a drawer, and forget about it until something burns. That model is finished. In 2026, a cyber policy is a conditional promise, and the conditions are a list of security controls you attest to on the application and have to keep running every single day.

Statistics Canada found that only 22% of Canadian businesses carried cyber insurance in 2023, which leaves roughly four in five exposed (Statistics Canada, 2024). For the businesses that do apply, the questionnaire has turned into a security audit. Answer it wrong and the policy is denied or repriced, or you pay premiums for years and are refused at the moment you file a claim.

This guide covers the controls carriers now require, why each one matters, and how to tell whether your business would pass today. Fusion Computing completes these applications with Canadian clients every renewal season, so the examples below come from real files, not theory.

Key Takeaways

  • Only 22% of Canadian businesses carried cyber insurance in 2023, and the coverage terms for those who do are tightening fast.
  • Insurers now scrutinize eight core controls. Multi-factor authentication on every account is the single most-checked line on the form.
  • Signature antivirus is treated as legacy. Underwriters expect EDR, plus immutable backups with a tested restore.
  • Your biggest exposure is not the premium. It is a claim denied for material misrepresentation after a breach.
  • PIPEDA already requires you to report serious breaches, and insurers underwrite to that legal duty.

What “cyber insurance requirements” mean in 2026

Cyber insurance requirements are the specific security controls an insurer makes you attest to before it will write or renew a policy. In 2026 those attestations function as warranties. If a control you claimed was in place turns out to have a gap, the carrier can dispute, reduce, or deny your claim. The policy is the floor those controls create, not a blanket you can pull over a weak setup.


The shift is visible in renewal data. Among Canadian organizations, recent insurer changes included verifying current security measures (39%), raising premiums (38%), and changing the eligibility rules to obtain or renew coverage (37%), according to the 2024 CIRA Cybersecurity Survey.

That is why the smart way to read the application is as a checklist of what good looks like. Close the gaps it exposes and you are not just insurable. You are genuinely harder to breach. Our cybersecurity services team treats the questionnaire as the deploy backlog for exactly that reason.

The eight controls insurers now require

Underwriters cluster around the same core set of controls regardless of carrier. The insurer Coalition names multi-factor authentication, endpoint detection and response, secured backups, identity and access management, and a tested incident response plan as the essentials, with MFA the most scrutinized of all (Coalition, 2025). The table below shows what each control means on the form and why it earns the scrutiny.

  • Multi-factor authentication. What underwriters expect: enforced on email, VPN, remote access, and every admin account, using number-matching or phishing-resistant methods. Why it matters: stops the stolen-credential attacks behind most breaches.
  • Endpoint detection and response. What underwriters expect: behaviour-based EDR or XDR on 100% of endpoints, not signature antivirus. Why it matters: catches and isolates threats that antivirus misses.
  • Immutable and offline backups. What underwriters expect: encrypted offline or immutable copies, plus a recent restore you actually tested. Why it matters: lets you recover without paying a ransom.
  • Identity and privileged access. What underwriters expect: least-privilege roles, separated admin accounts, conditional access. Why it matters: limits how far an intruder can move once inside.
  • Tested incident response plan. What underwriters expect: a written plan with named roles, exercised in the last 12 months. Why it matters: shortens dwell time and proves due diligence.
  • Email security. What underwriters expect: DMARC enforced, advanced phishing and attachment filtering. Why it matters: closes the top entry point for fraud.
  • Patch and vulnerability management. What underwriters expect: a defined SLA for critical patches and no exposed end-of-life systems. Why it matters: removes the known flaws attackers scan for.
  • Security awareness training. What underwriters expect: regular phishing simulation and staff training with records. Why it matters: reduces the human-click risk that opens the door.

None of this is arbitrary. Fusion Computing maps each of these eight controls to CIS Controls v8.1, the same baseline we use for managed clients, so the insurer requirement and the security baseline are the same work done once.


Why MFA is the single make-or-break control

Multi-factor authentication on every account is the most-scrutinized line on any cyber application, and the easiest one to get wrong. Insurers ask whether MFA is enforced on email, VPN, remote access, and privileged accounts. A “yes” that only covers email is the gap that voids coverage. Legacy SMS codes no longer satisfy most carriers, who now expect number-matching or phishing-resistant methods.

Key stat

Microsoft reports that MFA blocks more than 99.2% of account-compromise attacks (Microsoft Entra, 2026). It is the cheapest high-impact control on the entire application.

In practice, the two answers that most often fail an application are whether MFA is truly on every account and the date of the last tested backup restore. Both feel like a quick “yes” under time pressure. Both are easy for a forensics team to disprove later.

EDR and immutable backups: the two controls that sink applications

Signature antivirus is treated as legacy. Underwriters want endpoint detection and response that watches behaviour in real time and can isolate a compromised device on its own. They also want backups that are immutable or offline, with a restore you have actually tested and dated. These two controls quietly fail more applications than any others.

The questions people answer wrong are specific: the percentage of endpoints actually covered by EDR, and the date of the last successful restore test. A Hamilton manufacturer we onboarded, around 120 endpoints, looked covered on paper. They had MFA on email, antivirus on most machines, and nightly backups.

What they did not have was EDR, MFA on the VPN, or separate admin accounts (everyone used a shared admin login), and their last restore test was over a year old. That combination is a declined application.

Across roughly 30 renewals Fusion Computing has handled since 2022, moving an antivirus-only client to EDR at full coverage is usually the single biggest lift on the form. Our disaster recovery approach pairs that with immutable backups and a scheduled restore test, so the backup answer is true and provable.

The application is now a line-by-line security audit

The cyber application used to be a single page. It has grown into a detailed control questionnaire mapped to frameworks like CIS Controls and NIST CSF. Every answer is a warranty. Your responses become contractual representations the insurer can hold you to if a claim is ever filed. The domains below are now standard.

  • Identity and access: MFA coverage, conditional access, privileged-account separation.
  • Endpoint security: EDR or AV vendor, version, deployment coverage percentage.
  • Email security: DMARC posture, phishing filtering, attachment sandboxing.
  • Backup and recovery: frequency, retention, immutability, offline copy, last restore test.
  • Network security: firewall, segmentation, remote-access controls.
  • Patch management: critical-patch SLA, end-of-life systems, vulnerability scanning.
  • Third-party risk: vendor access, supplier security review.
  • Incident response: written plan, named roles, last test date.
  • Training: awareness program, phishing simulation cadence.
  • Prior incidents: past breaches, claims, regulatory notices.

Reading the form this way is useful even before you buy. A cybersecurity assessment against these same domains tells you where you stand and what to fix first, which is the order the insurer cares about too.

How cyber insurance claims actually get denied

The most damaging denial reason is material misrepresentation. You attested to a control on the application, then a forensics team found it was not fully in place when the incident happened. The claim is denied, and the years of premiums you paid buy nothing. The policy is the floor your controls create, so claim denial, not the premium, is the real exposure.

Warning

The most expensive outcome is not a declined application. It is a declined claim. If you attest that MFA is on every account and forensics later finds three mailboxes without it, the insurer can rescind coverage for material misrepresentation. A US case, Travelers v. International Control Services, turned on exactly this, with the carrier moving to void a policy after finding the attested MFA was not in place.

There are quieter denial paths too. A control that lapses between renewals, a known vulnerability you left unpatched, or a breach you reported late can all sink a claim. This is the answer to the common objection that the insurer will simply handle it.

Cyber insurance pays the claim. It does not stop the claim, and it will not pay one you cannot stand behind. A documented and tested incident response plan is part of keeping the policy honest.

“We thought we were covered. The application asked if MFA was on everything and we said yes, because it was on email. Fusion Computing showed us the VPN and our admin account were wide open. We fixed all of it before renewal, passed, and the premium actually came down.” Operations director, Hamilton manufacturer, roughly 120 endpoints.

What being uninsured or underinsured costs a Canadian SMB

The downside is concrete, and it is Canadian. IBM put the average cost of a data breach in Canada at CA$6.98M in 2025, up 10.4% from the year before, with phishing-initiated breaches averaging CA$7.91M (IBM, 2025). For a small business, a single uninsured event at that scale is rarely survivable.


Fraud is the more common hit. The Canadian Anti-Fraud Centre logged hundreds of millions in reported fraud losses in 2024, and it estimates only 5 to 10% of fraud is ever reported. Business email compromise and funds-transfer fraud together made up 60% of cyber claims in 2024, according to the Coalition 2025 Cyber Claims Report.

Ransomware remains the headline threat. Statistics Canada found 13% of impacted businesses reported a ransomware incident, and 88% of those hit did not pay. The lesson in that number is that recoverable backups, an insurable control, are what let a business refuse the demand. Strong data security and compliance turns those statistics into a plan rather than a fear.

PIPEDA, breach reporting, and why insurers care

Canadian law already obligates you, and insurers underwrite to it. Under PIPEDA, you must report any breach posing a real risk of significant harm to the Office of the Privacy Commissioner, notify the affected individuals, and keep records of every breach for at least 24 months. Knowingly failing to report is an offence carrying fines up to $100,000 CAD (OPC, current).

Insurers read that duty as part of your risk. A business that cannot show a breach-reporting process is a business that may mishandle the very incident the policy covers.

The threat backdrop reinforces it. The Canadian Centre for Cyber Security calls ransomware the top cybercrime threat facing Canada in its assessment for 2025 and 2026 (CCCS, 2024). The same regulatory pressure now shapes adjacent laws, which our explainer on Bill C-8 covers in more depth.

Your 2026 cyber insurance readiness checklist

Before you touch the application, score yourself honestly against the controls insurers test. A clean “yes” to all ten means you are ready to apply and, more to the point, genuinely defensible. Any “no” is a gap to close first, because answering “yes” when the answer is “no” is how claims get refused.

Readiness checklist

  • MFA enforced on email, VPN, remote access, and every admin account.
  • EDR or XDR deployed on 100% of endpoints, not signature antivirus.
  • Immutable or offline backups with a restore tested in the last 90 days.
  • A written incident response plan, with named roles, tested this year.
  • DMARC enforced and advanced phishing filtering in place.
  • A defined SLA for critical patches and no end-of-life systems exposed.
  • Privileged access separated from daily-use accounts.
  • Security awareness training and phishing simulation running on a schedule.
  • Vendor and third-party access reviewed.
  • A breach-notification process aligned to PIPEDA.
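The checklist says "DMARC enforced", and that is a narrower bar than "DMARC published": a p=none record only monitors, a pct below 100 applies the policy to part of the mail flow, and a weaker sp= leaves subdomains open. The script below is an added example, not Fusion Computing's tooling or the page's own code; it grades a DMARC TXT record (assumed already fetched from the _dmarc.<domain> TXT entry) against that bar, using constructed sample records.

```python
# Added example, not the page's or Fusion Computing's code: grade a DMARC TXT
# record against the "DMARC enforced" bar. Sample records below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENFORCING = ("quarantine", "reject")  # p=none only monitors; it enforces nothing

@dataclass
class DmarcResult:
    enforced: bool                 # passes the application's "enforced" bar
    policy: Optional[str]          # the p= value found, if any
    findings: List[str] = field(default_factory=list)

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict. Tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> DmarcResult:
    """Return whether the record enforces, plus every reason it falls short."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcResult(False, None, ["not a DMARC1 record"])
    policy = tags.get("p", "").lower()
    subdomain = tags.get("sp", policy).lower()   # sp= defaults to the p= value
    pct = tags.get("pct", "100")                  # pct= defaults to 100
    findings: List[str] = []
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'} is monitoring only, not enforcement")
    if subdomain not in ENFORCING and subdomain != policy:
        findings.append(f"sp={subdomain} leaves subdomains weaker than p={policy}")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail flow")
    enforced = not findings
    if "rua" not in tags:
        # A missing report address does not break enforcement, but it leaves no
        # evidence trail to show an underwriter or a forensics team.
        findings.append("no rua= address, so there is no aggregate-report evidence")
    return DmarcResult(enforced, policy or None, findings)

# Constructed sample records for the three cases an assessment usually sees.
PASSING = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=quarantine; sp=none; pct=25"

if __name__ == "__main__":
    for name, rec in (("passing", PASSING), ("monitor", MONITOR_ONLY), ("partial", PARTIAL)):
        result = assess_dmarc(rec)
        print(name, "enforced" if result.enforced else "NOT enforced", result.findings)
```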

If you want the scored version, our compliance readiness assessment walks through these controls and shows where the gaps are. From there, Fusion Computing reviews each gap with a CISSP and maps it to a fix, so the next renewal is a formality rather than a scramble.

The bottom line on cyber insurance requirements

Cyber insurance in 2026 rewards businesses that can prove their controls. Treat the renewal questionnaire as your security to-do list, close the gaps before you sign, and the policy becomes a real backstop. Fusion Computing reviews these controls with Canadian SMBs and maps every gap to a fix.

Fusion Computing helps Canadian businesses across Toronto and the GTA, Hamilton, and Metro Vancouver with managed IT, cybersecurity, and Microsoft 365.

Frequently Asked Questions

What security controls do cyber insurers require in 2026?

Most carriers cluster around eight controls: multi-factor authentication on every account, EDR or XDR on all endpoints, immutable or offline backups with a tested restore, identity and privileged access management, a tested incident response plan, DMARC and phishing filtering, patch management, and security awareness training. MFA is the most scrutinized line on the application.

Is cyber insurance mandatory for businesses in Canada?

No federal law makes cyber insurance mandatory for most Canadian businesses. It can still be required by a contract, a lender, or a larger client’s vendor terms. Separately, PIPEDA requires you to report serious breaches and keep breach records, so a legal duty exists even when the insurance itself is optional.

Does cyber insurance require multi-factor authentication?

Yes. MFA is the control underwriters check first, and most carriers will not write or renew a policy without it enforced on email, VPN, remote access, and admin accounts. SMS codes often no longer qualify. Insurers increasingly expect number-matching or phishing-resistant MFA, because Microsoft reports it blocks more than 99.2% of account-compromise attacks.


Can an insurer deny my cyber insurance claim?

Yes. The most common serious reason is material misrepresentation, where you attested to a control on the application and a forensics review later found a gap. Claims can also be denied when a control lapses between renewals, a known vulnerability went unpatched, or a breach was reported late. The policy only protects controls you can prove.

What is material misrepresentation on a cyber insurance application?

Material misrepresentation means an answer on your application was inaccurate in a way that affected the insurer’s decision to cover you. If you stated MFA was on every account and an investigation found mailboxes without it, the carrier can rescind the policy and refuse the claim. Application answers are treated as warranties, not estimates.

Is antivirus enough, or do I need EDR for cyber insurance?

Traditional signature antivirus is treated as legacy and rarely satisfies underwriters now. They want endpoint detection and response, EDR or XDR, that watches behaviour in real time and can isolate a compromised device automatically. Expect the application to ask for your EDR vendor, version, and the exact percentage of endpoints it covers.

What kind of backups do cyber insurers require?

Insurers want backups that ransomware cannot reach or encrypt, which means immutable or offline copies kept separate from production. They also ask for the date of your last successful restore test, not just whether backups run. A backup you have never restored does not count as a working recovery control on the form.

How much does a data breach cost a Canadian business?

IBM put the average cost of a data breach in Canada at CA$6.98 million in 2025, up 10.4% from the prior year, with phishing-initiated breaches averaging CA$7.91 million. Most small businesses cannot absorb a single event at that scale, which is the core reason cyber insurance and strong controls matter together.

How do I prepare for a cyber insurance application or renewal?

Treat the questionnaire as a security checklist and close the gaps before you sign. Confirm MFA on every account, EDR on all endpoints, immutable backups with a recent tested restore, a tested incident response plan, DMARC, patching, and training. A readiness assessment scores each control so your answers are accurate and provable.

Does PIPEDA require me to report a data breach?

Yes. Under PIPEDA you must report any breach posing a real risk of significant harm to the Office of the Privacy Commissioner, notify the affected individuals, and keep records of every breach for at least 24 months. Knowingly failing to report is an offence that can carry fines up to $100,000 CAD.


Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.
