What Canadian Cyber Insurers Now Require Before They'll Cover You
A few years ago, cyber insurance was relatively easy to get. That has changed. After a wave of expensive ransomware claims, insurers tightened up — and today, cyber insurance requirements in Canada include a concrete list of security controls you must have in place before a policy will be issued or renewed. Application questionnaires have gone from a single page to detailed technical audits.
If you’re applying or renewing, here’s what insurers now expect to see.
Multi-factor authentication (MFA)
This is the big one. Insurers expect MFA on email, on remote access (VPN and remote desktop), and on administrator accounts at a minimum — many now want it everywhere. Missing MFA is one of the fastest ways to get an application declined.
Endpoint detection and response (EDR)
Traditional antivirus is no longer enough for most insurers. They want modern endpoint detection and response on your devices — technology that can spot and stop suspicious behaviour, not just known viruses.
Tested, secured backups
Because backups are a business’s main defence against ransomware, insurers ask about them in detail: Are they recent? Are they tested? Are they kept offline or immutable so an attacker can’t encrypt them too? “We have backups” is no longer a sufficient answer.
Security awareness training
Since phishing causes so many claims, insurers increasingly expect ongoing staff awareness training, often including simulated phishing tests.
A patching and vulnerability process
Insurers want evidence that known vulnerabilities get found and fixed on a regular schedule — not just whenever someone gets around to it.
An incident response plan
You may be asked whether you have a written incident response plan, and whether it has been tested. A written, tested plan shows the insurer that you can react quickly and limit a loss.
Other controls insurers commonly ask about
- Email filtering and anti-phishing protection
- Limiting and protecting administrator (privileged) accounts
- Logging and monitoring of activity
- Network segmentation
What happens if you don’t have them
Gaps have real consequences. Depending on the insurer, missing controls can mean a declined application, a higher premium, lower coverage limits — or, worst of all, a denied claim later because you didn’t actually have a control you said you had. Answer questionnaires honestly and accurately.
How a managed security provider helps
Most of the controls on an insurer’s checklist — MFA, EDR, monitoring, vulnerability management, incident response, awareness training — are exactly what a managed security service delivers. Working with an MSSP not only helps you qualify for better coverage, it also gives you accurate answers for the questionnaire and the evidence to back them up.
If a renewal or application is coming up, get in touch and we’ll help you close the gaps insurers care about — and explore our services to see how they map to the checklist.