Every year the cyber insurance application grows. What started as a two-page form is now a 40-question security questionnaire, often with follow-up calls and external validation. The 2026 renewal cycle has also normalised specific technical minimums: applications that would have been accepted in 2022 are now declined outright, and coverage sublimits for social engineering and ransomware have tightened. None of this is unfair. It reflects what insurers have paid out over the past five years.

The Controls Underwriters Actually Check

Different insurers ask the questions in different words, but the technical content is remarkably consistent. If you can honestly tick every item below, renewal is straightforward. If you cannot, expect either rate increases, sublimits, or a decline.

1. Multi-factor authentication everywhere

Not just "for admins". MFA on every email account, VPN, remote desktop gateway, cloud admin console, and privileged server. Phishing-resistant methods (FIDO2 or number-matching push) are preferred. SMS-based MFA is increasingly flagged as insufficient for administrative accounts. This is the single most common decline reason we see.

2. Endpoint detection and response on every endpoint

Every server, every laptop, every workstation. Traditional antivirus no longer satisfies the question "what EDR do you use?". Underwriters are asking for product names and asking whether alerts are monitored 24/7 by a person. If your EDR is installed but no one is watching the alerts, that counts against you.

3. Tested offline or immutable backups

Three questions inside one: are backups being made? Are they stored in a form an attacker cannot reach from the production network? Have they been test-restored recently? "We have backups" is not sufficient. "We restore-tested last quarter and the runbook is documented" is.

4. Security awareness training

An annual phishing simulation programme with tracking, remedial training, and board-level reporting. Underwriters ask how often you run simulations and what your click-through rate looks like. Too high a rate is a flag. Never running one is worse.

5. Written incident response plan

A documented plan that names the decision-makers, lists the incident response retainer or insurance hotline, describes the notification thresholds, and has been reviewed in the last 12 months. Bonus points if a tabletop exercise has been run.

6. Patching cadence

Critical vulnerabilities patched within 7 to 14 days. Internet-facing systems patched faster. No end-of-life operating systems on the network. Underwriters now run external scans; unpatched edge devices (VPN concentrators, firewalls, on-prem Exchange, legacy file transfer appliances) are a flag that often results in a conditional renewal or a decline.
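To turn the patching cadence above into the kind of report an underwriter asks for, here is an added example (not code from the original post) that checks a vulnerability-scan export against a per-exposure SLA. The thresholds (7 days internet-facing, 14 days internal) and the sample findings are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed SLA thresholds: the article gives 7 to 14 days for criticals and
# says internet-facing systems must be faster. Adjust to your written policy.
SLA_DAYS = {"internet-facing": 7, "internal": 14}

@dataclass
class Finding:
    host: str
    severity: str            # e.g. "critical", "high"
    exposure: str            # "internet-facing" or "internal"
    detected: date
    patched: Optional[date] = None   # None means still open

def days_open(f: Finding, as_of: date) -> int:
    """Days from detection to patch, or to the report date if still open."""
    end = f.patched or as_of
    return (end - f.detected).days

def sla_breaches(findings, as_of: date):
    """Return (host, days_open, sla_days) for criticals patched late or still open past SLA."""
    breaches = []
    for f in findings:
        if f.severity != "critical":
            continue
        sla = SLA_DAYS[f.exposure]
        opened = days_open(f, as_of)
        if opened > sla:
            breaches.append((f.host, opened, sla))
    return breaches

# Constructed sample findings (hypothetical hosts, no real vulnerabilities).
SAMPLE = [
    Finding("vpn-gw-01", "critical", "internet-facing", date(2026, 3, 1), date(2026, 3, 5)),
    Finding("fw-edge-02", "critical", "internet-facing", date(2026, 3, 1), None),
    Finding("file-srv-03", "critical", "internal", date(2026, 3, 2), date(2026, 3, 20)),
    Finding("wks-104", "high", "internal", date(2026, 2, 1), None),
]
REPORT_DATE = date(2026, 3, 15)   # the date the patch report is generated

if __name__ == "__main__":
    for host, opened, sla in sla_breaches(SAMPLE, REPORT_DATE):
        print(f"{host}: open {opened} days, SLA {sla} days")
```

Anything the function returns is what you should either fix before renewal or explain as a compensating control in the application narrative.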

7. Privileged access management and conditional access

Global Admin, Domain Admin, and root-level accounts are used only for administrative tasks and require MFA plus conditional access (location, device compliance). No admin accounts used for email or web browsing. Just-in-time elevation is a positive factor.

8. Email authentication

SPF, DKIM, and DMARC configured on all sending domains, with DMARC at least at p=quarantine and ideally p=reject. Some underwriters now check this externally before asking.
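Since underwriters check DMARC externally, it is worth checking it yourself first. The following is an added example (not from the original post) that rates DMARC TXT records against the threshold above: p=quarantine as the minimum, p=reject as ideal, p=none or no record as a fail. The domains and records are constructed; in practice the record comes from a DNS TXT query of _dmarc.<domain>.

```python
# Constructed sample DMARC records for hypothetical domains.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
    "example.ca": None,   # no _dmarc record published at all
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; returns {} if missing or not DMARC1."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags

def assess_dmarc(record):
    """Return (level, detail): 'fail', 'minimum' (quarantine) or 'ideal' (reject)."""
    tags = parse_dmarc(record)
    if not tags:
        return ("fail", "no valid DMARC record")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return ("fail", "p=none is monitor-only; enforce quarantine or reject")
    if policy not in ("quarantine", "reject"):
        return ("fail", f"unknown policy {policy!r}")
    notes = []
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        notes.append(f"pct={pct} applies the policy to only {pct}% of mail")
    if tags.get("sp", policy).lower() == "none":
        notes.append("sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        notes.append("no rua= address, so aggregate reports are not collected")
    level = "ideal" if policy == "reject" else "minimum"
    return (level, "; ".join(notes) or f"p={policy}")

def assess_all(records):
    """Assess every sending domain; any 'fail' is a renewal flag."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, (level, detail) in assess_all(SAMPLE_RECORDS).items():
        print(f"{domain:12} {level:8} {detail}")
```

The pct and sp checks matter because a record that says p=reject but pct=10 or sp=none looks enforced on paper while leaving most mail, or every subdomain, unprotected.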

9. Network segmentation

Flat networks where a compromised workstation can talk to the file server, the backup server, and the production database are increasingly rejected. At minimum, separation between user, server, backup, and guest networks.

10. Third-party risk

Do you have an IT provider or service providers with access to your environment, and do they themselves carry cyber insurance and run these controls? Supplier compromise is a growing claim category and underwriters ask about it.

What Gets You a Flat Decline

In 2026, these are the immediate-decline items we see from Canadian cyber carriers.

  • No MFA on cloud administrative accounts.
  • End-of-life Windows Server versions still in use (Server 2012 R2 and older without extended security updates).
  • Publicly exposed Remote Desktop (RDP) on the open internet.
  • Unpatched critical vulnerabilities on internet-facing devices when the underwriter's external scan runs.
  • No documented or tested backup recovery, or backups that are visible and writable from the production domain.
  • Prior ransomware or BEC incident within 12 months without a documented remediation.
  • Refusal to allow the external scan or questionnaire completion.

What Gets You a Rate Increase Instead

Partial compliance often produces a higher rate rather than a decline, along with sublimits. Common patterns:

  • MFA in place but not on every service (VPN or legacy apps missing).
  • EDR deployed but not monitored 24/7.
  • Backups tested annually but not documented.
  • No written incident response plan.
  • No DMARC on primary sending domain.

Social engineering, funds transfer, and ransomware sublimits are the most common way insurers cap exposure on partially compliant applicants. A policy with a high overall limit but a small social-engineering sublimit is not as protective as it looks; see our guide to cyber liability insurance in BC.

The Renewal Prep Checklist

Four to six weeks before renewal, run through this list with your IT provider. Fix what you can. Document what you cannot fix yet and explain the compensating controls in the application narrative.

  • MFA enforced on all user accounts, not just administrators.
  • Conditional access blocking legacy authentication and foreign sign-ins.
  • EDR deployed and monitored on every endpoint and server.
  • Offline or immutable backups with a tested restore in the last 90 days.
  • Patch report showing critical vulnerabilities patched within policy.
  • No end-of-life operating systems, or a written retirement plan with a date.
  • No public RDP; all remote access via VPN or zero trust gateway with MFA.
  • Incident response plan reviewed in the last 12 months.
  • Phishing simulation run in the last 90 days with click-through metrics.
  • DMARC at p=quarantine or p=reject on all sending domains.
  • Privileged accounts separated from daily-use accounts.
  • Documented offboarding procedure for IT and privileged users.

Be honest on the application. Material misrepresentation on a cyber application is one of the cleanest coverage disputes a carrier has. If you said you had MFA on all accounts and a post-incident investigation shows you did not, the claim can be denied and the policy rescinded. If you are not there yet, say so and describe the plan.

Ready Your Environment for Renewal

Hexafusion runs renewal readiness assessments against the controls Canadian insurers actually check. We identify the gaps, quantify the remediation, and help you document compensating controls where full remediation is not possible yet. Request a quote to scope an assessment.
