Cyber Insurance Readiness for BC Businesses
Cyber insurance renewals have changed. What was a one-page form in 2020 is now a 40-question underwriter questionnaire, and answering yes when you should have answered no is a fast path to a denied claim. Hexafusion helps Vancouver and Lower Mainland businesses pass their renewals honestly, with the controls, documentation, and evidence underwriters expect.
What Canadian cyber insurance underwriters now require
Across the carriers writing policies for Canadian small and mid-market businesses, including Chubb, Zensurance, Aon, Foxquilt, Boardwalk, Intact, and the Lloyd's syndicates behind many broker-placed policies, the control list has converged. If you cannot answer yes to most of the items below, you are either uninsurable or quoted at a premium that reflects the risk.
- Multi-factor authentication on all email, all remote access, and all administrator accounts. This is table stakes. Some carriers now treat phone-call or SMS codes as weak; authenticator apps or hardware keys are preferred.
- Endpoint detection and response (EDR) on all endpoints. Traditional anti-virus no longer qualifies. Microsoft Defender for Endpoint, SentinelOne, CrowdStrike, Sophos Intercept X, and similar are what carriers expect.
- Tested offline or immutable backups. Not just backups that exist. Backups that have been successfully restored within the last 90 days, with a signed test record, and at least one copy that ransomware cannot reach from the production network.
- Ongoing phishing training and simulated phishing campaigns. At least annually, preferably quarterly, with results by user and a remediation path for repeat clickers.
- Written information security policy. A living document that is reviewed annually, signed off by leadership, and distributed to staff.
- Written incident response plan. Who calls whom, at what number, in what order, with contact details for breach counsel, insurance, and technical response.
- Vulnerability patching cadence. Critical patches within 14 days, high within 30. Documented exceptions for legacy systems.
- Privileged access management. No day-to-day use of Global Admin or Domain Admin accounts. Separate admin accounts, or just-in-time elevation, with MFA.
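To show how the control list above turns into checkable evidence, here is an added example (not Hexafusion's tooling) that scores constructed sample data against the thresholds the list states: the 14/30-day patch cadence with documented legacy exceptions, the 90-day restore-test window, and MFA enforcement with no carve-outs. Host names, account names and the KB-EXAMPLE identifiers are placeholders.

```python
from datetime import date, timedelta

# Thresholds taken from the underwriter control list on this page.
PATCH_SLA_DAYS = {"critical": 14, "high": 30}
BACKUP_RESTORE_TEST_MAX_DAYS = 90


def patch_findings(patches, today, exceptions=()):
    """Return (host, patch_id, days_past_deadline) for critical/high patches
    that missed the cadence. Hosts in `exceptions` are documented legacy
    systems and are skipped; an uninstalled patch is measured up to `today`."""
    late = []
    for p in patches:
        sla = PATCH_SLA_DAYS.get(p["severity"])
        if sla is None or p["host"] in exceptions:
            continue
        deadline = p["released"] + timedelta(days=sla)
        finished = p["installed"] if p["installed"] is not None else today
        if finished > deadline:
            late.append((p["host"], p["id"], (finished - deadline).days))
    return late


def backup_restore_tested(last_restore_test, today):
    """True only if a logged restore test falls within the last 90 days."""
    if last_restore_test is None:
        return False
    return (today - last_restore_test).days <= BACKUP_RESTORE_TEST_MAX_DAYS


def mfa_exceptions(accounts):
    """Every account without enforced MFA; one entry means the answer is 'no'."""
    return sorted(a["upn"] for a in accounts if not a["mfa_enforced"])


# Constructed sample evidence (placeholders, not real hosts or patches).
TODAY = date(2024, 6, 1)
SAMPLE_PATCHES = [
    {"host": "fs01", "id": "KB-EXAMPLE-1", "severity": "critical",
     "released": date(2024, 5, 1), "installed": date(2024, 5, 10)},   # on time
    {"host": "ws-reception", "id": "KB-EXAMPLE-2", "severity": "critical",
     "released": date(2024, 5, 1), "installed": None},                # still open
    {"host": "legacy-cnc", "id": "KB-EXAMPLE-3", "severity": "high",
     "released": date(2024, 4, 1), "installed": None},                # documented exception
    {"host": "app01", "id": "KB-EXAMPLE-4", "severity": "high",
     "released": date(2024, 4, 20), "installed": date(2024, 5, 25)},  # 5 days late
]
SAMPLE_ACCOUNTS = [
    {"upn": "ceo@example.invalid", "mfa_enforced": False},        # the classic carve-out
    {"upn": "reception@example.invalid", "mfa_enforced": False},  # shared mailbox
    {"upn": "admin-jsmith@example.invalid", "mfa_enforced": True},
]
```

Run against real exports, the three functions give the broker-facing answer plus the list of items that would make an optimistic "yes" a false statement.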
The typical questionnaire gap
We see the same five questionnaire traps every renewal cycle. Answering them optimistically is what causes claims to be denied after a loss. Answering them honestly is what lets you scope a realistic remediation plan with your broker.
- "Is MFA enforced on all remote access and all cloud email?" Many businesses have it enforced on most accounts but have carved exceptions for a CEO who hates the extra step, a shared mailbox, or a service account. Every exception is a hole, and claims adjusters find them.
- "Are backups tested and immutable?" Having Veeam or Datto installed is not the same as having a restore that was actually performed and logged this quarter. A valid answer is "yes, last tested on [date]" with the test record available.
- "Do you have EDR deployed on all endpoints?" Most environments have one or two unmanaged laptops, a forgotten kiosk, or a server that was excluded because an agent once caused a performance issue. Those are the machines that get hit first.
- "Do you conduct regular phishing training?" "We sent one video out two years ago" is not regular. Carriers want to see a platform log, user completion rates, and simulated-phishing results over time.
- "Do you have a written incident response plan?" A document that lives in someone's head does not count. Carriers want to see the PDF, the last revision date, and the contact list.
Our cyber insurance readiness package
We run the readiness engagement in four phases. At the end you have documented evidence for every question on the questionnaire, a remediation plan for gaps, and a security posture the underwriter will recognize.
- Current-state assessment. We run your environment against the consolidated underwriter requirements and map each control to evidence. Output: a scored readiness report you can share with your broker.
- Gap analysis. Every failed or partial control gets a specific remediation, an effort estimate, and a deadline. Priorities follow what the carriers weight most heavily.
- Remediation roadmap. We execute the fixes. MFA enforcement, EDR deployment, backup immutability, privileged access separation, phishing training rollout, documented policies and procedures.
- Documentation bundle. A single PDF bundle with the information security policy, incident response plan, acceptable use policy, backup test records, phishing training logs, patch reports, and MFA coverage attestation. Hand this to your broker.
- Renewal support. We join the underwriter call if invited, answer technical questions, and keep the evidence current through the policy period.
PIPEDA and BC PIPA context
Canadian privacy law and cyber insurance requirements overlap more than most owners realize. Under the federal Personal Information Protection and Electronic Documents Act, you must safeguard personal information with security measures appropriate to the sensitivity of the data. Under British Columbia's Personal Information Protection Act, private-sector organizations in BC carry similar obligations. Both statutes turn a "reasonable safeguards" question into a concrete list: encryption, access control, logging, training, breach response.
Cyber insurers read the same guidance. If you pass the insurance questionnaire honestly, you are also meeting the bar that the Office of the Privacy Commissioner of Canada expects on breach response. See the Commissioner's guidance at priv.gc.ca, the federal Get Cyber Safe program at getcybersafe.gc.ca, and the Insurance Bureau of Canada's cyber risk resources at ibc.ca.
Works with your insurance broker
We do not sell insurance and we do not have a preferred broker. Your broker shops the market, negotiates premium, and advocates on claims. We produce the technical evidence and remediate the gaps. The division of labour works: brokers get a client they can actually place, and you get a renewal that does not spiral upward year after year.
If you do not yet have a broker, we will make introductions to brokers we have worked with across Vancouver who understand Canadian privacy law and who do not push policies with exclusions that gut the coverage. If you do have a broker, we take their questionnaire as the input and work from it.
Industries we work with on cyber insurance
Professional services, legal, dental, medical, accounting, construction, real estate, logistics, manufacturing, and non-profit. Each industry has specific questionnaire concerns: legal gets asked about client data segmentation and trust accounting, dental and medical about patient records and imaging systems, accounting about tax-season surge access, logistics about OT and shipping systems. We have walked through each of these with Vancouver businesses.
Frequently Asked Questions
How long does readiness take?
A typical engagement runs 4 to 8 weeks. Assessment takes 1 to 2 weeks, the remediation sprint 2 to 4 weeks, and documentation 1 to 2 weeks. Accelerated tracks are available when renewal is imminent.
Can you help if my renewal is next month?
Yes. We prioritize the specific controls on your insurer's questionnaire so you can answer accurately and commit to remediation timelines that the underwriter will accept at binding.
Do you guarantee coverage?
No. Coverage decisions sit with the insurer and broker. Our role is to make sure that you can honestly answer yes on the questionnaire, and to produce the evidence an underwriter will accept.
What if we get breached during remediation?
Cyber incident response becomes the priority. For Professional and Enterprise managed clients our on-call rotation covers 24/7 incident response with a 15-minute initial response target. For readiness-only clients, incident response engages rapidly during business hours with best-effort after-hours callback. Readiness work resumes after containment.
Will you speak directly with my broker or underwriter?
Yes. We join calls with your broker and answer underwriter technical questions directly. Your broker negotiates premium, we produce the evidence.
Reviewed by Alex Barari, Founder, former PCI DSS Internal Security Assessor (ISA).
Renewal coming up?
Book a 30-minute readiness assessment. We will review your questionnaire, flag the gaps, and tell you honestly whether we can close them before your renewal date.