What do cyber insurers actually require from a small business?
Cyber insurers now expect a defined set of security controls before they will quote or renew a small business: multi-factor authentication, endpoint detection and response, tested backups that are kept offline, regular patching, least-privilege access, staff security training, and a written incident response plan. These controls have moved from optional to expected. On most applications, missing controls mean a higher premium, a lower limit, a coverage exclusion, or a declined application.
The Insurance Bureau of Canada's Cyber Savvy insurance guide reflects most of this same core set. Drawing on Get Cyber Safe and the Canadian Centre for Cyber Security, it recommends multi-factor authentication for log-in protection beyond passwords, backing up critical data, keeping software and systems patched, limiting access to sensitive information, training employees, and creating a written incident response plan. The guide does not name endpoint detection and response among these proactive controls. It raises EDR only in its post-incident checklist, which we cover further down.
Each control on the list closes off a common way small businesses get breached, so the exercise is about real risk reduction rather than filling in a form. Underwriters ask about these controls because they have paid claims where a missing one was the difference between a minor incident and a business-ending one.
- Multi-factor authentication (MFA) on email, remote access, and admin accounts.
- Endpoint detection and response (EDR) on computers and servers.
- Backups of critical data, tested and kept offline or otherwise isolated.
- Regular patching of operating systems, applications, and firmware.
- Least-privilege access so people can only reach what their role needs.
- Security awareness training for all staff, including phishing.
- A written incident response plan that names who does what.
Why have cyber insurance requirements tightened?
Requirements tightened because claims rose and insurers started pricing risk on the controls a business actually has in place. Ransomware, business email compromise, and data theft became common and expensive, so underwriters moved from a short questionnaire to a detailed one and began declining businesses that could not show basic protections.
The Canadian numbers show the pressure. According to Statistics Canada's 2023 Canadian Survey of Cyber Security and Cybercrime, 22 percent of Canadian businesses held cyber risk insurance in 2023, up from 16 percent in 2021, while only 26 percent had written cyber security policies, unchanged from 2021. About one in six businesses, 16 percent, were affected by a cyber security incident that year. Total spending to recover from incidents roughly doubled, from about 600 million dollars in 2021 to 1.2 billion dollars in 2023.
The severity at the individual level is what worries underwriters. The Insurance Bureau of Canada's Cyber Savvy guide states that a single data breach could cost a Canadian business as much as 7 million dollars, citing a 2025 IBM report. When a rare claim can be that large, insurers respond by requiring the controls that make a claim less likely and less severe, and by asking harder questions before they take the risk on.
What will the insurance application ask me?
Expect a detailed questionnaire, not a one-page form. According to the Insurance Bureau of Canada's Cyber Savvy guide, when you apply for cyber insurance you will likely have to complete an application insurers use to assess your risk and price the policy. It covers what personal and financial data you collect, your security controls, the technology you use for encryption and authentication, your antivirus and firewalls, and whether you provide security and privacy training to all staff.
The Insurance Bureau of Canada also points owners to its Cyber Insurance Assessment, a self-assessment questionnaire. IBC says the questions are similar to those you might see on a cyber insurance application, and describes the free tool as covering the cyber security protocols and best practices that most cyber insurers look for. IBC is candid that the free tool cannot provide an actual risk assessment, but it helps you gauge whether your business is a good candidate for coverage.
Your answers need to be true and documented. Insurers can and do check, and a claim can be disputed if the controls you attested to were not actually in place. Treat the application as a description of what you really run, not what you intend to set up later.
- What personal and financial data you collect and store.
- Your security measures for preventing access to IT systems and servers.
- The technology you use for encryption and authentication.
- Antivirus, anti-malware, and firewalls.
- Whether all staff receive security and privacy training.
How do these requirements line up with recognized Canadian controls?
The controls insurers ask for map closely to the Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations. That guidance targets organizations with fewer than roughly 500 employees and applies the 80/20 principle, aiming to achieve 80 percent of the benefit from 20 percent of the effort. If you follow the baseline, you are covering most of what an insurer will ask about.
The overlap is close to one-for-one. The Cyber Centre recommends two-factor authentication wherever possible, a written incident response plan that names who handles incidents, automatic patching for software and hardware, backups of essential systems stored encrypted and offline, security awareness training, security software that updates and scans automatically, and least-privilege access control. Those are the same items on an insurance questionnaire, described in a Canadian government framework rather than an underwriter's form.
This gives you a neutral, credible reference to build against. Rather than chasing one insurer's wording, you can implement a recognized baseline and then answer any insurer's questions from the same foundation. It also means the work you do for insurance doubles as genuine risk reduction rather than box-ticking.
- Two-factor authentication wherever possible (BC.5).
- Written incident response plan naming who handles incidents (BC.1).
- Automatic patching for software and hardware (BC.2).
- Backups of essential systems, stored encrypted and offline (BC.7).
- Security awareness training (BC.6).
- Enable security software that updates and scans automatically (BC.3).
- Least-privilege access control (BC.12).
How do you prepare before you apply?
Prepare by putting the controls in place first, then gathering the evidence that proves they are working. The order matters. Turning on MFA the week before you apply is fine, but you will answer more confidently, and defend a future claim more easily, if the controls have been running and you can show it.
Work through the core set in a sensible order. Start with MFA on email, remote access, and administrator accounts, since account takeover is one of the most common entry points. Deploy EDR on every computer and server. Get backups tested and isolated so ransomware cannot reach them. Set patching to run automatically and confirm it is actually happening. Tighten access so staff only reach what their role needs. Run security awareness training so people can spot phishing. Write down an incident response plan that names who to call and what to do.
After an incident, some of the same controls come up again. The Insurance Bureau of Canada's Cyber Savvy guide includes a post-incident checklist that tells businesses to change passwords on compromised and related accounts, determine what data was affected, and incorporate advanced security measures such as endpoint detection and response and multi-factor authentication to manage employee access, then report the incident to their cyber insurer, the Canadian Centre for Cyber Security, and the Canadian Anti-Fraud Centre. Insurers commonly expect EDR up front, and its appearance in the guide's recovery steps shows it is treated as a serious measure, not an optional extra.
- Enable MFA on email, remote access, and admin accounts.
- Deploy EDR across all endpoints and servers.
- Test your backups and keep at least one copy offline or isolated.
- Automate patching and verify it is running.
- Enforce least-privilege access and remove stale accounts.
- Train all staff on phishing and safe handling of data.
- Write and store an incident response plan people can find fast.
How does Itsultant help you meet these requirements?
Itsultant is a Canadian-owned IT consulting and cybersecurity firm that works with small and medium businesses and non-profits, and getting clients ready for cyber insurance is part of what we do. We put the controls insurers ask for into place, MFA, endpoint detection and response, tested and offline backups, patching, least-privilege access, staff training, and a written incident response plan, using open-source tools where they fit, such as Wazuh, OpenVAS, and Suricata, so you are not paying per-seat licence fees for the software itself.
We align the underlying security work to recognized frameworks, the CIS Controls and the NIST Cybersecurity Framework, and we map controls to Canadian privacy law, PIPEDA and Ontario's PHIPA where health information is involved. To be accurate about what that means: these are frameworks we align to, not certifications we hold. The value is that your controls are organized against a credible standard rather than assembled ad hoc.
One practical output is what we call an evidence pack: the mapped controls, documented policies, and monitoring records gathered in one place. That is the material an insurer's questionnaire asks for, and having it ready makes the application a straightforward reply instead of a scramble. If a claim ever arises, you can also show that the controls you attested to were genuinely in place. We start with a free, no-obligation assessment to see where you stand against these requirements, then scope a quote to your situation. To get started, reach us at info@itsultant.ca or (647) 809-2230.