A short story to start
A 30-employee logging operation in northwest Alberta — let's call them Wapiti Timber — had been with the same insurance broker for fifteen years. Comprehensive general liability, property, commercial auto. When the broker brought up cyber coverage in 2024, the owner waved it off. "We're a logging company. Who would want our data?"
In April 2026, a phishing email landed in the bookkeeper's inbox. Two days later, the entire office was locked down by ransomware. Payroll couldn't run, fuel orders couldn't be placed, invoices couldn't be sent. The crews were idle for eleven days.
The cost of those eleven days plus recovery was about $340,000. Their general liability policy covered exactly none of it. They didn't have cyber.
Their renewal application that fall? Twenty-three pages of questions. Premium quoted: ten times what it would have cost in 2024, if they'd been able to find a carrier willing to write the policy at all. Eventually they were placed in the surplus-lines market — the insurance equivalent of subprime credit.
This kind of story isn't fiction. It happens every week in Canada now.
What changed
In 2020, you could get a million-dollar cyber policy for a 30-employee business for about $1,200 a year. The application was four pages. Almost nobody read it carefully.
By 2026, the same coverage costs $4,500 to $9,000 a year — if you qualify. The application is twenty to forty pages. Every answer is treated as a sworn statement. A misrepresentation, even an innocent one, can void your coverage at the exact moment you need it most.
What drove the change is simple: between 2021 and 2025, carriers paid out more in ransomware claims than they collected in premiums. They lost a lot of money. They responded the way insurance companies always do — by raising prices, tightening underwriting, and demanding evidence of better security controls before they'd take the risk.
The result is that cyber insurance is now an underwriting product, not a commodity product. Carriers don't want everyone. They want the businesses with strong controls, and they're willing to pay you (through lower premiums) for proving you're one of them.
What your carrier is asking in 2026
If you've been through a renewal recently, you've seen the questionnaire grow. Here are the top ten questions you'll be asked this year, what they really mean, and why the answer matters.
1. "Do you enforce multi-factor authentication (MFA) on all email and remote access?"
If your answer is anything other than a confident "yes, on every account, no exceptions, including admin accounts," your premium goes up and your ransomware coverage may be sublimited.
2. "Do you have managed Endpoint Detection and Response (EDR) deployed on all endpoints?"
Note the word "managed." Antivirus is no longer acceptable. EDR — products like Huntress, SentinelOne, CrowdStrike — needs to be deployed on every laptop, desktop, and server, and there needs to be someone watching it around the clock.
3. "Are your backups immutable, air-gapped, or cloud-stored with retention lock, and tested in the last twelve months?"
The word "tested" is what fails most businesses. Having backups is necessary but not sufficient. If you can't show evidence of a successful restore in the past year, your carrier treats your backups as if they don't exist.
4. "Do all employees receive annual security awareness training, including phishing simulation?"
Annual training is the minimum. Many carriers now expect monthly phishing simulation with measured improvement in click rates over time.
5. "Do you have a written incident response plan and a named external IR firm?"
A plan that lives in someone's head doesn't count. The plan needs to be written, name names, list phone numbers, and identify an external firm you've already contracted with (or have on retainer).
6. "Do you patch critical vulnerabilities within thirty days?"
This is where most small businesses are unknowingly out of compliance. If you can't produce a patch report from a real patch-management system, you can't honestly answer "yes."
7. "Are administrator accounts separated from daily-driver accounts?"
Your bookkeeper's login should not have admin rights to your file server. Your IT person should have two accounts — a standard one for email and Teams, and an admin one used only for admin work.
8. "Do you have an asset and software inventory?"
You can't protect what you don't know exists. A spreadsheet your bookkeeper updated three years ago doesn't count.
9. "Have you had a security incident or insurance claim in the last three years?"
This is a knockout question for some carriers. Honesty is mandatory — misrepresentation here voids coverage. But the question is broader than you think: a malware infection your IT person quietly cleaned up is a "security incident" by most carrier definitions.
10. "Do you engage a managed security service provider?"
A "yes" answer here often comes with a 10-25% premium discount. Carriers know that businesses with dedicated security partners file fewer and smaller claims.
What "good" looks like in 2026
If you can confidently answer "yes" to nine or ten of those questions, you're in a small minority of Canadian SMBs and your renewal will be a pleasure. If you can answer "yes" to five or fewer, you're going to have a hard conversation with your broker in the next twelve months.
The good news: every "no" on that list has a fix. The fixes are mostly affordable, and they almost always pay for themselves through reduced premiums plus reduced risk. The bad news: the fixes take time to implement. You can't game your way to "yes" the week before renewal — carriers verify.
Where to start
The first step is honest self-assessment. We've built a free five-minute Security Risk Report that walks you through these questions and tells you where you stand. If you score in the green tier, congratulations — you have a strong story to tell your broker, and we can help you capture it in a formal report. If you score in the amber or red tier, you have work to do, and it's better to know now than to find out at renewal.
Either way, the deeper Cyber Insurance Readiness Assessment ($2,500 fixed-fee, two-week turnaround) gives you a written gap analysis mapped to the actual questions your carrier is asking, a prioritized 30/60/90-day remediation roadmap, and a cost estimate. It's the document you take to your broker when you want to argue for a lower premium.
The story of Wapiti Timber doesn't have to be your story. But the time to act is now — not the week before your renewal date.
Peace Country Cyber is northern Alberta's local cybersecurity partner. We help businesses in Mackenzie County and the broader Peace River region stay safe online and stay insured.