COSMICBYTEZLABS

The 10 Controls Every Canadian Cyber-Insurance Carrier Asks About in 2026

A line-by-line walkthrough of the standard 2026 Canadian cyber-insurance questionnaire — what each question is really asking, why it matters, what an honest "yes" looks like, and what carriers do when the answer is "no."

Dylan H.

Founder, Peace Country Cyber

August 1, 2026
8 min read

Every Canadian cyber-insurance application I've reviewed in the past twelve months — Coalition, Beazley, CFC, Travelers Canada, Chubb Canada, Acera, and the surplus-lines markets behind them — converges on the same ten questions. The wording varies. The substance does not.

Here are the ten questions, what each one is really asking under the surface, what carriers do with a "yes" versus a "no" answer, and what an honest "yes" actually requires.

If you can answer yes to nine or ten of these, your 2026 renewal will go well. If you can answer yes to fewer than six, you should not be surprised by a premium increase, a coverage restriction, or a non-renewal.

Question 1 — Multi-factor authentication

"Is multi-factor authentication required for all employee access to email and remote networks?"

What they're really asking: Are credentials, by themselves, sufficient for an attacker to access your environment? Or do they need to also compromise a second factor?

Honest "yes" requires: MFA enforced for 100% of users (not "most" — all), including administrators, including service accounts where technically feasible, on every cloud application your business uses (not just email), including for VPN or remote-desktop access.

Carrier response: A "yes" with documented enforcement is the baseline expectation. A "no" makes you ineligible at many carriers entirely; at others it pushes you into surplus-lines pricing.

Question 2 — Endpoint detection and response

"Do you have managed endpoint detection and response (EDR) deployed on all servers, workstations, and laptops?"

What they're really asking: Do you have a security tool that actively watches behaviour on every machine — not just signature-based antivirus — and is someone watching the alerts around the clock?

Honest "yes" requires: A modern EDR product (Huntress, SentinelOne, CrowdStrike, Microsoft Defender for Endpoint, or equivalent) deployed on every endpoint and server, with 24/7 monitored alerting either internally or via a managed security service provider (MSSP). Basic antivirus does not count. EDR without 24/7 monitoring barely counts.

Carrier response: "Yes" is increasingly the baseline expectation, with major carriers requiring it as of 2025. "No" results in significantly higher premiums plus sub-limits on ransomware coverage.

Question 3 — Backup architecture and testing

"Are backups immutable or air-gapped, and have you successfully tested restore in the last twelve months?"

What they're really asking: If your primary environment is encrypted by ransomware tonight, can you recover without paying the ransom? And do you actually know that, or are you guessing?

Honest "yes" requires: The 3-2-1 rule (three copies, two media types, one off-site) plus an immutable or air-gapped copy that cannot be encrypted by ransomware even when the attacker holds admin credentials, plus documented evidence of a successful restore in the past twelve months. The word "tested" is what fails most assessments.

Carrier response: Ransomware coverage is frequently sub-limited, excluded, or denied entirely when backups are not architecturally protected and tested. This is the control that most affects ransomware claim outcomes.

Question 4 — Security awareness training and phishing simulation

"Do all employees complete annual cybersecurity awareness training, including phishing simulation?"

What they're really asking: When a phishing email arrives in an employee's inbox, are they likely to click it, or report it?

Honest "yes" requires: Annual training completion documented for 100% of staff (including new hires within 30 days of start), plus regular phishing simulation. Many carriers now expect a monthly cadence with a measured click-rate trend over time, not just annual training as a check-box exercise.

Carrier response: "Yes" is increasingly required as of 2025. A "no" doesn't always knock out coverage, but does increase premium and often comes with policy conditions requiring training to be implemented within 90 days of binding.

Question 5 — Incident response plan

"Do you have a written incident response plan, and do you have a relationship with an external incident response firm?"

What they're really asking: If something happens at 2:00 AM on a Saturday, do you have a plan, named responders, phone numbers to call, and a firm on retainer that can be on the case within hours?

Honest "yes" requires: A written IR plan (not verbal) that names internal responders, an external IR firm relationship, your insurance broker's hotline, your cyber-policy's IR firm panel, and a defined process for the first 24 hours. An annual tabletop exercise is increasingly expected.

Carrier response: Many policies now require pre-approved IR firms before they'll cover IR costs. A "no" can result in significantly more out-of-pocket IR cost during an incident, even when coverage applies.

Question 6 — Patch management

"Are critical software security updates installed within 30 days of release on every machine?"

What they're really asking: When a vendor publishes a critical security patch, does it get applied to your environment within a defined timeframe, or does it sit on a "we'll get to it" list until something exploits it?

Honest "yes" requires: A patch management process — not "we let Windows Update do its thing" — that tracks every endpoint, reports on patch compliance, and ensures critical CVEs are deployed within 7–30 days depending on severity. Underwriters expect documented compliance reports from a patch management system (Atera, NinjaOne, Intune, etc.).

Carrier response: Vague answers here ("we install updates regularly") are increasingly being treated as a "no" by underwriters. Specific evidence is expected.
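Added here as an illustration (not code from the article or from Peace Country Cyber): a small script that turns a patch export into the per-host compliance evidence Question 6 is asking for, flagging each patch as installed within SLA, installed late, overdue, or not yet due. The CSV column names, the 7/14/30-day tiers per severity, and the sample rows are all assumptions.

```python
"""Patch-SLA compliance report from an RMM patch export (added example).
Assumed input: one CSV row per (host, CVE) with columns hostname, cve,
severity, released, installed; installed is blank while the patch is
missing.  The 7/14/30-day tiers are assumed from "7-30 days by severity"."""
import csv
import io
from datetime import date, timedelta

# Days allowed between vendor release and installation, by severity (assumed).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}

# Constructed sample export with placeholder CVE ids; a real file would come
# from the patch management system (Intune, NinjaOne, Atera, ...).
SAMPLE_EXPORT = """hostname,cve,severity,released,installed
WS-001,CVE-0000-0001,critical,2026-06-01,2026-06-05
WS-001,CVE-0000-0002,high,2026-06-01,2026-06-20
WS-002,CVE-0000-0001,critical,2026-06-01,
WS-002,CVE-0000-0003,medium,2026-06-25,
SRV-01,CVE-0000-0001,critical,2026-06-01,2026-06-02
"""

def classify(row, as_of):
    """compliant / late (installed after deadline) / overdue / pending."""
    released = date.fromisoformat(row["released"])
    deadline = released + timedelta(days=SLA_DAYS[row["severity"].lower()])
    if row["installed"]:
        return "compliant" if date.fromisoformat(row["installed"]) <= deadline else "late"
    return "overdue" if as_of > deadline else "pending"

def compliance_report(csv_text, as_of_iso):
    """Per-host status counts plus the share of due patches installed in SLA."""
    as_of = date.fromisoformat(as_of_iso)
    per_host, statuses = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row, as_of)
        statuses.append(status)
        counts = per_host.setdefault(row["hostname"], {})
        counts[status] = counts.get(status, 0) + 1
    # A patch whose deadline has not arrived yet is neither a pass nor a fail.
    due = [s for s in statuses if s != "pending"]
    pct = round(100 * due.count("compliant") / len(due), 1) if due else 100.0
    return {"per_host": per_host, "due": len(due), "compliant_pct": pct}

if __name__ == "__main__":
    report = compliance_report(SAMPLE_EXPORT, "2026-07-01")
    for host, counts in sorted(report["per_host"].items()):
        print(host, counts)
    print(f"{report['compliant_pct']}% of due patches met the SLA")
```

Run it against a real export on a schedule and keep the dated output; that history is the "specific evidence" an underwriter will ask for.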

Question 7 — Privileged access management

"Are administrator accounts separated from standard daily-driver accounts, and are admin accounts protected with additional safeguards?"

What they're really asking: If an attacker phishes a standard employee, can that account elevate to admin privileges easily? Or are admin rights restricted, separated, and additionally protected?

Honest "yes" requires: Standard users do not have admin rights to their workstations. Administrators have separate admin accounts with additional MFA protection (often FIDO2 hardware keys for the most sensitive accounts). A privileged account inventory exists and is reviewed quarterly.

Carrier response: "No" results in higher premiums and sometimes specific exclusions for incidents where lateral movement via excessive privileges contributed to the breach.

Question 8 — Asset and software inventory

"Do you maintain an inventory of all hardware assets and authorized software running on your network?"

What they're really asking: Do you know what's on your network? Or could there be unauthorized devices, end-of-life software, or rogue installations that nobody is managing?

Honest "yes" requires: A documented inventory of every endpoint, server, network device, and SaaS application in use. Maintained continuously (not a six-month-old spreadsheet). Reviewed at least quarterly.

Carrier response: "No" or "we have a spreadsheet somewhere" is treated as a soft "no" by most underwriters. This often results in coverage conditions requiring an inventory to be established within 90 days.

Question 9 — Prior incidents and claims

"In the past three years, has your business experienced a security incident, data breach, ransomware event, or filed a cyber-insurance claim?"

What they're really asking: Are you carrying unresolved damage from a prior incident? Are you a repeat target? Does the question's definition include things you didn't report?

Honest "yes" requires: Honest disclosure of any incident meeting the policy's definition — and the definition is often broader than "we got hit by ransomware." Some carriers define "security incident" as broadly as "any unauthorized access to systems," which can include a phishing email an employee almost-clicked-but-didn't.

Carrier response: This is the highest-stakes question on the application. Misrepresentation here voids your coverage, even years later, when an incident occurs. Always disclose. Always consult counsel if uncertain about whether a past event qualifies.

Question 10 — Use of a managed security service provider

"Does your business engage a third-party managed security service provider (MSSP) or managed detection and response (MDR) provider?"

What they're really asking: Is someone watching your security posture full-time — not just your IT person between other tasks — or are you on your own?

Honest "yes" requires: A documented relationship with an MSSP / MDR provider that includes some combination of: 24/7 SOC monitoring, managed EDR, vulnerability management, patch oversight, and incident response support.

Carrier response: "Yes" often qualifies for a premium discount of 10–25%, sometimes more for higher-touch providers. Carriers correctly assume that MSSP-supported businesses file fewer and smaller claims.

Putting it together

Your 2026 cyber-insurance renewal is a function of how many of these ten questions you can credibly answer "yes" to, with evidence to support each answer. The questionnaires are getting longer (often 25–40 pages), the evidence requests are getting more specific (vendor names, version numbers, log retention dates), and the underwriter's tolerance for vague answers is getting lower every year.

The good news: every "no" on this list is fixable. The fixes are mostly affordable, and they tend to pay for themselves through reduced premiums plus reduced real-world risk. The bad news: you can't fix all ten in the two weeks before renewal. Most fixes need 30–90 days to implement and demonstrate.

The earlier you start, the better your renewal goes.

What to do this week

Three actions:

  1. Find your current cyber-insurance policy. Read the application or renewal questionnaire from last year. See what you actually answered. Estimate how many of these ten questions you could honestly answer "yes" to today.
  2. Take our free Security Risk Report. Five minutes, ten questions roughly aligned with carrier questionnaires.
  3. If your renewal is within six months and you're nervous about the answers, that's exactly when the Cyber Insurance Readiness Assessment ($2,500, two weeks) pays for itself — typically through premium savings at renewal that exceed the assessment fee in the first year alone.

Peace Country Cyber is northern Alberta's local cybersecurity partner. Take the free Security Risk Report →
