When clients come to us for a Cyber Insurance Readiness Assessment, one of the things we ask for early in the engagement is a copy of their current cyber-insurance policy. We do this because the gap between what the business thinks the policy covers and what the policy actually requires and excludes is wide and growing.
Five specific changes to standard 2026 Canadian cyber-insurance policy language are worth knowing about. If you have a policy in force, find the document and read along — most of these are easy to verify in under an hour. If you don't have a policy, this article is approximately what your broker will be selling you next year.
1. Mandatory minimum security controls as a condition of coverage
Older policies (2020 and earlier) treated security controls as an underwriting question (Do you have MFA? Yes / No) that set the premium but did not determine claims. If you said yes when you applied and later experienced a breach involving credentials, the carrier paid the claim.
Modern policies treat minimum controls as a condition of coverage. Specifically, your policy may now state that coverage applies only if certain controls were in place at the time of the incident. If your MFA enforcement lapsed for a week — perhaps because someone temporarily turned it off for a difficult user — and a breach happened during that window, coverage may be denied.
How to check: Search your policy for the phrases "minimum security standards," "security controls warranty," or "conditions precedent to coverage." Read what's required, and verify each item is actually in continuous effect at your business.
2. Ransomware sub-limits
Cyber-insurance policies are typically written with one large overall limit (say $1M aggregate) and then various smaller sub-limits for specific coverage areas. Ransomware coverage used to be either covered at the full policy limit or excluded entirely.
In 2026, the most common pattern is a separate, lower sub-limit specifically for ransomware — often 10-25% of the overall policy limit. So a $1M policy might have a $100k-$250k ransomware sub-limit. This sub-limit covers the ransom payment, the recovery costs, the business interruption, and the legal/notification expenses combined. For most actual ransomware incidents, the sub-limit is well below the total cost.
How to check: Look for a coverage limits schedule, typically in the first 1-3 pages of the policy. Find the line item for "Cyber Extortion" or "Ransomware." Compare that number to the overall policy limit.
3. Backup-architecture conditions
Closely related to ransomware coverage: many 2026 policies now require specific backup architectures as a condition of paying ransomware claims. Specifically, the policy may require that you maintain immutable or air-gapped backups, that the backups are tested at defined intervals, and that the testing is documented.
If a ransomware incident occurs and you cannot produce evidence of a successful restore test within the policy's required window (typically 90-180 days), the carrier may reduce or deny the claim on the grounds that you failed to maintain adequate backup posture — even if the backups themselves were actually fine.
How to check: Search your policy for "backup," "immutable," "air-gapped," or "restore test." The relevant language is usually in a "Conditions" or "Definitions" section.
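A check of the kind the backup condition above calls for, as an added example that is not part of the original article: it reads a constructed restore-test log, discards failed or undocumented tests, and reports per backup set whether the newest documented success falls inside the policy's evidence window. The log format, backup-set names and change-ticket field are assumptions.

```python
from datetime import date, timedelta

# Constructed sample restore-test log (not from any real system):
# one line per test, "date,backup_set,result,change_ticket".
# An empty ticket field means the test ran but was never documented.
RESTORE_TEST_LOG = """\
2025-11-02,fileserver,success,CHG-1041
2026-01-15,fileserver,failed,CHG-1102
2026-02-20,erp-db,success,CHG-1130
2025-09-30,mailbox-export,success,
2026-03-01,erp-db,success,CHG-1180
"""

# Every backup set the policy condition applies to; hr-share has no test on record.
BACKUP_SETS = ["fileserver", "erp-db", "mailbox-export", "hr-share"]


def parse_log(text):
    """Turn the CSV-style log into a list of dicts with real date objects."""
    records = []
    for line in text.strip().splitlines():
        day, backup_set, result, ticket = line.split(",")
        records.append({"date": date.fromisoformat(day), "set": backup_set,
                        "result": result, "ticket": ticket.strip()})
    return records


def evidence_status(records, backup_sets, window_days, as_of):
    """For each backup set, find the newest documented successful restore test
    and report whether it falls inside the policy's evidence window.
    as_of may be a date or an ISO date string."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=window_days)
    status = {}
    for name in backup_sets:
        # Failed tests and undocumented successes are not evidence a carrier will accept.
        proven = [r for r in records
                  if r["set"] == name and r["result"] == "success" and r["ticket"]]
        if not proven:
            status[name] = {"last_success": None, "compliant": False,
                            "reason": "no documented successful restore test"}
            continue
        last = max(proven, key=lambda r: r["date"])
        age = (as_of - last["date"]).days
        status[name] = {"last_success": last["date"], "compliant": last["date"] >= cutoff,
                        "reason": f"last documented success {age} days ago (window {window_days})"}
    return status


if __name__ == "__main__":
    for name, s in evidence_status(parse_log(RESTORE_TEST_LOG), BACKUP_SETS, 90, "2026-03-15").items():
        print(f"{name:15} {'OK ' if s['compliant'] else 'GAP'} {s['reason']}")
```

Run it with the window your policy actually states; the same log passes at 180 days for the file server and still fails for the undocumented mailbox export.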
4. Specific incident-response firm requirements
The 2026 standard is that cyber-insurance policies include a panel of approved IR firms and require that you engage one of them during a covered incident. If you call your own preferred IR firm (or, more commonly, try to handle it internally), the policy may pay only for what an approved panel firm would have charged — leaving you with the difference.
Some policies go further and require pre-incident coordination with the panel firm. Practically, this means you're expected to have a written IR plan that names the panel firm and includes its contact information before an incident occurs.
How to check: Look for "Panel," "Approved Incident Response Vendor," or "Coverage Counsel" in the policy. Note who's on the list, their contact information, and the process for engaging them at 3 AM on a Sunday.
5. Social-engineering and business email compromise carve-outs
Business Email Compromise (BEC) — the supplier-banking-change fraud, the CEO impersonation, the bookkeeper tricked into wiring funds — is now the most common and most expensive category of cyber loss for Canadian SMBs. It is also, increasingly, carved out of standard cyber coverage.
Many 2026 policies treat BEC and other social-engineering losses as a separate sub-coverage requiring its own premium and its own sub-limit. Some policies require specific verification procedures (for example, a written policy requiring verbal verification of payment instructions) as a condition of any social-engineering claim.
The shift is structural: BEC is a financial fraud problem, not a technical-breach problem, and carriers are increasingly treating it accordingly.
How to check: Look for "Social Engineering," "Funds Transfer Fraud," "Business Email Compromise," or "Fraudulent Instruction" in the coverage schedule. Check the sub-limit. Check whether there are conditions on the coverage.
What to do this week
If you have an active cyber-insurance policy:
- Find the document, in whatever drawer or shared folder you keep insurance documents.
- Read it for an hour. Specifically, find the conditions, sub-limits, and exclusions for each of the five items above.
- Make a list of every gap between what you have and what the policy requires.
- Bring the list to your broker and ask whether your current posture would actually trigger a payout for each scenario in scope.
If your broker can answer those questions specifically and credibly, you have a good broker. If the answer is "we'd need to see the specifics at claim time," that's the signal to start interviewing other brokers — or to engage a formal readiness assessment that gives you a document the next broker can work from.
If you don't have an active cyber-insurance policy and are planning to get one, all five items above will affect what you can buy, how much it will cost, and what it will actually cover. Going in with the answers prepared is the difference between a successful renewal and an expensive one.
How we help
Our Cyber Insurance Readiness Assessment ($2,500 fixed-fee) is built around verifying your posture against the conditions in modern 2026 carrier policies. We map your controls to specific policy language, identify the gaps that could affect claim outcomes, and provide a remediation roadmap. If you also engage us for managed services afterward, the assessment fee credits against your first three months of retainer.
Either way, the conversation we want is the one before renewal, not the one during a claim.
Peace Country Cyber is northern Alberta's local cybersecurity partner. Take the free Security Risk Report.