COSMICBYTEZLABS
HOWTO · Beginner

Your First Cyber-Insurance Renewal: What to Expect When the Questionnaire Arrives the Second Time

Year-two cyber-insurance renewals are when carriers tighten the screws. The questionnaire grows. Last year's "we're working on it" answers get audited. Here's what to expect 90 days out, and how to walk into the renewal without panicking.

Dylan H.

Founder, Peace Country Cyber

February 1, 2027
7 min read

The first cyber-insurance renewal is almost never the painful one. Year one is usually a fast-tracked binding with a short questionnaire and a carrier that wants to get your business on the books. The second renewal is the one where the conversation changes.

Twelve months in, the carrier has seen your account. They have run your business through their loss-experience model. The questionnaire that arrives the second time is longer, more specific, and the underwriter expects to see evidence behind every "yes" you provided last year. The phrases that worked the first time around — "we plan to deploy that this year," "we are in the process of rolling that out" — get tested.

This is the article I wish every business owner read 90 days before their year-two renewal date. It walks through what carriers actually do at the second renewal, the controls that get audited most aggressively, what an honest year-over-year delta looks like, and how to document it without scrambling.

What changes between year one and year two

Year-one carriers are buying the application. Year-two carriers are buying the evidence. The shift looks like this in practice.

  • The questionnaire grows from roughly 15 to 25 questions in year one to 30 to 50 in year two. Coalition, Beazley, CFC, and Travelers Canada all follow this pattern.
  • Free-text answers from year one ("we are working on MFA rollout") generate targeted year-two follow-ups ("provide screenshots from your identity console showing MFA enforcement coverage").
  • Broker behaviour changes. The broker who placed your first policy on a phone call now sends a pre-renewal call invite and a checklist. That is not a sales tactic — that is the broker protecting their book of business by making sure you do not show up to the carrier with a "no" you forgot to fix.
  • Loss-experience underwriting kicks in. Even if you had no incidents, your carrier looks at your industry, geography, and seat count against their claim data. Northern Alberta SMBs in oilpatch services and trucking now generate enough claim history that carriers price the region accordingly.

The good news: a clean, honest year-two renewal usually results in either flat or lower premium. Industry data suggests carriers in 2026 commonly applied premium movement in the range of negative 10 percent to positive 25 percent at renewal, with the direction determined more by attestation accuracy than by underlying risk score.

The seven controls carriers audit most aggressively at year two

These are the controls where "we are working on it" no longer works.

1. Multi-factor authentication coverage. Year one: did you have MFA? Year two: prove it covers 100 percent of accounts including service accounts, prove it is phishing-resistant for administrators, and provide an identity-console screenshot showing enforcement.

2. EDR deployment percentage. Year one: do you have EDR? Year two: what is your endpoint coverage percentage, who runs the SOC, and what was the mean-time-to-respond on alerts in the past 12 months? A "we deployed it last quarter" answer prompts a follow-up requesting the agent coverage report.

3. Backup immutability and restore evidence. Year one: are backups offsite? Year two: are they immutable, and have you performed a documented restore test in the past 12 months? Carriers will ask for the date of the last successful test. If you cannot provide it, the answer is treated as "no."

4. Security awareness training and phishing simulation. Year one: do staff complete training? Year two: completion percentage by department, phishing-simulation click rate trend, and a screenshot from the training platform showing the past four quarters of activity.

5. Patch management evidence. Year one: do you patch? Year two: what is the time-to-patch SLA, what tool tracks it, and what is current compliance against the SLA across endpoints and servers? Vague answers get downgraded to "no."

6. Incident response plan with named contacts. Year one: do you have a plan? Year two: when was it last updated, when was the last tabletop, who is on the call list, and have you pre-engaged an external IR firm? Carriers increasingly want the IR firm relationship documented before binding.

7. Privileged access controls. Year one: do users have admin rights? Year two: what is the count of privileged accounts, when were they last reviewed, are they protected with hardware MFA, and is there a session-recording or just-in-time mechanism in place? Even Mackenzie County small businesses now see this question.

What an honest year-over-year delta looks like

A defensible year-two renewal generally shows movement on three to five of these controls. Not all seven. Carriers are realistic — they know a 30-person sawmill, ag operation, or trucking firm in northern Alberta is not running an enterprise security team. What they want to see is a credible direction of travel.

A realistic and well-received delta might look like:

  • MFA coverage moved from 80 percent to 100 percent including all administrators
  • EDR moved from antivirus-plus-one-EDR-trial to fully deployed managed EDR with documented SOC coverage
  • Backup architecture added an immutable copy and a documented restore test
  • Awareness training cadence moved from annual to quarterly with phishing simulation
  • Patch management moved from "Windows Update" to a documented RMM-driven process

Five wins of that quality at renewal typically result in flat to slightly favourable premium movement in a tightening market, or genuine premium reduction in a softening market. The reverse — flat or backwards movement on those controls — typically results in premium increases in the 15 to 30 percent range plus added sub-limits on ransomware coverage.

How to document it without panicking

The single most useful thing you can do at year two is build an evidence binder before the questionnaire arrives. Not after. Before.

A working evidence binder for a 30-person SMB contains roughly the following, gathered as PDFs, screenshots, or short policy documents:

  • Identity console export showing MFA enforcement
  • EDR console screenshot showing agent coverage percentage and SOC contract page
  • Backup platform report showing schedule, immutability flag, last successful restore test date
  • Training platform report showing completion percentage and phishing-simulation trend
  • RMM patch compliance report by endpoint
  • Written incident response plan with named internal and external contacts
  • Privileged account inventory and last-review date

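The binder items above are screenshots and reports, but the numbers the underwriter actually reads off them (MFA coverage across every account including service accounts, phishing-resistant MFA for administrators, EDR agent coverage, patch-SLA compliance, and whether a dated restore test falls inside the last 12 months) can be computed straight from the raw console exports before you take the screenshots. The script below is an added example, not code from the article or from Peace Country Cyber: it reads small constructed CSV exports standing in for the identity, EDR and RMM consoles, applies the year-two rules from controls 1, 2, 3 and 5 above, and turns each into a questionnaire answer plus the evidence line that goes in the binder. Column names, MFA method labels, the 30-day SLA and all sample data are assumptions to adapt to your own tooling.

```python
import csv
import io
from datetime import date

# Constructed sample exports standing in for the real console reports.
# Column names are assumptions; map them to whatever your tools export.
IDENTITY_CSV = """user,type,mfa_method
alice,user,app-totp
bob,admin,fido2
carol,admin,sms
dave,user,none
svc-backup,service,none
svc-rmm,service,cert
"""
EDR_CSV = """hostname,edr_agent
pc-01,installed
pc-02,installed
pc-03,missing
srv-01,installed
"""
PATCH_CSV = """hostname,days_since_last_critical_patch
pc-01,7
pc-02,21
pc-03,45
srv-01,12
"""
BACKUP_IMMUTABLE = True                       # constructed platform flag
BACKUP_LAST_RESTORE_TEST = date(2026, 11, 3)  # constructed test date

PHISHING_RESISTANT = {"fido2", "hardware-key", "passkey", "cert"}  # assumed labels
PATCH_SLA_DAYS = 30                                                # assumed SLA


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def mfa_coverage(identity_csv):
    """Control 1: coverage across ALL accounts, service accounts included,
    plus the phishing-resistant-for-admins check."""
    accounts = rows(identity_csv)
    uncovered = [a["user"] for a in accounts if a["mfa_method"] == "none"]
    weak_admins = [a["user"] for a in accounts
                   if a["type"] == "admin" and a["mfa_method"] not in PHISHING_RESISTANT]
    pct = round(100 * (len(accounts) - len(uncovered)) / len(accounts), 1)
    return {"coverage_pct": pct, "uncovered": uncovered, "weak_admins": weak_admins}


def edr_coverage(edr_csv):
    """Control 2: agent coverage percentage and the hosts the SOC cannot see."""
    hosts = rows(edr_csv)
    missing = [h["hostname"] for h in hosts if h["edr_agent"] != "installed"]
    pct = round(100 * (len(hosts) - len(missing)) / len(hosts), 1)
    return {"coverage_pct": pct, "missing": missing}


def patch_compliance(patch_csv, sla_days):
    """Control 5: share of endpoints inside the critical-patch SLA."""
    hosts = rows(patch_csv)
    breaches = [h["hostname"] for h in hosts
                if int(h["days_since_last_critical_patch"]) > sla_days]
    pct = round(100 * (len(hosts) - len(breaches)) / len(hosts), 1)
    return {"sla_days": sla_days, "compliance_pct": pct, "breaches": breaches}


def restore_test_current(last_test, as_of):
    """Control 3: a restore test counts only if it is dated and within 12 months.
    No date on record is treated as 'no', exactly as the underwriter would."""
    return last_test is not None and (as_of - last_test).days <= 365


def build_answers(as_of):
    """Turn the metrics into questionnaire answers, each with the evidence
    line that accompanies it in the binder."""
    mfa = mfa_coverage(IDENTITY_CSV)
    edr = edr_coverage(EDR_CSV)
    patch = patch_compliance(PATCH_CSV, PATCH_SLA_DAYS)
    restore_ok = restore_test_current(BACKUP_LAST_RESTORE_TEST, as_of)
    return {
        "mfa": {"answer": "yes" if mfa["coverage_pct"] == 100 and not mfa["weak_admins"] else "no",
                "evidence": f"{mfa['coverage_pct']}% of accounts; uncovered: {mfa['uncovered']}; "
                            f"admins without phishing-resistant MFA: {mfa['weak_admins']}"},
        "edr": {"answer": f"{edr['coverage_pct']}% agent coverage",
                "evidence": f"hosts without agent: {edr['missing']}"},
        "backups": {"answer": "yes" if BACKUP_IMMUTABLE and restore_ok else "no",
                    "evidence": f"immutable={BACKUP_IMMUTABLE}; "
                                f"last restore test {BACKUP_LAST_RESTORE_TEST}"},
        "patching": {"answer": f"{patch['compliance_pct']}% within {patch['sla_days']}-day SLA",
                     "evidence": f"out of SLA: {patch['breaches']}"},
    }


if __name__ == "__main__":
    for control, result in build_answers(date(2027, 2, 1)).items():
        print(f"{control:9} {result['answer']:32} {result['evidence']}")
```

Run against the constructed data, MFA comes out as "no" even though two thirds of accounts are covered, because one administrator is still on SMS and two accounts (one of them a service account) have nothing; that is precisely the gap a year-two follow-up would surface, and seeing it 90 days early is the point of the binder.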
Built ahead of the renewal, this binder converts a stressful 30-day scramble into a 90-minute meeting with your broker. Built after the questionnaire arrives, the same binder takes three weeks of weeknight work while the renewal clock runs.

The honest pitch

Most of the SMBs we work with in northern Alberta hit their year-two renewal somewhere between October and March. If yours is one of those, this is the right month to start the binder. Carriers reward preparation. They penalize scrambling. The premium delta between a well-prepared and a poorly prepared year-two renewal on the same underlying risk is typically larger than the cost of the preparation itself.

If you want a second set of eyes on the questionnaire before you submit, that is exactly the engagement the $2,500 Cyber Insurance Readiness Assessment is designed for. Two weeks, fixed fee, written gap analysis mapped to your carrier's actual questionnaire, with a prioritized remediation roadmap. Most clients see the assessment fee recovered in the first renewal cycle through premium savings alone.



Tags: cyber insurance, renewal, questionnaire, smb, underwriting, canada
