Insights · Cyber-insurance

What cyber insurers require: the controls you need

Your insurer's questionnaire is really a security audit. Here's what underwriters check, why applications get declined, and how to walk in ready.

Why did cyber insurers get so demanding?

If your broker just sent you a cyber-insurance questionnaire, you've probably noticed it reads less like an insurance form and more like a security audit. Pages of yes-or-no questions about multi-factor authentication, endpoint detection, backup immutability, incident-response testing. Not long ago, cyber coverage was a line item added to a commercial policy with barely a question asked. That era is over.

What changed is the claims. Ransomware turned cyber into an expensive line of business, and underwriters responded the way underwriters do: by pricing the risk they can actually measure. Most Canadian insurers now benchmark applicants against recognized frameworks like the NIST Cybersecurity Framework or the CIS Controls, and the questionnaire is how they find out where you stand.

The consequences are concrete. Missing MFA is by far the most common reason an application gets declined — many insurers won't even quote a business without MFA on email and remote access. No EDR on your computers, or backups that aren't immutable and tested, are other frequent causes of declines and premium surcharges. The questionnaire isn't a formality; it decides whether you get covered, and at what price.

Identity comes first: MFA, admin accounts and remote access

Underwriters start with identity because attackers do. Most breaches that hit small and mid-sized businesses begin with a phishing email, a reused password or an account nobody protected with MFA — not with some sophisticated exploit. So the first block of questions asks whether MFA is on everywhere: email, remote access and administrator accounts. "Everywhere" is the operative word. The executive who found MFA annoying and got an exception is exactly the account an attacker will find too.

Close behind come the questions about privileged access. Insurers want to see separate admin accounts and least-privilege access, so that one stolen everyday password doesn't hand over the whole environment. They also want remote access locked down: no RDP exposed directly to the internet, ever. An open RDP port remains one of the classic ways ransomware gets in.

The good news for Microsoft 365 shops is that much of this is already included in licences you're likely paying for. MFA and Entra ID conditional access come with common business plans; they need to be configured and enforced, not purchased. For many SMBs, becoming insurable on the identity front is a configuration project, not a new spend.

Could you survive a ransomware hit? EDR, backups, monitoring

The second theme running through every questionnaire is resilience: if ransomware lands, will this business recover, or will it file a painful claim? Three controls carry that section. First, modern endpoint protection — EDR or XDR — on every device. Underwriters name EDR specifically because it detects and blocks malicious behaviour instead of just scanning files. And "every device" includes the laptop forgotten in a drawer.

Second, backups the attacker can't reach. That means immutable or offline copies that can't be encrypted or deleted even by someone holding admin credentials, and a restore you have actually tested. A backup you've never restored is a hope, not a control, and insurers have learned to ask about the test, not just the backup.

Third, someone watching. Questionnaires increasingly ask about around-the-clock detection and response — monitoring, MDR or a SOC. For an SMB, that doesn't mean hiring a night shift. A managed detection and response service covers it; ours runs on a managed SOC platform built on Microsoft Sentinel and Defender, with a certified architect investigating what it flags. What the insurer wants is a real answer to "who notices, and who acts?" at three in the morning.

The quieter requirements: email, patching, training, a plan

Beyond the headliners, four controls fill out the rest of the form. Email authentication — SPF, DKIM and DMARC, backed by decent filtering — cuts spoofed and fraudulent mail. It costs little to set up correctly, and a blank answer looks bad, because email is still the top attack vector.

Patch and vulnerability management needs a defined schedule. "When we get around to it" is not a schedule, and an underwriter can tell the difference between a documented cadence and a good intention. Regular vulnerability scanning between deeper assessments shows the process actually runs.

Security-awareness training has to be ongoing, with simulated phishing and reports to show for it. A video watched once doesn't convince anyone; the insurer wants evidence that training happened this year, that people participated, and that click rates are tracked.

That leaves the incident-response plan — documented and put to the test. "Tested" usually means a tabletop exercise: your decision-makers walking through a ransomware scenario before it's real. Insurers increasingly require this readiness, because an organization that has rehearsed contains the incident faster and costs less to make whole.

What insurers actually check when you file a claim

Here's the part too many businesses learn after the fact: the application is an attestation, not a marketing survey. If you declared that MFA was in place and the investigation after an incident shows it wasn't — or that it covered head office but not the warehouse — the insurer can reduce or deny the claim. The controls have to be not only present but consistent and provable, at the moment the incident happens.

That should change how you answer the questionnaire. "Mostly deployed" is a no. "We bought the licence" is a no. If a control is partial, say so, take the surcharge or the exclusion, and fix it. An honest answer costs you something at renewal; a false one costs you the claim, right when you need it most.

It also means keeping evidence. Exported MFA and conditional-access policies, a Secure Score trend, training-participation reports, dated restore tests, a penetration-test report with its retest — that file does double duty for insurers, auditors and your clients' security questionnaires.

Law 25 asks for much the same: prepare once, before renewal

For Quebec businesses, a second authority takes an interest in the same controls. Law 25, phased in between September 2022 and September 2024, requires you to protect personal information with reasonable security measures, keep a register of confidentiality incidents, and notify the Commission d'accès à l'information when an incident presents a risk of serious injury. Penalties run up to $25 million or 4% of worldwide turnover on the penal side, and $10 million or 2% for administrative sanctions.

The overlap works in your favour. MFA, EDR, tested backups, awareness training and an incident-response plan satisfy your underwriter and demonstrate diligence to the regulator at the same time. Put the controls in place once, and the same evidence file serves both.

So before renewal: start when the questionnaire arrives, not the night it's due. Take honest stock of where you stand — our free two-minute self-check scores you against the ten controls insurers ask about, right in your browser, with nothing saved or sent. If MFA is incomplete, fix that first; it's the answer that most decides whether you get a quote at all. Then build the evidence file so your answers hold up. And if you'd rather hand the gap-closing and the documentation to an architect — the person who does the work, not a call centre — that's exactly what we do.

To see where you stand right now, take our cyber-insurance readiness self-check. And if the questionnaire names controls you're missing, our Microsoft 365 security and backup & disaster recovery pages explain how we put them in place.

FAQ

Frequently asked questions

Do we need MFA to get or renew cyber insurance?

In practice, yes. Missing MFA is by far the most common reason applications are declined, and many insurers won't even quote a business without MFA on email and remote access. Underwriters also expect it on administrator accounts. If you run Microsoft 365, the capability is usually already in your licence — it needs to be turned on and enforced for everyone, without exceptions.

What controls do cyber insurers require in Canada?

Most Canadian insurers benchmark against the NIST Cybersecurity Framework or the CIS Controls. The recurring requirements: MFA everywhere, EDR/XDR endpoint protection, immutable and tested backups, email authentication (SPF, DKIM, DMARC), patch and vulnerability management, security-awareness training, a documented and tested incident-response plan, privileged-access management, secured remote access with no exposed RDP, and ongoing monitoring or MDR.

Can an insurer deny a claim over a missing control?

Yes. If you attested to a control on the application — MFA is the classic example — and it wasn't actually in place at the time of the incident, the insurer can reduce or deny the claim. That's why controls need to be present, consistent and provable, not just planned. Answer the questionnaire honestly and keep dated evidence of each control.

Do the same controls help with Quebec's Law 25?

Largely, yes. Law 25 requires reasonable security measures over personal information, a register of confidentiality incidents, and notification when an incident poses a risk of serious injury. MFA, EDR, tested backups, training and an incident-response plan support both the insurer's questionnaire and your Law 25 diligence, so the work — and the documentation — does double duty.

Is a penetration test required for cyber insurance?

Not universally, but more and more insurers require documented security controls, and some ask for a penetration test to issue or renew a policy. Even when it isn't required, a pen-test report with a retest of the fixes is strong evidence for the questionnaire, and it answers your clients' security reviews at the same time.

Continue reading

Could you answer the questionnaire today?

Take our free 2-minute self-check — the ten controls insurers verify, with a score and clear next steps.