Free tool · Cyber insurance

Cyber insurance readiness assessment: a free 2-minute self-check

Cyber insurers now require specific security controls before they'll cover you — and can cut a claim if those controls weren't in place. This free 2-minute self-check gauges your organization against what Canadian insurers ask for. Think of it as a readiness assessment you can run before your broker sends the real questionnaire. Answer honestly: nothing is saved, sent, or tracked — it all runs in your browser.

This self-check is provided for information only and is not insurance advice or a guarantee of eligibility.

What insurers check for

Ten controls that decide your coverage

  • Multi-factor authentication (MFA) everywhere — email, remote access and admin accounts
  • Modern endpoint protection (EDR/XDR) on every device
  • Immutable or offline backups, with a tested restore
  • A documented, tested incident-response plan
  • Email authentication — SPF, DKIM and DMARC — and advanced filtering
  • Patch and vulnerability management on a defined schedule
  • Security-awareness training and simulated phishing
  • Privileged access management (separate admin accounts, least privilege)
  • Secured remote access — no RDP exposed to the internet
  • Around-the-clock detection and response (monitoring or MDR/SOC)

The self-check scores out of 20 across three bands: high risk, insurable with conditions, and strong posture.

For the reasoning behind each control, see the full breakdown of what insurers require.

Gaps to close? We put the controls insurers require in place: Microsoft 365 security and MFA, managed detection & response (MDR), an incident-response plan, security-awareness training, and vulnerability management. Insurer asking for testing evidence? See our pen testing in the Outaouais.

Frequently asked

Cyber insurance: what to know

Do we need MFA to get or renew cyber insurance?

In practice, yes. Missing MFA is by far the most common reason cyber-insurance applications get declined — many insurers won't even quote without MFA on email and remote access. And if you attest to MFA on the application but it isn't actually in place when an incident happens, the insurer can reduce or deny the claim. If MFA is missing, it's usually the first gap to close before you apply or renew.

What security controls do cyber insurers require in Canada?

Most Canadian insurers benchmark against the NIST CSF or CIS Controls. The most common requirements are MFA everywhere (email, remote access, admin accounts), EDR/XDR endpoint protection, immutable and tested backups, a tested incident-response plan, email authentication (SPF, DKIM, DMARC), patch management, and security-awareness training.

Why was my cyber-insurance application declined?

Missing MFA is by far the most common reason — many insurers won't even quote without MFA on email and remote access. Lacking EDR, or immutable and tested backups, is another frequent cause of declines and surcharges.

Can an insurer deny a cyber claim?

Yes. If you attested to a control (for example MFA) on the application and it wasn't actually in place at the time of the incident, the insurer can reduce or deny the claim. That's why controls need to be not only present but consistent and provable.

How can IT Sincennes help?

We close the gaps insurers check — MFA and Microsoft 365 security, EDR/MDR, backups and incident response, email hardening and training — then document the evidence you need for your application or renewal.

Ready to become insurable — at the best rate?

Talk to a Canadian-owned firm, in English or French. We close the gaps insurers check and document your evidence.

Get in touch