Skip to main content
Itsultant logoItsultant

Guide

What Does Cyber Insurance Require From a Small Business in Canada?

The security controls underwriters now expect before they will quote a small business, why the bar went up, and how to get your answers ready.

What do cyber insurers actually require from a small business?

Cyber insurers now expect a defined set of security controls before they will quote or renew a small business: multi-factor authentication, endpoint detection and response, tested backups that are kept offline, regular patching, least-privilege access, staff security training, and a written incident response plan. These controls have moved from optional to expected. On most applications, missing controls mean a higher premium, a lower limit, a coverage exclusion, or a declined application.

The Insurance Bureau of Canada's Cyber Savvy insurance guide reflects most of this same core set. Drawing on Get Cyber Safe and the Canadian Centre for Cyber Security, it recommends multi-factor authentication for log-in protection beyond passwords, backing up critical data, keeping software and systems patched, limiting access to sensitive information, training employees, and creating a written incident response plan. The guide does not name endpoint detection and response among these proactive controls. It raises EDR only in its post-incident checklist, which we cover further down.

Each control on the list closes off a common way small businesses get breached, so the exercise is about real risk reduction rather than filling in a form. Underwriters ask about these controls because they have paid claims where a missing one was the difference between a minor incident and a business-ending one.

  • Multi-factor authentication (MFA) on email, remote access, and admin accounts.
  • Endpoint detection and response (EDR) on computers and servers.
  • Backups of critical data, tested and kept offline or otherwise isolated.
  • Regular patching of operating systems, applications, and firmware.
  • Least-privilege access so people can only reach what their role needs.
  • Security awareness training for all staff, including phishing.
  • A written incident response plan that names who does what.

Why have cyber insurance requirements tightened?

Requirements tightened because claims rose and insurers started pricing risk on the controls a business actually has in place. Ransomware, business email compromise, and data theft became common and expensive, so underwriters moved from a short questionnaire to a detailed one and began declining businesses that could not show basic protections.

The Canadian numbers show the pressure. According to Statistics Canada's 2023 Canadian Survey of Cyber Security and Cybercrime, 22 percent of Canadian businesses held cyber risk insurance in 2023, up from 16 percent in 2021, while only 26 percent had written cyber security policies, unchanged from 2021. About one in six businesses, 16 percent, were affected by a cyber security incident that year. Total spending to recover from incidents roughly doubled, from about 600 million dollars in 2021 to 1.2 billion dollars in 2023.

The severity at the individual level is what worries underwriters. The Insurance Bureau of Canada's Cyber Savvy guide states that a single data breach could cost a Canadian business as much as 7 million dollars, citing a 2025 IBM report. When a rare claim can be that large, insurers respond by requiring the controls that make a claim less likely and less severe, and by asking harder questions before they take the risk on.

What will the insurance application ask me?

Expect a detailed questionnaire, not a one-page form. According to the Insurance Bureau of Canada's Cyber Savvy guide, when you apply for cyber insurance you will likely have to complete an application insurers use to assess your risk and price the policy. It covers what personal and financial data you collect, your security controls, the technology you use for encryption and authentication, your antivirus and firewalls, and whether you provide security and privacy training to all staff.

The Insurance Bureau of Canada also points owners to its Cyber Insurance Assessment, a self-assessment questionnaire. IBC says the questions are similar to those you might see on a cyber insurance application, and describes the free tool as covering the cyber security protocols and best practices that most cyber insurers look for. IBC is candid that the free tool cannot provide an actual risk assessment, but it helps you gauge whether your business is a good candidate for coverage.

Your answers need to be true and documented. Insurers can and do check, and a claim can be disputed if the controls you attested to were not actually in place. Treat the application as a description of what you really run, not what you intend to set up later.

  • What personal and financial data you collect and store.
  • Your security measures for preventing access to IT systems and servers.
  • The technology you use for encryption and authentication.
  • Antivirus, anti-malware, and firewalls.
  • Whether all staff receive security and privacy training.

How do these requirements line up with recognized Canadian controls?

The controls insurers ask for map closely to the Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations. That guidance targets organizations with fewer than roughly 500 employees and applies the 80/20 principle, aiming to achieve 80 percent of the benefit from 20 percent of the effort. If you follow the baseline, you are covering most of what an insurer will ask about.

The overlap is close to one-for-one. The Cyber Centre recommends two-factor authentication wherever possible, a written incident response plan that names who handles incidents, automatic patching for software and hardware, backups of essential systems stored encrypted and offline, security awareness training, security software that updates and scans automatically, and least-privilege access control. Those are the same items on an insurance questionnaire, described in a Canadian government framework rather than an underwriter's form.

This gives you a neutral, credible reference to build against. Rather than chasing one insurer's wording, you can implement a recognized baseline and then answer any insurer's questions from the same foundation. It also means the work you do for insurance doubles as genuine risk reduction rather than box-ticking.

  • Two-factor authentication wherever possible (BC.5).
  • Written incident response plan naming who handles incidents (BC.1).
  • Automatic patching for software and hardware (BC.2).
  • Backups of essential systems, stored encrypted and offline (BC.7).
  • Security awareness training (BC.6).
  • Enable security software that updates and scans automatically (BC.3).
  • Least-privilege access control (BC.12).

How do you prepare before you apply?

Prepare by putting the controls in place first, then gathering the evidence that proves they are working. The order matters. Turning on MFA the week before you apply is fine, but you will answer more confidently, and defend a future claim more easily, if the controls have been running and you can show it.

Work through the core set in a sensible order. Start with MFA on email, remote access, and administrator accounts, since account takeover is one of the most common entry points. Deploy EDR on every computer and server. Get backups tested and isolated so ransomware cannot reach them. Set patching to run automatically and confirm it is actually happening. Tighten access so staff only reach what their role needs. Run security awareness training so people can spot phishing. Write down an incident response plan that names who to call and what to do.

After an incident, some of the same controls come up again. The Insurance Bureau of Canada's Cyber Savvy guide includes a post-incident checklist that tells businesses to change passwords on compromised and related accounts, determine what data was affected, and incorporate advanced security measures such as endpoint detection and response and multi-factor authentication to manage employee access, then report the incident to their cyber insurer, the Canadian Centre for Cyber Security, and the Canadian Anti-Fraud Centre. Insurers commonly expect EDR up front, and its appearance in the guide's recovery steps shows it is treated as a serious measure, not an optional extra.

  • Enable MFA on email, remote access, and admin accounts.
  • Deploy EDR across all endpoints and servers.
  • Test your backups and keep at least one copy offline or isolated.
  • Automate patching and verify it is running.
  • Enforce least-privilege access and remove stale accounts.
  • Train all staff on phishing and safe handling of data.
  • Write and store an incident response plan people can find fast.

How does Itsultant help you meet these requirements?

Itsultant is a Canadian-owned IT consulting and cybersecurity firm that works with small and medium businesses and non-profits, and getting clients ready for cyber insurance is part of what we do. We put the controls insurers ask for into place, MFA, endpoint detection and response, tested and offline backups, patching, least-privilege access, staff training, and a written incident response plan, using open-source tools where they fit, such as Wazuh, OpenVAS, and Suricata, so you are not paying per-seat licence fees for the software itself.

We align the underlying security work to recognized frameworks, the CIS Controls and the NIST Cybersecurity Framework, and we map controls to Canadian privacy law, PIPEDA and Ontario's PHIPA where health information is involved. To be accurate about what that means: these are frameworks we align to, not certifications we hold. The value is that your controls are organized against a credible standard rather than assembled ad hoc.

One practical output is what we call an evidence pack: the mapped controls, documented policies, and monitoring records gathered in one place. That is the material an insurer's questionnaire asks for, and having it ready makes the application a straightforward reply instead of a scramble. If a claim ever arises, you can also show that the controls you attested to were genuinely in place. We start with a free, no-obligation assessment to see where you stand against these requirements, then scope a quote to your situation. To get started, reach us at info@itsultant.ca or (647) 809-2230.

FAQ

Common questions

Is multi-factor authentication required for cyber insurance in Canada?

In practice, yes for most policies. Multi-factor authentication is one of the controls insurers most consistently ask about, and many will not quote, or will apply exclusions and higher premiums, without it. The Insurance Bureau of Canada's Cyber Savvy guide lists MFA among the core controls it recommends, specifically for log-in protection beyond passwords. Priority accounts are email, remote access, and administrator logins, since those are the most common ways attackers get in. If you can only do one thing before applying, MFA on those accounts is usually it.

What is endpoint detection and response, and why do insurers want it?

Endpoint detection and response, or EDR, is software on your computers and servers that watches for malicious behaviour, alerts on it, and can help contain it, going beyond traditional antivirus that only matches known threats. Insurers want it because it catches ransomware and intrusions early, which limits the size of a claim. The Insurance Bureau of Canada's Cyber Savvy guide names EDR in its post-incident checklist, as an advanced measure to put in place after an attack. It does not list EDR among the proactive controls it recommends, but underwriters increasingly ask for it up front on applications.

Do I need a written incident response plan to get cyber insurance?

Usually yes, or at least you will be asked whether you have one. A written incident response plan sets out who is responsible, who to contact, and what steps to take when something goes wrong, so you are not improvising during a crisis. The Insurance Bureau of Canada's Cyber Savvy guide lists creating a written incident response plan among the controls it recommends, and the Canadian Centre for Cyber Security's baseline recommends a plan that names who handles incidents. It does not need to be long, but it needs to exist and be findable before you need it.

Will cyber insurance cover me if I did not have the controls I said I had?

It may not, which is why honest answers matter. Insurers price and issue policies based on the controls you attest to on the application, and a claim can be disputed if the protections you described were not actually in place. According to the Insurance Bureau of Canada's Cyber Savvy guide, the application asks detailed questions about your security controls, authentication, and staff training precisely to assess and price your risk. Put the controls in place and keep records that show they were running, rather than describing what you plan to set up later.

How much does a cyber breach cost a small business in Canada?

It varies widely, from minor cleanup costs to figures that can threaten the business. The Insurance Bureau of Canada's Cyber Savvy guide states that a single data breach could cost a Canadian business as much as 7 million dollars, citing a 2025 IBM report. At the national level, Statistics Canada reported that total spending to recover from cyber security incidents roughly doubled, from about 600 million dollars in 2021 to 1.2 billion dollars in 2023. The wide range is exactly why insurers now require preventive controls before they take on the risk.

Have a question about your setup?

Book a free assessment