Free resource • Updated June 2026
The Canadian SMB Cyber-Insurance Compliance Checklist
A 30-item self-assessment covering the controls Canadian cyber-insurance carriers — Coalition, Beazley, CFC, Travelers Canada, Chubb, and surplus-lines markets — ask about during 2026 renewal. Answer Yes / Partial / No for each. Be honest. Then check your score against the tier guide.
Category 1 — Identity and access (5 items)
- 1.1 Multi-factor authentication enforced on all user accounts, including administrators and service accounts
- 1.2 MFA uses number-matching or hardware key (not just push-approval) to defeat MFA-bombing attacks
- 1.3 Administrator accounts are separate from daily-driver accounts (admins have two accounts each)
- 1.4 Conditional Access policies block legacy authentication protocols (POP, IMAP, basic auth)
- 1.5 Departing employees are offboarded within 24 hours — access fully revoked across all systems
Category 2 — Endpoint protection (3 items)
- 2.1 Managed EDR is deployed on 100% of laptops, desktops, and servers — not just basic antivirus
- 2.2 EDR is monitored 24/7 by an external or internal Security Operations Centre
- 2.3 Full-disk encryption is enabled on all laptops and mobile devices
Category 3 — Backup and recovery (4 items)
- 3.1 Backups follow the 3-2-1 rule — three copies, two media types, one off-site
- 3.2 At least one backup copy is immutable, air-gapped, or cloud-stored with retention lock
- 3.3 M365 or Google Workspace data is backed up by a third-party service (not Microsoft's native retention)
- 3.4 A documented restore test has been performed in the last 90 days with a successful outcome
Category 4 — Patching and vulnerability management (3 items)
- 4.1 A patch management system tracks every endpoint and reports patch compliance
- 4.2 Critical software security updates are installed within 30 days of vendor release
- 4.3 External-facing systems are scanned for vulnerabilities at least quarterly
Category 5 — Email and web security (3 items)
- 5.1 Email authentication (DMARC, SPF, DKIM) is configured and enforced on your domain
- 5.2 Advanced anti-phishing protection enabled (Defender for Office 365, Mimecast, or equivalent)
- 5.3 External email auto-forwarding from individual mailboxes is disabled
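"Configured and enforced" is the part of item 5.1 that underwriters actually probe: a DMARC record with p=none, or an SPF record ending in +all, is published but enforces nothing. The following script, added here as an illustration and not part of the checklist itself, grades a domain's SPF and DMARC TXT records the same Yes / Partial / No way the checklist does. The records and domain names in it are constructed for the example; in real use you would look up the TXT records for your domain and for _dmarc.<your domain> with a DNS client and pass the strings in. The SPF lookup count it reports is a lower bound, since nested include: records are not expanded offline.

```python
# Added example: offline grader for checklist item 5.1 (SPF/DMARC configured and enforced).
# All records and domain names below are constructed for illustration.
import re

RANK = {"No": 0, "Partial": 1, "Yes": 2}

# SPF terms that each cost a DNS lookup; RFC 7208 caps an evaluation at 10.
SPF_LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}


def parse_dmarc(record):
    """Split a DMARC record into lowercase tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return (answer, findings) for an SPF TXT record."""
    findings = []
    if not record or not record.lower().startswith("v=spf1"):
        return "No", ["no SPF record published"]
    terms = record.split()[1:]  # drop the v=spf1 version tag
    # The trailing 'all' qualifier decides what happens to senders not listed.
    final = terms[-1].lower() if terms else ""
    if final == "-all":
        answer = "Yes"
    elif final == "~all":
        answer = "Yes"
        findings.append("softfail (~all): move to -all once every legitimate sender is listed")
    else:
        answer = "No"
        findings.append("record does not end in -all or ~all, so unlisted senders are accepted")
    # Count top-level lookup-causing terms (includes are not expanded offline).
    lookups = 0
    for term in terms:
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), 1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        answer = "No"
        findings.append(f"{lookups} lookup terms exceed the 10-lookup limit (SPF permerror)")
    return answer, findings


def assess_dmarc(record):
    """Return (answer, findings) for a DMARC TXT record."""
    findings = []
    if not record or not record.lower().startswith("v=dmarc1"):
        return "No", ["no DMARC record published at _dmarc.<domain>"]
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 0
        findings.append("pct= tag is not a number")
    if policy in ("quarantine", "reject") and pct == 100:
        answer = "Yes"
    elif policy in ("quarantine", "reject"):
        answer = "Partial"
        findings.append(f"p={policy} is applied to only {pct}% of failing mail")
    elif policy == "none":
        answer = "Partial"
        findings.append("p=none is monitor-only; mail that fails DMARC is still delivered")
    else:
        answer = "No"
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    return answer, findings


def assess_email_auth(spf_record, dmarc_record):
    """Combine SPF and DMARC into one checklist answer; the weaker result wins."""
    spf_answer, spf_findings = assess_spf(spf_record)
    dmarc_answer, dmarc_findings = assess_dmarc(dmarc_record)
    overall = min(spf_answer, dmarc_answer, key=RANK.get)
    return {"answer": overall, "spf": spf_answer, "dmarc": dmarc_answer,
            "findings": spf_findings + dmarc_findings}


# Constructed sample records (hypothetical domains) covering the three answers.
SAMPLE_RECORDS = {
    "enforced.example": ("v=spf1 include:spf.protection.outlook.com -all",
                         "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@enforced.example"),
    "monitor-only.example": ("v=spf1 include:spf.protection.outlook.com ~all",
                             "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"),
    "unprotected.example": ("v=spf1 ip4:203.0.113.10 +all", ""),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        result = assess_email_auth(spf, dmarc)
        print(f"{domain}: {result['answer']} (SPF {result['spf']}, DMARC {result['dmarc']})")
        for finding in result["findings"]:
            print("   -", finding)
```

The grading deliberately treats p=none as Partial rather than No: the record exists and produces aggregate reports, which is the usual first step, but it blocks nothing, and that is the distinction the questionnaire's word "enforced" is asking you to make. DKIM is not graded here because its selector records can only be checked once you know which selectors your mail platform signs with.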
Category 6 — Awareness and training (3 items)
- 6.1 All employees complete cybersecurity awareness training annually
- 6.2 New hires complete training within 30 days of start date
- 6.3 Phishing simulation is conducted at least quarterly with measured click-rate trend
Category 7 — Incident response (3 items)
- 7.1 A written incident response plan exists, with named responder + external IR firm + broker contacts
- 7.2 The IR plan has been tested via tabletop exercise in the last 12 months
- 7.3 Audit logging is enabled across critical systems with at least 1-year retention
Category 8 — Asset and vendor management (3 items)
- 8.1 Current inventory of all hardware assets and authorized software, reviewed quarterly
- 8.2 Third-party service provider relationships documented and reviewed annually
- 8.3 Vendor banking-change requests require verbal verification before action — no exceptions
Category 9 — Network and infrastructure (3 items)
- 9.1 Network is segmented (guest Wi-Fi separated, sensitive systems on isolated VLANs)
- 9.2 Remote access (VPN, RDP) requires MFA and is monitored
- 9.3 Firewall firmware is current and configuration is reviewed at least annually
Scoring
Count your Yes answers (Partial = ½ a Yes). Find your tier below.
You're in the minority of Canadian SMBs who can credibly answer the 2026 questionnaire. Renewal should be smooth.
You'd likely pass underwriting but with conditions — higher premium, sub-limits, or specific exclusions. Most gaps fixable in 30–60 days.
Material gaps. Expect significant premium increases, coverage restrictions, or non-renewal. Action needed within 90 days.
Renewal is in serious doubt. A breach today would likely not be covered. Treat as a business-critical issue.
If you have to start somewhere
Address gaps in this order — these five together cover roughly 80% of the underwriting weight carriers apply:
- MFA on every account (1.1) — highest-leverage 30 minutes you'll ever spend
- Managed EDR deployment (2.1) — replaces antivirus with 24/7 monitored protection
- Tested immutable backups (3.2 + 3.4) — without this, ransomware coverage is at risk
- Written incident response plan (7.1) — the document carriers explicitly require
- Monthly phishing simulation (6.3) — measurable improvement signal for underwriters
Want the formal version of this analysis?
The Cyber Insurance Readiness Assessment ($2,500 fixed fee, about 2 weeks) gives you a written gap analysis verified through technical evidence, mapped to your carrier's actual questionnaire, with a prioritized remediation roadmap and cost estimate.