Cyber Insurance Questionnaire Canada: How to Prepare Before Submission
The cyber insurance questionnaire is the entry point for every Canadian commercial cyber policy. What you say in it — and how you back it up — determines whether you get coverage, what your premium looks like, and whether your insurer pays out if you have a claim.

This guide explains how to prepare for a Canadian cyber insurance questionnaire: what it’s actually asking, which questions carry the most underwriting weight, and how to back your answers with verified evidence.
What Is a Cyber Insurance Questionnaire?
A cyber insurance questionnaire (also called an application, intake form, or underwriting submission) is the document insurers use to assess your organization’s cyber risk before issuing a policy. It typically covers your security controls, technology environment, revenue, employee count, data handling practices, and incident history.
Most Canadian carriers use their own proprietary questionnaire format, though many have converged around similar structures since 2021. Brokers often help translate your controls into the insurer’s preferred format, but the underlying factual accuracy is your responsibility — and your liability if it’s wrong.
Why Your Questionnaire Answers Matter More Than You Think
Cyber insurance policies in Canada are underwritten on the basis of the information you provide in your application. If you represent that you have MFA deployed across all privileged accounts and a breach reveals that you did not, your insurer may deny the claim, citing material misrepresentation, regardless of how the breach happened.
This is not hypothetical. Canadian cyber insurers have disputed and denied claims specifically because post-incident forensics revealed that questionnaire responses were inaccurate. The mismatch between what applicants believe about their controls and what actually exists is one of the most common sources of coverage disputes.
The 8 Controls That Drive Underwriting Decisions
Across Canadian carriers, eight security controls consistently carry the most underwriting weight. Your responses to questions about these controls — and your ability to substantiate them — will determine your premium band and coverage terms.
1. Multi-Factor Authentication (MFA)
Almost every Canadian cyber questionnaire asks about MFA. The key questions are: Is MFA deployed on remote access (VPN, RDP)? On email? On privileged admin accounts? On cloud services? Insurers distinguish between partial MFA coverage and comprehensive MFA. Answering “yes” when MFA only covers one system creates misrepresentation risk. Prepare an MFA coverage inventory before answering.
2. Endpoint Detection and Response (EDR)
Insurers ask whether EDR is deployed, which product you use, and what percentage of endpoints are covered. Basic antivirus is no longer accepted by most carriers as equivalent to EDR. If you’re unsure whether your product qualifies, confirm with your broker before submitting. See the full EDR requirements guide for what Canadian insurers accept.
3. Backup and Recovery
Questions cover backup frequency, offsite or cloud storage, immutability (protection against ransomware encryption), and restore testing. Insurers want to know not just that you have backups, but that they work. Having backups that haven’t been tested is treated as a gap. See the backup verification requirements guide for what evidence to prepare.
4. Privileged Access Management
Insurers ask whether administrative accounts are separate from standard user accounts, whether privileged access is logged, and whether the number of admin accounts is minimized. A large number of admin accounts with no separation from daily-use accounts is a significant risk signal for underwriters.
5. Email Security
Questions cover DMARC, DKIM, and SPF configuration, as well as anti-phishing controls and email gateway filtering. Business email compromise (BEC) remains one of the most costly cyber insurance claim categories in Canada. Carriers look closely at email security controls as a result.
6. Patch Management
Insurers ask about patching cadence, whether critical patches are applied within a defined window (typically 30 days), and whether end-of-life software is in use. Running unsupported operating systems is a hard negative signal in most Canadian underwriting submissions.
7. Incident Response Planning
Questions ask whether you have a documented incident response plan (IRP), whether it has been tested, and who is responsible for executing it. Carriers don’t expect enterprise-grade IR programs from SMBs, but they do expect a documented plan with named contacts and a basic playbook for ransomware and data breach scenarios.
8. Security Awareness Training
Many questionnaires ask whether employees receive cybersecurity training, how frequently, and whether phishing simulations are conducted. Training evidence is lower-weight than the technical controls above, but it contributes to your overall risk profile.
How to Prepare for Your Questionnaire Submission
Preparation means verifying your controls before answering — not answering based on what you believe is in place. Here is a structured approach:
Step 1: Obtain the Questionnaire in Advance
Ask your broker to provide the carrier’s questionnaire before the renewal date. Most carriers allow the questionnaire to be obtained 60–90 days before renewal. Reviewing it early gives you time to identify gaps and produce evidence without deadline pressure.
Step 2: Conduct a Controls Verification
Walk through each of the eight control areas above and verify actual deployment status — not what you think is in place. Log into systems and confirm. Run coverage reports. Check that MFA is enabled for each account class, that EDR agents are active on all endpoints, and that backups have been tested recently.
Step 3: Document Your Findings
Create a controls summary document that records what you verified, when, and with what evidence. This serves two purposes: it supports accurate questionnaire completion, and it gives you a defensible record if a claim is ever disputed.
Step 4: Address Gaps Before Submitting
If your verification reveals gaps — partial MFA coverage, EDR missing from certain servers, untested backups — address them before submitting the questionnaire if possible. If a gap can’t be resolved before the submission deadline, disclose it honestly and explain the remediation plan. Undisclosed gaps are the primary source of claim denial in coverage disputes.
Step 5: Prepare Supporting Evidence
Some Canadian carriers now request supporting documentation alongside the questionnaire — particularly for policies above $1M. Even if your carrier doesn’t require it now, having evidence packaged and ready strengthens your broker’s submission and positions you favourably in the underwriting review. See what a complete cyber insurance evidence pack looks like for a Canadian SMB.
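An added example, not part of the original guide or any carrier's tooling: a short Python script that carries out Steps 2 through 4 on exported inventories, reporting MFA gaps per account class, EDR coverage, and restore-test age as a dated controls summary. The inventories, field names, dates and the 90-day restore-test threshold are constructed assumptions; replace them with exports from your own identity provider, EDR console and backup system.

```python
from collections import defaultdict
from datetime import date
import json

# Constructed sample inventory (not real data); field names are assumptions.
ACCOUNTS = [
    {"user": "alice",     "cls": "email",            "mfa": True},
    {"user": "vpn-carol", "cls": "remote_access",    "mfa": True},
    {"user": "adm-dave",  "cls": "privileged_admin", "mfa": True},
    {"user": "adm-svc",   "cls": "privileged_admin", "mfa": False},
    {"user": "erin",      "cls": "cloud",            "mfa": True},
]
ENDPOINTS = [
    {"host": "ws-01", "edr_active": True}, {"host": "ws-02", "edr_active": True},
    {"host": "srv-db", "edr_active": False}, {"host": "srv-fs", "edr_active": True},
]
MAX_RESTORE_TEST_AGE_DAYS = 90  # assumption: the guide only says "recently"

def mfa_gaps(accounts):
    """Return {account class: [users without MFA]} for classes with a gap."""
    gaps = defaultdict(list)
    for a in accounts:
        if not a["mfa"]:
            gaps[a["cls"]].append(a["user"])
    return dict(gaps)

def edr_coverage(endpoints):
    """Return (percent covered, hosts missing an active agent)."""
    missing = [e["host"] for e in endpoints if not e["edr_active"]]
    pct = 100.0 * (len(endpoints) - len(missing)) / len(endpoints)
    return pct, missing

def controls_summary(accounts, endpoints, last_restore_test, verified_on):
    """Build the Step 3 record: what was verified, when, and every gap found."""
    gaps = mfa_gaps(accounts)
    pct, missing = edr_coverage(endpoints)
    age = (verified_on - last_restore_test).days
    return {
        "verified_on": verified_on.isoformat(),
        "mfa_answer": "yes" if not gaps else "partial",  # never "yes" with a gap
        "mfa_gaps": gaps,
        "edr_percent": pct,
        "edr_missing": missing,
        "restore_test_age_days": age,
        "restore_test_current": age <= MAX_RESTORE_TEST_AGE_DAYS,
    }

if __name__ == "__main__":
    print(json.dumps(controls_summary(ACCOUNTS, ENDPOINTS, date(2024, 1, 10), date(2024, 6, 3)), indent=2))
```

Each non-empty gap list is either a remediation item to close before submission or a disclosure to make on the questionnaire; the dated output is the record to keep with your evidence.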
What the Questionnaire Doesn’t Capture
Questionnaires are self-reported. They capture what applicants believe is true — not what is verifiably true. This gap is well understood by insurers, which is why the industry has moved toward requiring evidence at higher coverage tiers and after claims events.
The practical implication for Canadian SMBs: even if your carrier doesn’t ask for documentation today, the accuracy of your responses remains your legal obligation. Treating the questionnaire as a documentation exercise — verifying controls and keeping records — protects you whether or not the insurer ever asks to see proof.
Frequently Asked Questions
What happens if I answer a questionnaire incorrectly?
If an inaccurate answer is discovered after a claim, the insurer may deny coverage under a material misrepresentation clause. The key word is “material” — the misrepresentation must relate to something that would have affected the insurer’s decision to issue the policy or set the premium. Incorrectly stating that you have EDR on all servers when you don’t would almost certainly be material. Incorrectly estimating your annual revenue by a small amount probably would not be.
Should my broker help me complete the questionnaire?
Yes — your broker should help you understand what each question is asking and how to translate your environment into the insurer’s terminology. However, the factual accuracy of your responses is your responsibility, not your broker’s. Delegate only the formatting and translation of your verified facts into the questionnaire format, not the verification process itself.
How long does a cyber insurance questionnaire take to complete?
The questionnaire itself typically takes 30–90 minutes to complete. But if you’re doing it properly — verifying controls before answering — the full preparation process takes 2–5 business days for a typical Canadian SMB. Factor this into your renewal timeline and start at least 60 days before your policy expiry.
Do all Canadian cyber insurers use the same questionnaire?
No. Each carrier has its own format, and questions vary in scope, depth, and terminology. However, the eight core control areas described in this guide appear in some form on every Canadian cyber questionnaire. If you’ve verified and documented your posture across those eight areas, you’re prepared for any carrier’s format.
For a complete overview of what Canadian insurers require across all controls — including how to verify and document each one — see the cyber insurance requirements guide for Canadian SMBs.
Once your questionnaire is complete and submitted, use the cyber insurance renewal checklist to track proof-of-controls documentation for your next renewal cycle.