What Is Cyber Control Evidence — And Why Your Insurer Doesn’t Trust Your Answers Anymore

The question Canadian SMBs are asking about cyber insurance is the wrong question.

They are asking: do we have the right controls? MFA — yes. Backups — yes. Endpoint protection — yes. The checklist says yes. The broker submits the application. The renewal goes through.

The question that actually determines your risk profile — and increasingly, your coverage terms, your premiums, and whether a claim is honoured — is different: can you prove it?

Cyber control evidence is the documentation that answers that second question. It is not the security itself. It is the record of the security — the screenshots, configurations, logs, test results, and policy documents that make your controls visible to an insurer, a broker, an enterprise client, or a regulator.

Most Canadian SMBs have decent controls and almost no evidence. That gap is the problem Readiness AI exists to solve.

Why “We Have That” Is No Longer Enough

Until 2020, the cyber insurance industry largely ran on trust. Businesses self-reported their security posture on a questionnaire. Underwriters accepted those answers. Premiums were low, coverage was broad, and nobody looked too closely.

Then claims volume exploded. Ransomware, business email compromise, and data breach incidents surged. Insurers found, repeatedly, that the controls businesses said they had were either absent, partially deployed, or not functioning as described. Loss ratios in cyber went above 70% in 2021. Insurers responded — not just with premium increases, but with a fundamental shift in how they underwrite.

Self-attestation gave way to evidence requests. “Do you have MFA?” became “Show us your MFA enforcement policy and a screenshot confirming legacy authentication is disabled.” The questionnaire became the starting point, not the finishing line.

This shift is ongoing. Evidence expectations have been rising year over year, and businesses that are not maintaining documentation are facing supplemental questionnaires, adverse terms, and renewal friction that their well-documented competitors are not experiencing.

What Cyber Control Evidence Is — and What It Is Not

Cyber control evidence is not a security audit. It is not a penetration test. It is not a certification.

It is the organized collection of documentation that demonstrates the current state of your security controls to a third party. It is practical, specific, and producible from your existing tools without external consultants.

Good cyber control evidence is:

  • Specific — it shows a particular control in a particular configuration, not a general statement that something exists
  • Current — it is dated, showing the state of your environment at a recent point in time
  • Verifiable — it comes from a system of record (a console, a log, a report) rather than a word-processed document claiming something is true
  • Organized — it is structured by control category so a broker or underwriter can find what they need without asking again

Weak or absent cyber control evidence looks like:

  • A signed declaration stating “we use MFA” with no supporting screenshot
  • A backup policy document with no corresponding logs or restore test records
  • A vendor invoice showing an EDR product was purchased, with no deployment report
  • An incident response plan dated 2019 that has never been tested or updated
  • Nothing at all, with the intention of assembling it “when we need it”

The Six Control Categories Where Evidence Gaps Matter Most

Cyber insurance underwriting focuses on a relatively stable set of control categories. The evidence requirements for each category have become more specific over time.

1. Identity and Access (MFA)

MFA must be enforced — not just available — on email, privileged admin accounts, cloud platforms, and remote access. Evidence: screenshots of conditional access policies or MFA enforcement settings, confirmation that legacy authentication protocols are disabled. The gap most commonly seen: MFA enabled for most users but not enforced for service accounts or legacy integrations.

2. Endpoint Detection and Response (EDR)

EDR is now the expected standard, replacing traditional antivirus on insurer checklists. Evidence: deployment report showing EDR coverage across all endpoints, confirmation of central management and alerting. The gap: EDR installed on servers and company laptops but not on employee-owned devices used for work, or no central management console showing coverage percentage.

3. Backup and Recovery

The standard has moved from “we have backups” to documented isolation, immutability, and tested recovery. Evidence: backup configuration screenshots, offsite/air-gap confirmation, restore test record with date and result. The gap: backups exist but are on the same network segment as production, have never been restore-tested, or lack immutability settings.

4. Email Authentication (DMARC/DKIM/SPF)

Email authentication has been added to underwriting checklists as business email compromise claims have risen. Evidence: DNS record screenshots showing SPF, DKIM, and DMARC at p=reject or p=quarantine. The gap: DMARC is missing or set to p=none, meaning no enforcement is in place despite an assumption that email security exists.
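As an added illustration (not code from the article or from Readiness AI), the check below turns the three DNS records this category relies on into the kind of dated, verifiable record the section describes, flagging the p=none gap the way an underwriter would. The domain, selector name and TXT values are constructed samples; in practice they would come from DNS lookups.

```python
from datetime import datetime, timezone

# Constructed sample TXT records for a hypothetical domain; not real DNS data.
# In practice these come from DNS lookups (e.g. `dig TXT _dmarc.<domain>`).
SAMPLE_TXT = {
    "example-smb.ca": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example-smb.ca": ["v=DMARC1; p=none; rua=mailto:dmarc@example-smb.ca"],
    "selector1._domainkey.example-smb.ca": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}
SPF_ALL_MODES = {"-all": "fail", "~all": "softfail", "?all": "neutral", "+all": "pass"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_email_auth(domain, dkim_selectors, txt):
    """Summarize SPF, DKIM and DMARC state for a domain as a dated evidence record."""
    gaps = []
    # SPF: the terminal 'all' mechanism decides how unlisted senders are treated.
    spf = next((r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")), None)
    spf_mode = SPF_ALL_MODES.get(spf.split()[-1].lower(), "no-all-term") if spf else "missing"
    if spf_mode not in ("fail", "softfail"):
        gaps.append(f"SPF is {spf_mode}; unlisted senders are not rejected")
    # DKIM: each expected selector must publish a key record with a non-empty p= tag.
    dkim_found = [sel for sel in dkim_selectors
                  if any(parse_tags(r).get("p") for r in txt.get(f"{sel}._domainkey.{domain}", []))]
    if not dkim_found:
        gaps.append("no DKIM key published for the expected selectors")
    # DMARC: only p=quarantine or p=reject applied to 100% of mail counts as enforcement.
    dmarc = next((r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")), None)
    tags = parse_tags(dmarc) if dmarc else {}
    policy, pct = tags.get("p", "missing"), int(tags.get("pct", "100"))
    enforced = policy in ("quarantine", "reject") and pct == 100
    if not enforced:
        gaps.append(f"DMARC policy is p={policy} (pct={pct}); no enforcement in place")
    return {"domain": domain,
            "captured_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "spf_mode": spf_mode, "dkim_selectors_found": dkim_found,
            "dmarc_policy": policy, "dmarc_pct": pct, "enforced": enforced, "gaps": gaps}

if __name__ == "__main__":
    print(evaluate_email_auth("example-smb.ca", ["selector1"], SAMPLE_TXT))
```

The returned dictionary is the evidence item: specific (one domain, one policy), dated (captured_at), and taken from the system of record rather than from a written claim.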

5. Patch and Vulnerability Management

Insurers want to see that known vulnerabilities are addressed on a defined schedule, and that end-of-life software is either absent or managed with compensating controls. Evidence: patch status report, patching policy, confirmation no end-of-life OS or software is in use without mitigation. The gap: patching happens informally, no records are kept, and end-of-life Windows versions persist on specific machines.

6. Incident Response Planning

A written, current incident response plan (IRP) is a baseline expectation. Increasingly, underwriters ask whether it has been tested. Evidence: IRP document with a recent review date, tabletop exercise record if available. The gap: an IRP was drafted years ago, has not been updated, and has never been exercised by the actual team responsible for responding.

Where Cyber Control Evidence Is Used

Insurance renewal is the most common trigger, but it is not the only one. Canadian SMBs are increasingly asked for evidence of their security posture in three distinct contexts:

Cyber insurance underwriting and renewal — The primary use case. Brokers and underwriters use evidence packages to assess risk, set terms, and validate application answers. A well-organized submission shortens the underwriting timeline and supports more favourable terms.

Client security reviews and vendor questionnaires — Enterprise clients, regulated institutions, and government procurement processes are increasingly asking their SMB suppliers to demonstrate security posture. A vendor security questionnaire is essentially a request for evidence. Businesses that can respond quickly and credibly win deals that businesses without documentation lose.

Regulatory and compliance context — PIPEDA and provincial privacy legislation create breach notification and due-diligence obligations. Demonstrating that a business had appropriate controls in place at the time of an incident is relevant to regulatory response and potential liability. Evidence supports the position that the business acted reasonably.

The Practical Problem: Evidence Doesn’t Organize Itself

The gap between having controls and having evidence is not a technical problem. It is an organizational one.

Every control your business has generates evidence somewhere — in your Microsoft 365 admin console, your EDR dashboard, your backup platform, your DNS records, your IT provider’s documentation. The problem is that this evidence is scattered across systems, owned by different people, and never assembled into a coherent package until a renewal deadline or a client request forces it.

At that point, the assembly happens under pressure. Screenshots are taken in a hurry. The IT provider is asked for documentation with a 48-hour deadline. Something is missing. The application goes in with gaps. The underwriter comes back with questions. The renewal timeline stretches. Terms are less favourable than they should be.

The businesses that handle this well are not the ones with better security. They are the ones with better documentation habits — an ongoing practice of capturing and organizing evidence so that it exists when it is needed.

How Readiness AI Approaches This

Readiness AI is built specifically for Canadian SMBs who have reasonable security controls but lack the organized evidence to demonstrate them when it matters.

The platform structures your evidence by control category — identity, endpoint, backup, email authentication, patching, incident response — and guides you through the specific documentation each category requires. Evidence is maintained as a living record rather than assembled under deadline pressure.

When a renewal arrives, or when a client sends a vendor security questionnaire, your evidence is ready. Your broker gets a submission they can work with. Your client gets a response that demonstrates maturity. You do not spend two weeks chasing your IT provider for screenshots.

Readiness AI does not assess your security posture, conduct audits, or tell you what controls to buy. It helps you document and organize the controls you already have in a way that holds up when someone asks for proof.

Start your Readiness Review to see what your current evidence looks like across all six control categories. Or view a sample evidence pack to see what a complete, organized submission contains.

Readiness AI helps Canadian SMBs organize cyber readiness evidence for insurance renewal, client security reviews, and compliance workflows. It does not provide insurance advice, legal advice, or a guarantee of coverage. Businesses should work with a qualified cyber insurance broker for advice specific to their situation.

Frequently Asked Questions

What is cyber control evidence?

Cyber control evidence is the documentation that demonstrates the state of your security controls to a third party — an insurer, a broker, a client, or a regulator. It includes screenshots of configurations, deployment reports, backup logs, restore test records, policy documents, and other verifiable records organized by control category. It is distinct from the security itself: having a control and having evidence of a control are two different things.

Why do cyber insurers ask for evidence rather than just questionnaire answers?

After a period of high claims volume driven by ransomware and business email compromise, Canadian cyber insurers found that self-reported answers on applications frequently did not reflect actual security posture. Controls that businesses said they had were absent, partially deployed, or misconfigured. Underwriters responded by requesting documentary evidence to validate application answers — particularly for MFA, EDR, backups, and email authentication.

How is cyber control evidence different from a security audit?

A security audit is an independent assessment of your security posture, typically conducted by a third-party firm. It is expensive, time-consuming, and produces a formal report. Cyber control evidence is not an audit — it is a documentation practice. It is assembled from your own systems and tools, organized by your team or with support from a platform like Readiness AI, and submitted to insurers, clients, or brokers as needed. Most SMBs do not need a formal audit; they need their existing controls documented.

Can I produce cyber control evidence without hiring a consultant?

Yes. The documentation that makes up a cyber control evidence package comes from your existing tools — your email and identity platform, your EDR console, your backup solution, your DNS records. It does not require external expertise to produce, though it does require someone with admin access to each system and an understanding of what screenshots and reports to capture. Readiness AI guides this process for Canadian SMBs without requiring a security consultant.
