Cyber Insurance Controls Checklist: What Canadian Businesses Must Have


A cyber insurance controls checklist is a structured list of security measures that Canadian businesses must have in place to qualify for cyber insurance coverage. Insurers evaluate your security posture using a detailed questionnaire, and this checklist helps you identify gaps, document your controls, and present a credible application.

What Is a Cyber Insurance Controls Checklist?

A cyber insurance controls checklist is a tool that maps your organization’s security practices against the specific requirements Canadian insurers use during underwriting. It covers technical controls like MFA and EDR, administrative controls like incident response plans, and operational controls like backup testing. Using a checklist before applying helps you spot deficiencies before an underwriter does.

Why Do Insurers Require a Controls Checklist?

The Canadian cyber insurance market has tightened significantly since 2020. Insurers are no longer accepting self-reported answers without scrutiny. Underwriters now cross-reference application responses against known incident patterns and increasingly request supporting documentation. A controls checklist helps you approach this process systematically rather than reactively.

Core Cyber Insurance Controls Checklist for Canadian Businesses

1. Multi-Factor Authentication (MFA)

MFA is the single most critical control on every Canadian insurer’s checklist. It must be enabled on all email accounts, cloud applications, VPN and remote access connections, and privileged administrative accounts. Insurers will ask specifically whether MFA is enforced everywhere — not just on a subset of accounts.

2. Endpoint Detection and Response (EDR)

EDR tools that monitor endpoint activity in real time are now a baseline requirement. Traditional antivirus is not sufficient. EDR must be deployed across all endpoints — workstations, laptops, and servers. Insurers ask for the name of the EDR solution and confirm that it is actively managed.

3. Verified and Tested Backups

Insurers expect daily backups of critical data, stored offsite or in an air-gapped environment, with documented restore tests completed at least quarterly. Insurers specifically ask whether backups have been tested and when the last test occurred. Untested backups are not considered adequate.

4. Patch Management

Critical security patches should be applied within 30 days of release, with a documented process for tracking patch status. End-of-life operating systems that no longer receive security updates are a common cause of adverse underwriting decisions or outright denial.

5. Incident Response Plan

You need a written incident response plan that identifies roles, escalation procedures, and communication protocols. Even a basic documented plan demonstrates to insurers that your organization will respond to a breach in a structured, damage-limiting way.

6. Security Awareness Training

Insurers look for regular employee security training with records of completion, plus simulated phishing exercises. Phishing remains the most common initial attack vector, and insurers increasingly ask for evidence that employees are trained to recognize and report threats.

7. Email Authentication (SPF, DKIM, DMARC)

Email authentication records help prevent domain spoofing and business email compromise. Insurers use the presence or absence of these records as a signal of how seriously your organization takes email security hygiene.
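Before an underwriter looks at your domain, it is worth reading your own SPF and DMARC records the way a receiving mail server does. The script below is an added example and not code from the article: it parses SPF and DMARC record strings and flags the settings that make a record present but ineffective (a `+all` SPF, a `p=none` DMARC policy, no aggregate-report address, too many DNS lookups). The four sample records and the example.com/example.net domains are constructed; fetching the real TXT records over DNS is deliberately left out so the check runs offline.

```python
"""Offline check of SPF and DMARC record strings for weak settings.

Added example, not code from the original article. It works on record
strings (the constructed samples below); looking the TXT records up over
DNS is left out so the check runs offline.
"""

# Constructed sample records for a hypothetical domain
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 caps DNS-querying terms at 10


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, mechanism) pairs and modifiers."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:  # modifier, e.g. redirect=_spf.example.net
            key, _, value = term.partition("=")
            modifiers[key.lower()] = value
        else:
            qualifier = term[0] if term[0] in "+-~?" else "+"
            mechanisms.append((qualifier, term.lstrip("+-~?").lower()))
    return {"mechanisms": mechanisms, "modifiers": modifiers}


def assess_spf(record: str) -> list:
    """Return human-readable findings; an empty list means no weakness found."""
    parsed = parse_spf(record)
    mechs = parsed["mechanisms"]
    findings = []
    all_positions = [i for i, (_, m) in enumerate(mechs) if m == "all"]
    if not all_positions:
        if "redirect" not in parsed["modifiers"]:
            findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = mechs[all_positions[0]][0]
        if qualifier == "+":
            findings.append("'+all' authorizes every sender; use '-all' (or '~all')")
        elif qualifier == "?":
            findings.append("'?all' is neutral; use '-all' (or '~all')")
        if all_positions[0] != len(mechs) - 1:
            findings.append("terms after 'all' are never evaluated")
    # Count terms that cost a DNS query; 'a/24' and 'mx:host/24' count once each
    lookups = sum(1 for _, m in mechs
                  if m.split(":", 1)[0].split("/", 1)[0] in SPF_LOOKUP_MECHS)
    lookups += 1 if "redirect" in parsed["modifiers"] else 0
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of "
                        f"{SPF_LOOKUP_LIMIT}; receivers return permerror")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(record: str) -> list:
    """Findings for a DMARC record that is published but does not protect the domain."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address: no aggregate reports, so no visibility into spoofing attempts")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing messages")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def assess_domain(spf: str, dmarc: str) -> dict:
    """Combine both checks the way you would summarize them for an application."""
    return {"spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc)}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_domain(spf, dmarc))
```

Run against the weak pair the output lists the `+all` and `p=none` problems; the strong pair produces empty lists for both, which is the state you want to be able to screenshot for the underwriter. DKIM is not checked here because its selector records cannot be judged without knowing which selectors the sending systems use.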

How to Document Your Controls for Insurers

Having controls in place is necessary but not sufficient — you must be able to prove it. Gather screenshots of MFA configuration settings, EDR deployment dashboards, backup logs showing recent successful tests, patch management reports, and copies of your incident response plan. Organized evidence speeds up underwriting and strengthens your negotiating position on premiums.
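The evidence you gather for items 1 to 4 can be checked against the checklist's own thresholds before you fill in the questionnaire. The script below is an added example and not code from the article: it takes a small account and endpoint inventory, applies the 30-day patch window and the quarterly (90-day) restore-test window stated above, and returns the gaps an underwriter would find. The user names, host names, dates and operating systems are constructed sample data, and the `as_of` date is fixed so the result is reproducible.

```python
"""Pre-application gap check against the checklist thresholds above.

Added example, not code from the original article. The thresholds are
the ones the checklist states; the account and endpoint inventory is
constructed and hypothetical.
"""
from datetime import date

PATCH_WINDOW_DAYS = 30        # item 4: critical patches within 30 days of release
BACKUP_TEST_WINDOW_DAYS = 90  # item 3: restore tests at least quarterly

# Constructed sample evidence as of a fixed date (hypothetical hosts and users)
AS_OF = date(2024, 6, 10)

ACCOUNTS = [  # one row per account and MFA scope the insurer asks about
    {"user": "alice",     "scope": "email", "mfa": True},
    {"user": "alice",     "scope": "cloud", "mfa": True},
    {"user": "bob",       "scope": "vpn",   "mfa": False},
    {"user": "svc-admin", "scope": "admin", "mfa": False},
]

ENDPOINTS = [  # oldest_unpatched = release date of the oldest missing critical patch
    {"host": "ws-01",  "os": "Windows 11",   "edr": True,  "oldest_unpatched": None,              "eol": False},
    {"host": "ws-02",  "os": "Windows 7",    "edr": False, "oldest_unpatched": date(2024, 1, 9),  "eol": True},
    {"host": "srv-01", "os": "Ubuntu 22.04", "edr": True,  "oldest_unpatched": date(2024, 5, 20), "eol": False},
]

LAST_RESTORE_TEST = date(2024, 2, 28)


def mfa_gaps(accounts):
    """Accounts where MFA is not enforced; insurers ask for 'everywhere', not a subset."""
    return sorted(f"{a['user']}/{a['scope']}" for a in accounts if not a["mfa"])


def edr_gaps(endpoints):
    """Endpoints with no EDR agent (traditional antivirus does not count)."""
    return sorted(e["host"] for e in endpoints if not e["edr"])


def patch_gaps(endpoints, as_of):
    """End-of-life systems and hosts with a critical patch older than the window."""
    gaps = []
    for e in endpoints:
        if e["eol"]:
            gaps.append(f"{e['host']}: end-of-life OS {e['os']}")
        elif e["oldest_unpatched"] is not None:
            age = (as_of - e["oldest_unpatched"]).days
            if age > PATCH_WINDOW_DAYS:
                gaps.append(f"{e['host']}: oldest missing critical patch is "
                            f"{age} days old (limit {PATCH_WINDOW_DAYS})")
    return gaps


def backup_gap(last_test, as_of):
    """None if the last documented restore test is within the window, else a finding."""
    age = (as_of - last_test).days
    if age > BACKUP_TEST_WINDOW_DAYS:
        return f"last restore test was {age} days ago (limit {BACKUP_TEST_WINDOW_DAYS})"
    return None


def gap_report(accounts, endpoints, last_test, as_of):
    """Per-control findings plus an overall ready flag, in checklist order."""
    backup = backup_gap(last_test, as_of)
    findings = {
        "1_mfa": mfa_gaps(accounts),
        "2_edr": edr_gaps(endpoints),
        "3_backups": [backup] if backup else [],
        "4_patching": patch_gaps(endpoints, as_of),
    }
    return {"ready": not any(findings.values()), "findings": findings}


if __name__ == "__main__":
    report = gap_report(ACCOUNTS, ENDPOINTS, LAST_RESTORE_TEST, AS_OF)
    print("ready to apply:", report["ready"])
    for control, gaps in report["findings"].items():
        for gap in gaps:
            print(f"  {control}: {gap}")
```

With the sample data the report is not ready: two accounts lack MFA, one workstation has no EDR and runs an end-of-life OS, and the last restore test is 103 days old. Feeding the script exports from your identity provider, EDR console and backup system instead of the inline lists turns it into a repeatable pre-check you can rerun before each renewal.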

Frequently Asked Questions

What controls do cyber insurers require in Canada?

Canadian cyber insurers most commonly require multi-factor authentication (MFA) on all accounts, endpoint detection and response (EDR) software, tested and offsite backups, a patch management process, and a written incident response plan. Email authentication records (SPF, DKIM, DMARC) and security awareness training are also standard requirements.

What is the most important control for getting cyber insurance?

Multi-factor authentication (MFA) is the single most important control for cyber insurance approval in Canada. It is the most frequently cited reason for denial when absent, and the most impactful single change a business can make to improve its insurability.

Do small businesses need to meet the same controls checklist as large businesses?

Yes. Canadian insurers apply essentially the same core controls requirements to small businesses as to larger organizations. The controls required — MFA, EDR, backups, patch management, incident response — are the same regardless of company size.
