Cyber Insurance Renewal Checklist for Canadian Businesses
Cyber insurance renewal is not just a paperwork exercise. For most Canadian small businesses, it is one of the few moments each year when someone actually reviews the company’s security posture — what controls are in place, what has changed, and whether the answers on the application still reflect reality.
Used well, renewal is a forcing function for security improvement. Used poorly, it is a box-checking exercise that leaves gaps between what you report and what is actually true — and those gaps can cost you when a claim is made.
This checklist covers the underwriting questions most Canadian cyber insurers now ask, what they are actually looking for, and how to prepare your evidence before your next renewal conversation.

Why renewal preparation matters more than it used to
Canadian cyber insurers have changed their underwriting significantly since 2020. What used to be a simple questionnaire has become a structured security assessment. Insurers are asking harder questions, requesting more detail, and in some cases sending third-party assessors to verify what applicants report.
At the same time, claims frequency has risen and policy wordings have tightened. Exclusions for inadequate security controls are now standard. If an insurer determines that a breach occurred because a claimed control was not actually in place, the claim can be denied — or reduced — on misrepresentation grounds.
The businesses that navigate renewal most successfully are the ones that can produce documented evidence of their controls — not just assertions.
Underwriting questions on your cyber insurance renewal checklist
While exact wording varies by insurer, most Canadian cyber insurance applications cover the following areas. For each, we have noted what insurers are actually looking for — not just the surface answer.
Multi-factor authentication (MFA)
What they ask: Is MFA enabled on email? On remote access (VPN/RDP)? On privileged/admin accounts?
What they want to see: MFA enforced — not just available — on all three. “Enforced” means users cannot bypass it. Insurers have seen too many claims where MFA was technically enabled but not required, and attackers simply bypassed it.
Renewal prep: Document which systems have MFA enforced, how enforcement is configured, and whether any exceptions exist. If you have exceptions (legacy systems, specific users), document the compensating controls.
Backup and recovery
What they ask: Do you maintain offline or immutable backups? Are they stored separately from primary systems? Have you tested restoration?
What they want to see: Backups that cannot be encrypted or deleted in a ransomware event. Cloud backups connected to the same environment as your primary data do not qualify. Insurers also want to know how recently you tested restoration — not just that you run backups.
Renewal prep: Document your backup frequency, storage location, isolation from primary systems, and the date of your last successful restoration test. If you have not tested restoration in the past 12 months, do it before renewal.
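One way to pull the backup evidence this section asks for out of your own job logs is shown below. This is an added example, not code from the page or from any backup product: the log line format, the target inventory (which targets are isolated and immutable) and the sample lines are constructed for illustration, and the 12-month restoration-test threshold is the one the checklist itself uses.

```python
# Added example (not from the page or any vendor): parse constructed backup job
# log lines and report, per backup set, the last successful backup, the last
# successful restoration test, whether the target is isolated/immutable, and
# which of these would be a gap in a renewal submission.
import re
from datetime import datetime, timedelta, timezone

# Constructed log format: "<iso-ts> backup set=<name> target=<name> status=<success|failure>"
# or "<iso-ts> restore-test set=<name> status=<success|failure>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>backup|restore-test) set=(?P<set>\S+)"
    r"(?: target=(?P<target>\S+))? status=(?P<status>success|failure)$"
)

# Constructed sample log (assumption: one line per job run).
SAMPLE_LOG = """
2025-09-01T02:00:11Z backup set=fileserver target=s3-immutable-vault status=success
2025-09-02T02:00:09Z backup set=fileserver target=s3-immutable-vault status=success
2025-09-02T02:10:00Z backup set=finance-db target=nas-primary status=success
2024-03-15T10:00:00Z restore-test set=fileserver status=success
2025-08-20T09:30:00Z restore-test set=finance-db status=failure
this line is not a job record and is skipped
""".strip().splitlines()

# Constructed target inventory: is the target separated from primary systems,
# and can a ransomware actor with primary-environment access delete it?
SAMPLE_TARGETS = {
    "s3-immutable-vault": {"isolated": True, "immutable": True},
    "nas-primary": {"isolated": False, "immutable": False},
}

AS_OF = datetime(2025, 10, 1, tzinfo=timezone.utc)  # constructed renewal-prep date


def parse_line(line):
    """Return a dict for a well-formed job line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def assess_backups(lines, targets, as_of, max_test_age=timedelta(days=365)):
    """Per backup set: latest successful backup/restore test and a list of issues."""
    sets = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = sets.setdefault(rec["set"], {"last_backup": None, "target": None,
                                         "last_restore_test": None, "issues": []})
        if rec["status"] != "success":
            continue  # only successful runs count as evidence
        if rec["event"] == "backup":
            if s["last_backup"] is None or rec["ts"] > s["last_backup"]:
                s["last_backup"], s["target"] = rec["ts"], rec["target"]
        elif s["last_restore_test"] is None or rec["ts"] > s["last_restore_test"]:
            s["last_restore_test"] = rec["ts"]

    for s in sets.values():
        if s["last_backup"] is None:
            s["issues"].append("no successful backup recorded")
        else:
            t = targets.get(s["target"], {})
            if not t.get("isolated"):
                s["issues"].append(f"target {s['target']} is not isolated from primary systems")
            if not t.get("immutable"):
                s["issues"].append(f"target {s['target']} is not immutable")
        if s["last_restore_test"] is None:
            s["issues"].append("no successful restoration test on record")
        elif as_of - s["last_restore_test"] > max_test_age:
            s["issues"].append(
                f"last restoration test {s['last_restore_test'].date()} is older than 12 months")
    return sets


if __name__ == "__main__":
    for name, s in assess_backups(SAMPLE_LOG, SAMPLE_TARGETS, AS_OF).items():
        print(f"{name}: last backup {s['last_backup']}, last restore test {s['last_restore_test']}")
        for issue in s["issues"]:
            print(f"  - {issue}")
```

The output for the constructed sample is exactly the kind of finding an underwriter probes for: a set whose backups run nightly but whose last successful restoration test is well over a year old, and a set whose only copy sits on a NAS inside the primary environment. Replace the regex and the target inventory with your own log format and storage list and the report becomes the evidence attachment for this section.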
Endpoint detection and response (EDR)
What they ask: Do you use endpoint detection and response tools across your environment? Are they actively monitored?
What they want to see: EDR deployed on all managed endpoints — not just servers, but laptops and workstations. Basic antivirus is generally no longer sufficient for cyber insurance purposes. “Actively monitored” means someone is reviewing alerts — either in-house or via a managed security provider.
Renewal prep: Document which EDR tool is deployed, coverage across endpoints, and how alerts are monitored and acted on. If coverage has gaps (unmanaged devices, remote workers using personal machines), note this and the controls in place.
Privileged access management
What they ask: Are admin and privileged account credentials managed separately? Is the principle of least privilege applied?
What they want to see: Admin accounts that are not used for day-to-day activity, separated from regular user credentials, and protected with MFA. Shared admin passwords — common in smaller businesses — are a significant red flag.
Renewal prep: Review how admin accounts are managed. If you are using shared credentials or your admin accounts are the same as daily-use accounts, this is worth addressing before renewal.
Incident response plan
What they ask: Do you have a documented incident response plan? Has it been tested or exercised?
What they want to see: A written plan that identifies who does what in the event of a breach — who to notify, who makes decisions, who engages external support. It does not need to be elaborate. It does need to exist and be findable under pressure.
Renewal prep: If you do not have a documented plan, create one before your renewal date. At minimum, it should cover: how an incident is identified, who is the internal lead, which external resources are pre-engaged (insurer’s breach coach, legal, IT forensics), and what triggers mandatory notification under PIPEDA or provincial law.
Security awareness training
What they ask: Do employees receive security awareness training? How frequently? Do you run phishing simulations?
What they want to see: Documented training completed in the past 12 months by all staff with access to business systems. Phishing simulation results are a bonus — they provide concrete evidence of awareness levels and improvement over time.
Renewal prep: Pull training completion records before renewal. If training has not been run recently, schedule it. Document who completed it and when.
Vendor and third-party access
What they ask: Do third-party vendors have access to your systems or data? How is that access managed and monitored?
What they want to see: A defined process for granting, reviewing, and revoking vendor access. Many significant breaches originate through trusted third-party connections. Insurers want to know you have visibility into who can access your environment and that access is not left open indefinitely.
Renewal prep: Review your active vendor access list. Revoke access that is no longer needed. Document how new vendor access is granted and reviewed.
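A vendor access review is easier to repeat (and to evidence with a dated log) when it runs from a list rather than from memory. The added example below, which is not code from the page or from any access-management product, walks a constructed vendor access list and sorts each entry into keep, review or revoke. The record fields and sample entries are assumptions; the 12-month review interval follows the checklist's other evidence windows, while the 90-day "unused" threshold is an assumed value you would set to your own policy.

```python
# Added example (not from the page or any vendor): review a constructed list of
# third-party accounts and produce a keep/review/revoke worklist with reasons.
# Field names, sample rows and the 90-day unused threshold are assumptions.
from datetime import date, timedelta

SAMPLE_VENDOR_ACCESS = [
    {"vendor": "msp-helpdesk", "account": "msp-svc", "system": "vpn",
     "granted": "2024-01-10", "expires": "2025-12-31", "last_used": "2025-09-28",
     "last_reviewed": "2025-04-01", "owner": "it-manager"},
    {"vendor": "payroll-saas", "account": "payroll-api", "system": "hr-db",
     "granted": "2022-06-01", "expires": None, "last_used": "2025-09-30",
     "last_reviewed": "2024-03-01", "owner": "finance-lead"},
    {"vendor": "old-web-agency", "account": "agency-ftp", "system": "webserver",
     "granted": "2021-02-15", "expires": None, "last_used": "2024-11-02",
     "last_reviewed": None, "owner": ""},
]

AS_OF = date(2025, 10, 1)  # constructed review date


def _parse(value):
    """ISO date string -> date, with None passed through for missing values."""
    return date.fromisoformat(value) if value else None


def review_vendor_access(entries, as_of, unused_after=timedelta(days=90),
                         review_every=timedelta(days=365)):
    """Return one dict per entry: vendor, account, system, action, flags."""
    results = []
    for e in entries:
        expires = _parse(e["expires"])
        last_used = _parse(e["last_used"])
        last_reviewed = _parse(e["last_reviewed"])
        flags = []
        if expires is None:
            flags.append("no expiry date")
        elif expires < as_of:
            flags.append("access expired but still active")
        if last_used is None or as_of - last_used > unused_after:
            flags.append(f"unused for more than {unused_after.days} days")
        if last_reviewed is None or as_of - last_reviewed > review_every:
            flags.append("not reviewed in the last 12 months")
        if not e["owner"]:
            flags.append("no internal owner")

        # Unused or expired access is revoked; anything else flagged goes to the
        # owner for review; clean entries are kept and the review date recorded.
        if any(f.startswith("unused") or f.startswith("access expired") for f in flags):
            action = "revoke"
        elif flags:
            action = "review"
        else:
            action = "keep"
        results.append({"vendor": e["vendor"], "account": e["account"],
                        "system": e["system"], "action": action, "flags": flags})
    return results


def worklist(entries, as_of):
    """Group account names by action so the output reads as a to-do list."""
    grouped = {"revoke": [], "review": [], "keep": []}
    for r in review_vendor_access(entries, as_of):
        grouped[r["action"]].append(f"{r['account']}@{r['system']}")
    return grouped


if __name__ == "__main__":
    for r in review_vendor_access(SAMPLE_VENDOR_ACCESS, AS_OF):
        print(f"{r['action'].upper():6} {r['vendor']} / {r['account']}@{r['system']}")
        for f in r["flags"]:
            print(f"       - {f}")
```

Keep the dated output of each run: the "vendor access review log with last-reviewed date" listed under verified evidence later on this page is exactly this worklist, plus a note of what was actually revoked.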
What has changed since your last renewal?
One of the most important questions to answer before renewal is: what has changed in your environment over the past year? Insurers ask this, and the answer affects your premium and coverage terms.
Changes that are material to your cyber risk profile include:
- Staff growth — more users means more exposure and more endpoints to manage
- New cloud services or SaaS platforms added to your stack
- Remote work policy changes — more remote workers means more endpoints outside your network perimeter
- New types of personal data collected or processed
- Acquisitions or new business lines with different risk profiles
- Security incidents or near-misses that occurred during the policy year
Failing to disclose material changes can affect your coverage. If in doubt, disclose and discuss with your broker.
How to produce verified evidence, not just assertions
The difference between a strong renewal submission and a weak one often comes down to evidence quality. Most businesses answer underwriting questions from memory or assumption. The strongest submissions are backed by documentation.
Verified security evidence can include:
- MFA configuration screenshots or policy exports showing enforcement status
- Backup logs showing frequency, storage location, and most recent restoration test
- EDR dashboard export showing coverage across endpoints
- Training completion records from your awareness platform
- Incident response plan with last-reviewed date
- Vendor access review log with last-reviewed date
This type of documentation does not guarantee a better rate or broader coverage. What it does is reduce the risk of surprises: surprises at claim time, surprises during insurer audits, and surprises when your broker tries to place your renewal in a harder market.
See your security posture before your next renewal
Readiness AI generates a verified security evidence report you can share with your broker or include with your next cyber insurance application or renewal.
Frequently asked questions
How far in advance should I prepare for cyber insurance renewal?
Start at least 60 days before your renewal date. That gives you enough time to identify gaps in your controls, address the most significant ones, gather documentation, and have a substantive conversation with your broker before the underwriter receives your application. Waiting until the week before renewal leaves no time to fix anything — you are simply reporting whatever state your security is in.
What happens if my security controls are weaker than last year?
Disclose accurately. Attempting to conceal a deterioration in your security posture — staff reductions affecting security responsibilities, deprecated tools, lapsed training — creates misrepresentation risk that can result in denied claims. Your broker can help you navigate a weaker renewal position: presenting context, identifying compensating controls, or shopping the market for insurers whose underwriting criteria better match your current profile.
Can I negotiate coverage terms at renewal?
Yes — and the best time to negotiate is before the underwriter makes a decision, not after. If you can present documented evidence of strong controls at renewal, your broker has something concrete to work with in conversations with underwriters. Sub-limits on ransomware, retention amounts, and specific exclusions are all potentially negotiable when backed by credible security evidence.
Do I need a formal security assessment for renewal?
Not necessarily — but the bar for “credible evidence” is rising. Some insurers now request third-party assessments for higher-risk accounts or larger limits. For most small and mid-sized Canadian businesses, a documented internal review with supporting evidence is sufficient. The goal is to be able to substantiate your answers if asked.
What is a cyber insurance sub-limit?
A sub-limit is a cap on coverage for a specific type of loss that is lower than your overall policy limit. Ransomware payments, social engineering fraud, and system failure events are commonly subject to sub-limits. For example, a policy with a $1 million overall limit might have a $250,000 sub-limit on ransomware. Understanding your sub-limits before an incident — not during one — is essential to understanding your actual coverage.
How does my security posture affect my renewal premium?
Security posture is now one of the primary underwriting factors for cyber insurance in Canada. Businesses with demonstrated MFA enforcement, tested backups, and documented incident response plans present a more favourable risk profile than those that cannot confirm baseline controls. The relationship between stronger controls and premium levels is carrier-specific — it is not a guaranteed outcome — but stronger evidence of controls is the single most effective input you can bring to a renewal conversation.