Cyber Insurance Questionnaire 2026 | North Star

How to Pass Your Cyber Insurance Questionnaire in 2026

Cyber insurance questionnaires have changed. Five years ago, they were checkbox exercises that insurers used to document that they'd asked. In 2026, they are underwriting filters: weak answers mean a higher premium, a lower coverage limit, or no quote at all. If your renewal is coming up, here is what underwriters are actually asking and what you need to demonstrate.


Why Questionnaires Got Harder

Cyber claim frequency and severity climbed sharply between 2021 and 2025. Ransomware claims drove loss ratios above 100% at several carriers. The industry response was to tighten underwriting and price risk more accurately. The questionnaire is now the primary tool for that assessment.

Some carriers now require external scans of your attack surface alongside the questionnaire. Others verify questionnaire answers against independent security ratings services. "We have MFA" on a form that contradicts what a scan shows is a material misrepresentation; quite apart from the claims consequences, it is a legal problem.


The Controls Underwriters Consistently Prioritise

Multi-Factor Authentication

The number one question on most questionnaires: do you have MFA on all administrative access and all remote access? The word "all" is doing heavy work here.

If your admins log into the firewall, the backup console, or the cloud management portal with only a username and password, the answer is no. Partial MFA coverage ("most users", or "our M365 but not our RMM") will be scored as incomplete. Fix this before you submit the questionnaire, not as a response to a bad quote.

Tested, Offline or Immutable Backups

"We have backups" is not the answer underwriters want. They want to know:

  • That you have tested restores with documented results
  • That at least one backup copy is immutable or air-gapped (see our 3-2-1-1-0 backup post)
  • That the retention period is long enough to cover the detection window for ransomware (30 days minimum; 90 days preferred)
  • That the backup system uses credentials and access controls separate from the primary environment

Endpoint Detection and Response (EDR)

EDR on every device (laptops, desktops, and servers) is now standard underwriting language. Not antivirus. EDR.

Coverage percentage matters. If EDR is on 95% of endpoints but the bookkeeper's home laptop is exempt, underwriters typically count that as not fully covered. They're asking about coverage, not intent.

Documented Incident Response Plan

Carriers want a written IR plan with named contacts and an identified external IR partner. The plan doesn't need to be long; a one-page response procedure with phone numbers is more useful than a 50-page binder nobody reads. What they're assessing is: when an incident occurs, does this business know what to do in the first hour?

Security Awareness Training and Phishing Simulation

Annual training plus regular phishing simulation testing. "Regular" means quarterly at minimum. The training should be documented: completion rates, dates, and topics covered. Vendors that provide this include KnowBe4, Proofpoint, and Microsoft Defender's Attack Simulation Training (included in some M365 plans).


How to Triage Before Renewal

Four weeks before your renewal date:

  1. MFA audit: list every system that has remote or admin access. Confirm MFA status for each.
  2. Backup verification: run and document a restore test. Confirm immutable retention is in place.
  3. EDR coverage report: pull a report from your EDR platform showing enrolled vs. active endpoints.
  4. IR plan review: confirm your plan is current and the named contacts are still in role.
  5. Training records: pull completion records for the last 12 months.

If any of these reveal gaps, fix them before your questionnaire submission, not after. Some carriers allow mid-term updates to the questionnaire; most do not.
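The triage above can be scored the same way an underwriter scores it. The script below is an added example, not North Star's tooling: it runs the five checks over a constructed inventory (all field names are assumptions) and applies the all-or-nothing rule for MFA and EDR, the 30-day minimum and 90-day preferred retention windows, and the quarterly phishing-simulation floor from this post.

```python
# Pre-renewal readiness check over a CONSTRUCTED inventory: an added example, not North
# Star's tooling; field names are assumptions. One uncovered system fails the whole control.
SAMPLE = {
    "access_paths": [  # every system with remote or administrative access
        {"name": "M365 admin portal", "mfa": True},
        {"name": "firewall admin UI", "mfa": False},
        {"name": "RMM console", "mfa": False},
    ],
    "endpoints": [  # every laptop, desktop and server, no exemptions
        {"name": "srv-01", "edr_active": True},
        {"name": "bookkeeper-home-laptop", "edr_active": False},
    ],
    "backup": {"restore_tested": True, "immutable_copy": True,
               "retention_days": 45, "separate_credentials": False},
    "ir_contacts_verified": True,       # named contacts confirmed still in role
    "phishing_sims_last_12_months": 2,  # "regular" means quarterly at minimum
}

def uncovered(items, flag):
    """Names of entries lacking a control; one entry here means the answer is 'no'."""
    return [i["name"] for i in items if not i[flag]]

def backup_findings(inv):
    """Findings against the tested / immutable / retention / credentials bar."""
    b = inv["backup"]
    checks = [
        (not b["restore_tested"], "no documented restore test"),
        (not b["immutable_copy"], "no immutable or air-gapped copy"),
        (b["retention_days"] < 30, "retention below the 30-day minimum"),
        (30 <= b["retention_days"] < 90, "retention below the 90-day preferred window"),
        (not b["separate_credentials"], "backup credentials shared with primary environment"),
    ]
    return [msg for bad, msg in checks if bad]

def readiness(inv):
    """Map each control to (passes, findings); a 'preferred' shortfall is noted but does not fail."""
    mfa = uncovered(inv["access_paths"], "mfa")
    edr = uncovered(inv["endpoints"], "edr_active")
    bk = backup_findings(inv)
    return {
        "mfa": (not mfa, mfa),
        "edr": (not edr, edr),
        "backups": (not [x for x in bk if "preferred" not in x], bk),
        "ir_plan": (inv["ir_contacts_verified"], []),
        "training": (inv["phishing_sims_last_12_months"] >= 4, []),
    }

def gaps(inv):
    """Controls to remediate before submission, in questionnaire order."""
    return [c for c, (ok, _) in readiness(inv).items() if not ok]
```

Running `gaps(SAMPLE)` flags mfa, edr, backups and training: two admin paths without MFA and one exempt laptop each fail their control outright, and the shared backup credentials fail backups even though retention only misses the preferred window.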

Frequently Asked Questions

Can an MSP fill out the questionnaire on our behalf? Your MSP can help you accurately answer questions about your IT environment; that's appropriate. The questionnaire should reflect your actual controls, verified by someone who has checked. Guessing or copying answers from a previous year without verifying is a claims risk.

What happens if we answer honestly and the answer is "no" on some controls? You may get a higher premium or a policy with exclusions for controls you don't have. That's better than a claim denial for material misrepresentation. Use the gap as a prioritised remediation roadmap.

Talk to a Prince George-based IT team about cyber insurance readiness: call 672-983-1174 or book a free assessment at northstarit.ca.


Frequently asked questions

Why is the cyber insurance questionnaire getting harder to pass?

Rising ransomware attacks globally have forced insurance providers to change their behaviour. Insurers now require objective proof of proactive defence mechanisms like MFA, dark web monitoring, and immutable backups to lower their risk exposure for businesses in regions like Alberta, BC, and the Yukon. Without these, your firm is considered a high liability.

Do I need EDR to pass a cyber insurance audit in 2026?

Yes, most modern insurers now mandate Endpoint Detection and Response (EDR) as a baseline requirement. EDR provides real-time monitoring and automated response capabilities that traditional antivirus software lacks. Demonstrating that you have active EDR on all workstations and servers makes your business a significantly lower risk for underwriters.

What role does MFA play in insurance eligibility?

Multi-Factor Authentication is currently non-negotiable for most 2026 policies. You must prove it is active on all remote access points, administrative accounts, and cloud email logins to qualify for competitive premiums. If MFA is not enforced across your entire organization, you risk immediate denial of your insurance application.

Can North Star help me fill out my insurance form?

We provide comprehensive technical assessments that align directly with questionnaire requirements. Our team helps you implement and document the necessary security controls, such as security awareness training and networking infrastructure upgrades, to ensure your answers are accurate and verifiable during an audit by the insurance provider.

Are small businesses in BC and Alberta targets for cyber attacks?

Absolutely. Firms in smaller centres like Smithers, Terrace, or Williams Lake are often targeted because attackers assume they lack robust defences. Insurers recognize this trend and apply the same rigorous standards to small businesses as they do to mid-market firms, requiring a high level of cybersecurity maturity regardless of location.