Cyber insurance underwriters have hardened their requirements significantly since 2021. Getting coverage, or renewing at a reasonable premium, now requires demonstrating a set of specific technical controls. Businesses that cannot document these controls face higher premiums, reduced limits, or outright declines.
Most policies cover:
Exclusions are common for: acts of war, nation-state attacks (contested in courts), intentional acts by insiders, and, increasingly, ransom payments themselves.
These are the standard requirements on virtually every underwriter questionnaire:
If you cannot answer "yes" to the hard requirements, most underwriters will decline or restrict your coverage.
Most carriers have significantly reduced or excluded ransom payment coverage. This shift is partly regulatory (paying some ransomware groups may violate Canadian sanctions) and partly economic (ransom payments were growing faster than carriers could absorb).
Most policies still cover the broader costs of a ransomware event: incident response, forensics, legal, notifications, and business interruption during recovery. Read your policy carefully on this point and confirm the current position with your broker annually; this area is changing quickly.
For a typical Canadian SMB with solid controls in place:
Premiums vary significantly by industry (healthcare, legal, and finance pay more), controls maturity, prior claims history, and the specific underwriter.
The questionnaire is not just a purchasing formality; it is a binding representation. Misrepresenting your controls can void your coverage at the worst possible time.
North Star conducts a pre-application controls review to identify gaps, remediate them, and document your posture accurately before you submit.
What is the single most important control for cyber insurance?
MFA. It is the gating requirement on nearly every questionnaire. No MFA on email and remote access means no coverage from most underwriters.
Does my business need cyber insurance?
Any business that stores client data, processes payments, or would face financial hardship from a ransomware recovery should carry cyber insurance. Most Canadian SMBs with more than 10 employees are underinsured.
Can I get cyber insurance without EDR?
Not from most reputable underwriters in 2026. EDR on all endpoints is a hard requirement, not a "nice to have."
How often should I review my cyber policy?
Annually at minimum, before renewal. Also review when you make significant changes to your environment (new cloud systems, new locations, new remote work policies).
Can North Star IT help me meet the controls?
Yes. North Star deploys MFA, EDR, immutable backup, security awareness training, and incident response documentation that satisfies the standard cyber insurance questionnaire.
Not sure if your controls would pass underwriting today? Call 672-983-1174 or book a free cyber controls review at northstarit.ca.
Quick answers.
What does cyber insurance cover?
Most policies cover incident response, forensics, legal, regulatory notification, business interruption, ransomware, and third-party liability. Coverage limits and exclusions vary widely.
What controls does cyber insurance require?
Underwriters now require MFA on email and remote access, EDR on every endpoint, immutable backups, security awareness training, and a documented incident response plan.
Will cyber insurance cover ransom payments?
Most carriers have reduced or excluded ransom payment coverage. Most still cover the broader incident response and business interruption costs of a ransomware event.
How much does cyber insurance cost?
For a typical Canadian SMB, premiums run between 2,000 and 10,000 dollars per year for one to two million dollars in coverage. Premiums depend on controls in place, industry, and prior claims.
Can Northstar IT help me meet the controls?
Yes. North Star deploys MFA, EDR, immutable backup, training, and incident response programs that satisfy the standard cyber insurance questionnaire.