Home Free Tools Cyber Insurance Readiness Scorecard
Free Tool · North Star

Cyber Insurance Readiness Scorecard

Ten questions, the same ones Canadian cyber insurers ask on renewal questionnaires. Answer honestly and you will know in two minutes whether your controls would pass underwriting, and exactly what to fix first.

Cyber insurance stopped being a form-filling exercise years ago. Canadian insurers now ask specific, verifiable questions about MFA, endpoint detection, backups, and training, and a wrong answer can mean a declined application, a stripped-down policy, or a denied claim after an incident. This scorecard covers the controls that appear on virtually every 2026 questionnaire, based on our guide to cyber insurance requirements.

How to answer: pick Yes only if the control is true across your whole environment, every user, every device. Pick Partially if it covers some but not all. If you are not sure, that usually means Partially or No, because an underwriter will ask for evidence.

Private by design. This runs in your browser. Nothing is sent or stored.

Question 1 of 10

Is MFA enforced on every email account?

Every mailbox in Microsoft 365 or Google Workspace, including shared mailboxes and executives. Enforced by policy, not left to each user to opt in.

Question 2 of 10

Is MFA enforced on all remote access and all admin accounts?

VPN, remote desktop, and every account with administrative privileges, including your IT provider's accounts. Insurers treat unprotected admin accounts as an automatic red flag.

Question 3 of 10

Is EDR deployed on every workstation and server?

Endpoint detection and response, not just traditional antivirus. Every laptop, desktop, and server, including that one machine in the shop nobody wants to touch.

Question 4 of 10

Do you keep an offline or immutable backup copy?

At least one backup copy that ransomware with admin credentials cannot encrypt or delete: immutable cloud storage, or media that is genuinely disconnected.

Question 5 of 10

Have you test-restored a backup in the last 6 months?

An actual restore of real data or a full system, with the result documented. A green checkmark in the backup software does not count as a test.

Question 6 of 10

Are security patches applied on a monthly or faster cadence?

Operating systems and major applications patched on a defined schedule, with critical vulnerabilities handled faster. "When someone remembers" is a No.

Question 7 of 10

Do all staff get security awareness training and phishing simulations?

Ongoing training plus simulated phishing emails, with completion tracked. A single lunch-and-learn two years ago does not qualify.

Question 8 of 10

Do you have a written incident response plan?

A documented plan that names who does what during an incident, with contact details, and that has been reviewed or walked through in the last year.

Question 9 of 10

Do you have centralised logging or 24/7 MDR monitoring?

Security logs collected in one place and reviewed, or a managed detection and response service watching your environment around the clock.

Question 10 of 10

Is your environment free of end-of-life software?

No operating systems or major applications past their support date in production: no Windows Server 2012, no Windows 10 without extended updates, no unsupported firewalls.

Your score
0 / 100
0 of 10 answered

Fix first: your No and Partially answers

    Before you fill in the real questionnaire: answering "yes" to a question that is not actually true across your environment is misrepresentation, and it is one of the most common reasons cyber claims get denied or policies get rescinded. If a control is partial, say so, or fix it first. Our guide to cyber insurance requirements explains what evidence underwriters expect for each answer.

    Closing the gaps

    How North Star closes each gap.

    Every control on this scorecard is a standard part of how we run client environments. Nothing here requires an enterprise budget; for a 5 to 200 user organisation, most gaps close in weeks.

    Questions 1 to 3

    MFA and EDR

    We enforce MFA through Entra ID conditional access, so it applies to everyone by policy, and deploy EDR to every endpoint through Intune with coverage reports to prove it. Both are included in our managed cybersecurity service.

    Questions 4 to 6

    Backups and patching

    Image-based backup with an immutable copy and verified restores on a schedule, plus automated monthly patching with an exception report for anything that slips. You get the restore logs and patch reports an underwriter will ask for.

    Questions 7 to 10

    Training, IR, and the paperwork

    Phishing simulation and tracked awareness training, a written incident response plan built for your organisation, MDR monitoring, and a plan to retire end-of-life systems. We also sit with you to complete the questionnaire itself, see our cyber insurance questionnaire support.

    FAQ

    Quick answers.

    Is this scorecard the same as a real cyber insurance questionnaire?

    No. It is a plain-language readiness check built around the controls that appear on most Canadian cyber insurance questionnaires in 2026. Real questionnaires are longer, more detailed, and legally binding. Use this scorecard to find your gaps before the real one lands on your desk.

    Does the scorecard send my answers anywhere?

    No. The scorecard runs entirely in your browser. Nothing is sent to a server, nothing is stored, and there is no account or email gate. Refresh the page and your answers are gone.

    What score do I need to get cyber insurance?

    There is no official pass mark, every insurer weighs controls differently. In practice, 80 or above means you would likely satisfy most Canadian underwriters. Between 50 and 75, expect higher premiums, sub-limits, or exclusions until the gaps close. Below 50, some insurers will decline outright.

    Can North Star fix the gaps the scorecard finds?

    Yes. MFA rollout, EDR deployment, immutable backups with verified restores, phishing simulation, patching, and incident response planning are all standard parts of North Star's managed cybersecurity service. We also help clients complete the actual questionnaire with evidence attached.

    Scored lower than you expected?

    Book a free 30-minute assessment with a North Star engineer. We will verify your answers against your actual environment, tell you which gaps matter most for your renewal, and give you a straight quote to close them.

    Get a Free Assessment Read the full guide