For Canadian SMBs

Cyber insurance, decoded.

What coverage actually means, what Canadian brokers and carriers require, and how to qualify — even if you've been declined before.

Step 1

Verify your broker is licensed in your province

Cyber insurance in Canada is sold by licensed insurance brokers. Always verify before signing anything.

Ontario

FSRA — Financial Services Regulatory Authority of Ontario

fsrao.ca · 1-800-668-0128

Québec

AMF — Autorité des marchés financiers

lautorite.qc.ca · 1-877-525-0337

British Columbia

BCFSA — BC Financial Services Authority

bcfsa.ca · 1-866-206-3030

Alberta, Saskatchewan, Manitoba, Atlantic Canada

IBC — Insurance Bureau of Canada

ibc.ca can direct you to the right provincial regulator.

Step 2

Understand the coverage types

Cyber policies are not standardized. Read the actual policy form, not the marketing brochure.

First-Party Losses

Costs YOU incur directly: forensic investigation, data restoration, business interruption, ransom payment (where legal).

Third-Party Liability

Costs from claims by others: customer lawsuits, regulatory fines (where insurable), privacy breach claims.

Incident Response Costs

IR firm, legal counsel, breach notification, credit monitoring for affected individuals, public relations.

Business Interruption

Lost revenue and continuing expenses (payroll, rent) while systems are down or operations are halted.

Cyber Extortion / Ransomware

Ransom payment, negotiation, and recovery costs. Often with sub-limits (e.g., $1M of a $5M aggregate).

Reputation Harm

PR firm and communications costs to manage brand damage. Less commonly included — check your policy.

Step 3

What carriers want to see (the technical controls)

If you cannot answer "yes" to most of these, expect higher premiums, lower limits, or a decline. The good news: we deploy all of these as managed services.

  1. Multi-factor authentication (MFA) on all email, VPN, and admin accounts
  2. Endpoint Detection & Response (EDR) on all endpoints (not just legacy antivirus)
  3. Verified, immutable, offsite backups with documented Recovery Time and Point Objectives
  4. Email security with DMARC, DKIM, and SPF enforcement + phishing-resistant filtering
  5. Patch management SLA (e.g., critical patches within 14 days)
  6. Security awareness training with annual phishing simulation
  7. Documented incident response plan with annual tabletop exercise
  8. Privileged Access Management (PAM) or at minimum, named admin accounts (no shared)
  9. Network segmentation between corporate, guest, and OT/POS networks
  10. Annual vulnerability scan + penetration test for internet-facing systems

Step 4

The 15 questions every carrier will ask

Be ready with the answers. The more prepared you are, the better your quote will be.

  1. Do you use MFA on all email, VPN, and admin accounts?
  2. What EDR product is deployed on all endpoints? Is it centrally managed?
  3. How frequently are backups performed? When were they last tested for restore?
  4. Are backups immutable or air-gapped (so ransomware cannot reach them)?
  5. Do you have a written Incident Response plan? When was it last tested?
  6. How many employees completed security awareness training in the last 12 months?
  7. What is your patch management SLA for critical vulnerabilities?
  8. Do you have email security (DMARC enforced)? What is your click-rate on phishing simulations?
  9. Do you store or process personal information covered by PIPEDA? Provincial privacy laws?
  10. What is your annual revenue and the largest concentration of customer PII you hold?
  11. Have you experienced a cyber incident or claim in the last 5 years?
  12. Do you use any AI tools (ChatGPT, Copilot, Claude) that may process customer data?
  13. Do you have a third-party risk management process for vendors with access to your data?
  14. Are all internet-facing assets inventoried and scanned for vulnerabilities?
  15. Do you have cyber liability coverage currently, or are you seeking it for the first time?

How we help

Been declined? Premium too high? Limits too low?

Most SMBs we work with came to us after a broker told them they didn't qualify, or quoted them a premium that made the coverage not worth it. We deploy the controls carriers require, document them properly, and act as your technical contact during underwriting.

Typical result: 5–15% premium discount, higher policy limits, and faster underwriting turnaround. Many insurers now require an active MSP or MSSP relationship for cyber coverage — we satisfy that requirement.

Readiness review — what you get

  • Gap assessment against insurer questionnaire
  • Implementation plan for missing controls
  • Documentation package for your broker
  • Letter of attestation for the carrier
  • Premium impact estimate (5–15% typical)

Ready to get cyber-insurable?

Free 30-minute readiness review. We'll tell you exactly what to fix, in what order, and what to expect in premiums.
