// COMPLIANCE By Amanjot Singh October 4, 2025 9 min read

Cyber-insurance renewal in 2025.

Premiums are flat or down for the first time since 2019 — but only for businesses meeting the new technical bar. Here is what the underwriters are actually asking, and what to do if your answers are "no."

Cyber-insurance underwriting changed in 2023. Premiums have stabilised; coverage has tightened; the technical questionnaire has become the actual policy. Here is what 2025 renewals are asking.

The landscape

Per the CIRA 2024 Cybersecurity Survey, 82% of Canadian organisations now have cyber insurance — up 23 percentage points from 2021. Adoption is mainstream. So is rejection: insurers will quote a policy at almost any price, but the premium is now a function of the technical questionnaire answers.

The questionnaire

Below is a synthesis of common 2025 questions across Canadian carriers. Specifics vary by underwriter — your broker has the exact form.

Identity and access

  • MFA on email — required.
  • MFA on remote access (VPN, RDP, SSH) — required.
  • MFA on privileged/admin accounts — required, often phishing-resistant (Authenticator app or hardware key, not SMS).
  • MFA on backup-system access — increasingly required.
  • Conditional Access or equivalent — common, not yet universal.
  • Privileged Access Management for admin accounts — common at larger SMBs.

Endpoint security

  • EDR on every endpoint — required. Brand sometimes specified.
  • 24/7 SOC monitoring (MDR or in-house SOC) — increasingly required, materially affects premium.
  • Centralised patching with documented cadence — required.
  • Removed admin rights from end users — required.

Email and web

  • Advanced email filtering (beyond default Exchange) — required.
  • DMARC at minimum p=quarantine, ideally p=reject — increasingly required.
  • DNS filtering — common, not yet universal.
  • Documented security-awareness training program — required.
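An added example, not part of the original post: a small checker that grades a DMARC TXT record against the bar in the list above (p=quarantine at minimum, p=reject ideally) and flags the ways a headline "p=reject" can still be weaker than the questionnaire assumes. The sample records are constructed for illustration; in practice you would feed it the TXT record published at `_dmarc.<your-domain>`.

```python
# Added example: grade a DMARC TXT record against the questionnaire bar above.
# Sample records are constructed; they are not any real domain's records.
SAMPLE_RECORDS = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "quarantine-partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.invalid",
    "reject-lax-subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.invalid",
    "reject-full": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; adkim=s; aspf=s",
    "spf-only": "v=spf1 include:_spf.example.invalid -all",
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; return {} if this is not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_dmarc(record: str) -> dict:
    """Return whether the record meets p=quarantine (minimum) and p=reject (ideal),
    plus findings for the ways a headline 'p=reject' can be weaker than it looks."""
    tags = parse_dmarc(record)
    if not tags:
        return {"meets_minimum": False, "ideal": False, "findings": ["no DMARC1 record published"]}
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()                    # subdomain policy inherits p when absent
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0    # malformed pct treated as not enforcing
    findings = []
    if POLICY_RANK.get(p, 0) < 1:
        findings.append(f"p={p} is below the p=quarantine minimum")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if POLICY_RANK.get(sp, 0) < POLICY_RANK.get(p, 0):
        findings.append(f"sp={sp} leaves subdomains weaker than the organisational domain")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to see what the policy hits")
    meets_minimum = min(POLICY_RANK.get(p, 0), POLICY_RANK.get(sp, 0)) >= 1 and pct == 100
    ideal = meets_minimum and p == "reject" and sp == "reject"
    return {"meets_minimum": meets_minimum, "ideal": ideal, "findings": findings}


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, assess_dmarc(record))
```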

Backup and resilience

  • Documented 3-2-1-1 backup — required.
  • Immutable backup copy — required for ransomware coverage.
  • Backups tested with documented restore drill — required.
  • Documented RTO and RPO — common.

Governance

  • Written information-security policy — required.
  • Documented incident-response plan — required.
  • Tabletop exercise within last 12 months — increasingly required.
  • Vendor risk-management process — common.

If your answers are "no"

Two paths.

Path A: declare and accept. Honestly answer "no," accept the higher premium or the exclusion. Better than a misrepresentation that voids coverage at claim time.

Path B: remediate. Most of the missing controls are 30–90 day projects: MFA rollout, EDR deployment, MDR engagement, backup architecture review, IR-plan workshop and tabletop. Done in the right sequence, they let you answer "yes" by renewal time.

What does not work: answering "yes" without the underlying control. Insurers test claims against the questionnaire. A material misrepresentation — even if the breach was unrelated — can void the policy.

What 4UIT covers

Our managed plans for SMB customers cover the technical controls above by default — MFA enforcement, Sophos Intercept X EDR, optional Sophos MDR, immutable backup with restore drills, monthly patching, email gateway. We also help draft the IR plan and run a tabletop exercise once a year, generating the date-stamped artefact your insurer asks for.

Talk to us about a pre-renewal review.

Sources: CIRA 2024 Cybersecurity Survey.

// Frequently asked questions

How many Canadian SMBs have cyber insurance?

Per the CIRA 2024 Cybersecurity Survey, 82% of Canadian organisations now have cyber insurance — up 23 percentage points from 2021. Adoption has roughly tripled in the segment over five years.

What is the most common reason for renewal denial?

Failure to meet the technical baseline — typically: no MFA on remote access, no EDR, no offline/immutable backup, no documented IR plan. Insurers will write the policy, but the premium becomes prohibitive or the coverage is excluded for the specific gap.

Is MFA required for cyber insurance in Canada?

Effectively yes. Every major Canadian cyber insurer now requires MFA on email, remote access (VPN), and privileged accounts as a condition of underwriting. Some require phishing-resistant MFA for admins.

What does the IR plan need to include?

At minimum: named decision authority, communication tree, breach-notification timeline, vendor contact list (insurance, legal, IR firm, law enforcement), pre-drafted holding statements, recovery prioritisation. Most insurers want to see a date-stamped tabletop exercise within the past 12 months.

Will MDR reduce my cyber-insurance premium?

Frequently yes. 24/7 SOC coverage is increasingly an underwriting question. Talk to your broker before renewal — the premium impact can be material.
