Cyber insurance used to be a quick checkbox: fill in a short form, pay the premium, done. In 2026 it is a different product. Canadian insurers now underwrite your actual security, and for a small business that changes both what you pay and whether a claim will be paid at all.
If your renewal is coming up, it is worth knowing what carriers now expect, because the bar has moved and the paperwork is no longer just paperwork.
The new bar to get covered
Insurers have watched ransomware payouts climb, and they have responded by demanding real controls before they will write a policy. For a small Canadian business, a 2026 application now typically expects:
- MFA on everything, not just email: Microsoft 365 or Google Workspace, VPNs and remote access, administrator accounts, and any cloud app exposed to the internet. Several carriers no longer accept basic text-message or app-code MFA on the most sensitive accounts.
- Endpoint detection and response (EDR) on every device, a step beyond traditional antivirus.
- Tested backups, kept offline or immutable so ransomware cannot encrypt them along with everything else.
- Timely patching, with critical fixes applied within roughly 14 to 30 days.
The application itself has grown from a single page to somewhere between 8 and 25 pages. Plan on two to four weeks to complete one properly, or less if you have an IT provider who can answer the technical questions for you.
The part that catches businesses out: denied claims
Here is the trap. The application is a legal attestation. If you tick "yes, we have MFA everywhere" to get the policy, and a breach investigation later finds one admin account without it, the insurer can deny or reduce the claim. A growing share of claims are now being declined or partially paid for exactly this reason: a gap between what the business said it had and what the forensic review actually found. A policy you cannot collect on is worse than no policy, because you paid for comfort that was not real.
What it means for your premium
Pricing has shifted from "what industry are you in" to "how good are your controls." Two similar businesses can now pay very different premiums based on security posture alone. The upside is real: a business that can demonstrate MFA, EDR, tested backups, and staff training tends to earn materially better rates, so the work you do to qualify often pays for itself.