The renewal letter you didn’t expect
Last quarter, a 90-person financial advisory firm in Ontario received a non-renewal notice from their cyber insurer. They’d had the same policy for four years. No claims, no incidents. The premium had crept up, but it always renewed.
This time it didn’t.
The insurer’s questionnaire had changed. It now required documented evidence of MFA coverage across all users, EDR on every endpoint, immutable backups with a tested restore, and a written incident response plan — with the date of the last tabletop exercise.
The firm had most of these controls in place. But they had no documentation, no centralized evidence, and no way to prove it in the two-week window the broker gave them.
Why this keeps happening
Cyber insurers have quietly become compliance regulators. They’ve hired security teams, built scoring models, and started denying claims — and renewals — on the basis of control gaps that weren’t on their questionnaire two years ago.
The problem isn’t that SMBs lack security. It’s that they lack evidence.
MFA is turned on. But is it phishing-resistant? Is it on every account, including service accounts? Can you prove it?
EDR is deployed. But what percentage of endpoints? How old is the signature? Is the SOC watching the alerts, or just collecting them?
The insurer doesn’t know. And if you can’t prove it, they assume the worst.
The 28 controls that actually matter
In our experience running TruCompliance engagements across 180+ Canadian SMBs, insurers are scoring against a consistent set of controls — regardless of which insurer or which questionnaire format they use.
Here they are, roughly in priority order:
Identity controls (highest weight)
- Phishing-resistant MFA on all accounts — FIDO2/passkey or hardware token. TOTP apps score lower.
- MFA on privileged and service accounts — often missing, always scored.
- Conditional access policies — device compliance required for M365 and internal apps.
- Privileged access review — quarterly. Documented.
- Offboarding process — how fast are departed employees’ accounts disabled? Must be under 24h.
Endpoint controls
- EDR on 100% of managed endpoints — Windows, Mac, and mobile. Coverage percentage is scored.
- EDR telemetry going to an active SOC — just having the agent isn’t enough.
- Automated patching — OS and third-party. Policy documented, cadence enforced.
- Disk encryption — BitLocker or FileVault, escrow keys to a managed system.
- Mobile device management — MDM policy applied to all devices touching corporate data.
Backup and recovery
- Immutable backups — air-gapped or object-locked. Ransomware can’t reach them.
- Backup scope — all critical systems including M365. Many SMBs miss email and SharePoint.
- Tested restore — date of last successful restore, documented. Annual minimum.
- RPO/RTO commitments — written and tested.
Network and perimeter
- Next-gen firewall with IDS/IPS — managed and monitored.
- Network segmentation — especially between workstations and servers/backups.
- Remote access via ZTNA or VPN with MFA — basic VPN without MFA is a red flag.
- Web filtering / DNS security — blocks malicious sites before the endpoint sees them.
Monitoring and response
- SIEM or centralized log management — 90-day retention minimum.
- 24/7 SOC or MDR — human eyes on alerts, not just a dashboard.
- Incident response plan — written, approved by leadership.
- IR tabletop exercise — date documented. Annual minimum.
- Mean time to detect (MTTD) — some carriers ask for this explicitly.
Governance
- Acceptable use policy — signed by all employees.
- Security awareness training — annual minimum, phishing simulations preferred.
- Vendor/third-party risk process — how do you onboard a new SaaS tool?
- Change management policy — especially for infrastructure changes.
- Board-level security reporting — quarterly. Written evidence of board awareness.
The order to roll them out
If you’re starting from scratch or trying to close gaps before a renewal, this is the order we use:
Month 1: Identity hardening. This is where the biggest gaps are and where insurers focus first. Deploy phishing-resistant MFA, enforce conditional access, audit privileged accounts, and run an access review. In Microsoft 365, this is 2-3 weeks of work.
Month 2: Endpoint and backup. Verify EDR coverage, enroll all devices in MDM, confirm backup scope and run a tested restore. Document everything.
Month 3: Network and monitoring. Enable SIEM ingestion, connect to a SOC, review firewall rules, enable DNS filtering.
Month 4: Governance. Finalize the IR plan, run a tabletop, confirm awareness training completion, get board sign-off on the risk register.
Month 5-6: Evidence package. Export your control evidence, write the attestation narrative, engage your broker early.
What “evidence” actually means
The insurer doesn’t want a conversation. They want a document with a date on it.
For each control, you need: what you have, who owns it, when it was last tested or verified, and proof in the form of a screenshot, a report, or a configuration export.
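To make "a document with a date on it" concrete, here is an added example (not TruPoint's platform or code) of a small Python evidence register: each control record carries what you have, who owns it, when it was last verified and the proof artifact, and the check flags missing owners or artifacts, evidence older than the cadence in the list above, and metrics that miss the insurer's threshold. The records are constructed sample data for a hypothetical firm.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Evidence:
    control: str
    owner: str
    last_verified: date | None      # date of the last test or verification
    artifact: str | None            # screenshot, report or config export on file
    max_age_days: int               # allowed evidence age (90 = quarterly, 365 = annual)
    measured: float | None = None   # measured value: coverage %, hours, retention days
    threshold: float | None = None  # value the questionnaire scores against
    lower_is_better: bool = False   # True for things like offboarding hours

def assess(register, today):
    """Return (control, finding) pairs for every gap a questionnaire would expose."""
    findings = []
    for e in register:
        if not e.owner:
            findings.append((e.control, "no named owner"))
        if e.artifact is None:
            findings.append((e.control, "no proof artifact"))
        if e.last_verified is None:
            findings.append((e.control, "never verified"))
        else:
            age = (today - e.last_verified).days
            if age > e.max_age_days:
                findings.append((e.control, f"stale: {age}d old, limit {e.max_age_days}d"))
        if e.measured is not None and e.threshold is not None:
            ok = e.measured <= e.threshold if e.lower_is_better else e.measured >= e.threshold
            if not ok:
                findings.append((e.control, f"measured {e.measured}, target {e.threshold}"))
    return findings

# Constructed sample register for a hypothetical firm; cadences follow the control list above.
SAMPLE_REGISTER = [
    Evidence("Phishing-resistant MFA", "IT lead", date(2025, 5, 2), "entra-auth-methods.csv", 90, 100, 100),
    Evidence("Privileged access review", "IT lead", date(2024, 12, 1), "priv-review-q4.pdf", 90),
    Evidence("Offboarding under 24h", "HR", date(2025, 4, 15), "offboarding-log.xlsx", 90, 36, 24, True),
    Evidence("EDR on 100% of endpoints", "MSP", date(2025, 5, 10), "eset-coverage.png", 90, 96, 100),
    Evidence("Tested restore", "MSP", date(2024, 3, 20), "restore-test.pdf", 365),
    Evidence("SIEM 90-day retention", "", date(2025, 5, 1), None, 90, 30, 90),
    Evidence("IR tabletop exercise", "vCISO", date(2025, 2, 11), "tabletop-2025.pdf", 365),
]

def sample_report(today=date(2025, 6, 1)):
    return assess(SAMPLE_REGISTER, today)

if __name__ == "__main__":
    for control, finding in sample_report():
        print(f"[GAP] {control}: {finding}")
```

Run against a real export, the gap list is the work queue for the Month 1 to Month 4 rollout; run it again before the renewal and the empty list is the evidence package.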
This is what our ISMS platform does automatically. It connects to Entra, Intune, ESET, NinjaOne, and Cloudflare — and maintains a continuously updated evidence library for each control. When the questionnaire lands, you export and submit.
The bottom line
Cyber insurance renewals are now compliance audits in disguise. The firms that pass aren’t necessarily the most secure — they’re the ones who can prove they’re secure.
If your renewal is coming up in the next six months, now is the time to do an honest gap assessment. Not next month. Not after the renewal lands.
We do these gap assessments as part of every TruCompliance engagement, and we’ve started offering them as a standalone service for firms that aren’t ready for a full engagement yet.
Priya Sharma is the Virtual CISO at TruPoint Technology and runs TruCompliance engagements for financial, professional services, and technology firms across Canada.