
Cyber Insurance Documentation: What Insurers Ask For

Brian Clayton

Cyber insurance underwriting tightened dramatically after the 2020-2022 ransomware surge. Insurers learned that policyholders without specific controls were unprofitable to insure, and they responded by requiring documented evidence of those controls before issuing or renewing policies. If you have not been through a Canadian cyber insurance underwriting cycle in the last 18 months, the documentation expectations have probably moved beyond what you remember.

Why Documentation Matters

Insurers price risk based on what they can verify, not what you tell them. A policy application that says "we have MFA" without evidence is worth less to an underwriter than one with screenshots showing MFA configured for all users, conditional access policies in place, and reports demonstrating actual enforcement.

The harder consequence: if a claim happens and the documentation does not match the control state at the time of the incident, insurers can deny the claim. Several high-profile denials in 2023-2025 turned on this point. The application asked "Do you have MFA on all email accounts," the insured ticked yes, and post-incident forensics found a shared mailbox or service account without MFA that was the entry point. Coverage denied.

The Application Questionnaire

The typical 2026 cyber insurance application is between fifty and two hundred questions. The most common Canadian insurers (Beazley, Chubb, AIG, AXA, Coalition, At-Bay, and the major Canadian brokers' in-house programs) ask about the following categories:

  • Multi-factor authentication coverage and enforcement
  • Endpoint Detection and Response deployment
  • Email security configuration (DMARC, anti-phishing, link rewriting)
  • Backup strategy including immutability and testing cadence
  • Privileged access management for administrative accounts
  • Security awareness training cadence and phishing simulation results
  • Incident response plan and last tabletop exercise date
  • Vendor management and third-party risk practices
  • Patch management cadence and exception process
  • Network segmentation and remote access controls
  • Data inventory and classification
  • Insider threat controls

For a primer on what cyber insurance covers and whether you need it, see does your business need cyber insurance.

Evidence Categories Insurers Ask For

Beyond the questionnaire, underwriters increasingly request supporting documentation. The categories that matter:

Configuration screenshots. Microsoft 365 Secure Score, MFA enforcement reports, conditional access policy listings, anti-phishing policy configuration, Defender for Endpoint deployment status. Underwriters look for evidence that controls cover all users and devices, not just a sample.
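The MFA question, and the denial scenario earlier in this post where an unprotected shared mailbox or service account was the entry point, is answered by coverage data across every account, not a screenshot of one user's settings. The following PowerShell script is an added example and is not part of the original article or any ClayGen tooling. It pulls that coverage data from a Microsoft 365 tenant: the per-user registration report, sign-in-enabled accounts with no MFA method registered, shared mailboxes whose Entra account is still enabled for sign-in, and the Conditional Access policies that actually enforce MFA together with their exclusions. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the signed-in account has the read scopes listed; the output file names are arbitrary.

```powershell
# Added example, not from the article: enumerate MFA coverage gaps in a
# Microsoft 365 tenant and write dated CSVs for the insurance evidence package.
# Assumes: Install-Module Microsoft.Graph, ExchangeOnlineManagement
# and an account holding the read scopes below. File names are arbitrary.

$scopes = @('User.Read.All', 'Policy.Read.All',
            'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$stamp = Get-Date -Format 'yyyy-MM-dd'

# 1. Per-user registration state, the same data behind the Entra
#    "Authentication methods > User registration details" report.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# 2. Sign-in-enabled accounts. -Property is required here because
#    AccountEnabled is not returned by Get-MgUser by default.
$enabledUpn = @{}
Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType |
    Where-Object { $_.AccountEnabled } |
    ForEach-Object { $enabledUpn[$_.UserPrincipalName] = $_.UserType }

# 3. Enabled accounts with no MFA method registered. Service accounts and
#    shared mailboxes that were given a password land in this list.
$gaps = $registration |
    Where-Object { -not $_.IsMfaRegistered -and
                   $enabledUpn.ContainsKey($_.UserPrincipalName) } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable,
        @{ n = 'UserType'; e = { $enabledUpn[$_.UserPrincipalName] } },
        @{ n = 'Methods';  e = { $_.MethodsRegistered -join ';' } }
$gaps | Export-Csv "mfa-gaps-$stamp.csv" -NoTypeInformation

# 4. Shared mailboxes whose Entra account is still enabled for sign-in.
#    A shared mailbox needs no interactive sign-in; an enabled one with a
#    password and no MFA is the denial scenario described in the text.
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Where-Object { $enabledUpn.ContainsKey($_.UserPrincipalName) } |
    Select-Object DisplayName, UserPrincipalName |
    Export-Csv "shared-mailboxes-signin-enabled-$stamp.csv" -NoTypeInformation

# 5. Conditional Access: only enabled (not report-only) policies that grant
#    with the built-in MFA control or an authentication strength count as
#    enforcement. The exclusion columns are what an underwriter, and an
#    attacker, will look at first.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.State -eq 'enabled' -and (
            $_.GrantControls.BuiltInControls -contains 'mfa' -or
            $null -ne $_.GrantControls.AuthenticationStrength.Id)
    } |
    Select-Object DisplayName,
        @{ n = 'AllUsers';       e = { $_.Conditions.Users.IncludeUsers -contains 'All' } },
        @{ n = 'AllApps';        e = { $_.Conditions.Applications.IncludeApplications -contains 'All' } },
        @{ n = 'ExcludedUsers';  e = { $_.Conditions.Users.ExcludeUsers -join ';' } },
        @{ n = 'ExcludedGroups'; e = { $_.Conditions.Users.ExcludeGroups -join ';' } },
        @{ n = 'ExcludedRoles';  e = { $_.Conditions.Users.ExcludeRoles -join ';' } } |
    Export-Csv "ca-mfa-policies-$stamp.csv" -NoTypeInformation

Disconnect-MgGraph | Out-Null
Disconnect-ExchangeOnline -Confirm:$false
```

Run it before the application and again before renewal, and keep the dated CSVs alongside the screenshots. A non-empty mfa-gaps file, a shared mailbox that can still sign in, or an MFA policy with a broad exclusion group is exactly the state in which "yes, MFA on all accounts" becomes a denied claim, so each row needs either a fix (disable sign-in, register a method, remove the exclusion) or a documented exception before the questionnaire is signed.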

Policies and procedures. Written information security policy, acceptable use policy, incident response plan, backup policy, data retention policy. Each typically two to ten pages, leadership-approved, dated, and reviewed within the last twelve months.

Training records. Evidence of security awareness training delivered in the last twelve months, including completion rates and phishing simulation results. Increasingly, insurers expect quarterly cadence rather than annual.

Vendor inventory. List of critical vendors with access to your data, evidence of due diligence on each, and contract clauses covering data protection and incident notification.

Past incident summary. List of security incidents in the past three years, with description and remediation. Insurers ask this not to deny coverage but to validate the control story.

Attestation vs Evidence

Some insurers accept attestation (you say it is so, you sign a statement). Others require evidence (you show the configuration, the report, the screenshot). The trend is rapidly toward evidence. Brokers report that 2026 renewals increasingly include external security scans, exposed-asset checks, and questionnaire validation calls with the insured's IT team.

For Canadian SMBs, the safest posture is to assume evidence will be required and prepare accordingly. Most SOC 2 evidence collection feeds cyber insurance documentation directly, which is one reason businesses pursuing SOC 2 readiness often see their cyber insurance premiums improve.

Renewal Is Tighter Than Application

Renewals are now stricter than new applications. The insurer has a year of data on your industry's claim history and a stronger basis to require additional controls. Common renewal asks that were not in the original policy:

  • EDR deployed on every endpoint (including BYOD and contractors)
  • Privileged access management beyond simple admin accounts
  • Network segmentation between admin networks and user networks
  • Documented tabletop exercise within the last twelve months
  • External penetration test within the last twenty-four months
  • Documented vendor risk management program

Going into a renewal without these in place often means premium increases of 40 to 100 percent, sub-limits on ransomware coverage, or non-renewal entirely.

Getting Ready

The practical playbook for a Canadian SMB approaching a cyber insurance application or renewal is to start three months before the policy date. Map your current control state against the categories above, identify the gaps, and prioritize the fixes that materially change the underwriting answer. A good MSP or virtual CISO can drive this process and assemble the evidence package.

For the broader compliance context (PIPEDA, PHIPA, SOC 2, retention, breach notification), see our compliance guide for Ontario businesses. For the cybersecurity controls themselves, see our cybersecurity guide for Canadian SMBs.

Need Help With Your IT?

ClayGen provides managed IT services, cybersecurity, and Microsoft 365 management for Ontario businesses.