Free Tool

Cyber Insurance Readiness Checker

Answer 15 questions about your security controls. We compare your answers to what Canadian cyber insurers require in 2026 and show where the gaps are that could block coverage or inflate your premium. No email required, results visible immediately.


Identity and Access

Identity controls are the highest-leverage area for cyber insurance. Almost every Canadian carrier now requires MFA enforcement at a minimum.

Is MFA enabled and enforced on email, VPN, admin accounts, and cloud apps?

MFA must cover admin accounts, shared mailboxes, and every service account that can sign in interactively; an account that cannot complete MFA needs a compensating control (blocked interactive sign-in, IP or device restriction, legacy authentication disabled). Every exception is an attack vector, and underwriters ask about them.

Are users on authenticator apps or hardware tokens (not SMS)?

SMS-based MFA is increasingly excluded by insurers because SIM-swap attacks and SS7 interception let an attacker receive the code. Authenticator apps and hardware tokens close that gap; only phishing-resistant methods (FIDO2 security keys, passkeys) also defeat real-time relay phishing.

Do administrators have separate privileged accounts from their daily-use accounts?

Sharing the same identity for email and tenant admin is a common finding that increases underwriting risk.

Endpoints and Backup

EDR replaces legacy antivirus. Tested, immutable backups are the last line of defense against ransomware.

Is EDR (not legacy antivirus) deployed on every endpoint including BYOD?

Most insurers explicitly require EDR. Acceptable products include SentinelOne, CrowdStrike, Defender for Endpoint, and Sophos Intercept X.

Are operating systems and applications patched on a documented cadence with exception tracking?
Do you have restore-tested backups, including at least one immutable or offline copy, plus a separate backup of Microsoft 365 data (Exchange, SharePoint, OneDrive, Teams)?

Untested backups are not credible to underwriters. Microsoft 365 backup is increasingly explicit in applications.

Email Security and User Awareness

Email remains the most exploited attack surface. Insurers expect both technical controls and behavioral controls.

Is DMARC set to p=quarantine or p=reject (not p=none, which only monitors) on every domain and subdomain that sends mail?
Do you have anti-phishing policies including impersonation protection on executives and finance staff?
Do you run quarterly security awareness training with simulated phishing campaigns?

Annual training is the floor in 2026. Quarterly matches what most insurers now expect.
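The DMARC question is easy to answer wrongly by reading only the `p=` tag. The record also carries a subdomain policy (`sp=`, which defaults to `p=`) and a `pct=` tag that limits how much failing mail the policy is applied to, so "p=quarantine; pct=25; sp=none" looks enforcing but is not. The script below is an added example, not part of the ClayGen checker: it parses DMARC TXT records and reports the gaps an underwriter would care about. The domain names and records are constructed sample input; to check a live domain, query the TXT record at `_dmarc.<domain>` (for example with `dig`) and pass the string to `assess_dmarc`.

```python
"""Classify DMARC records the way the insurer's question reads them.

Added example, not the page's own tool. Records below are constructed
sample input keyed by hypothetical domain names; nothing is fetched.
"""

# Constructed sample records (hypothetical domains).
SAMPLE_RECORDS = {
    "example-reject.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-reject.test",
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "example-missing.test": None,  # no TXT record published at _dmarc.<domain>
    "example-bad.test": "v=spf1 include:_spf.example-bad.test ~all",  # SPF, not DMARC
}

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record):
    """Return tag->value for a DMARC record, or None if it is not a DMARC record.

    Tags are case-insensitive per RFC 7489; values keep their case so that
    report addresses survive intact.
    """
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Decide whether a record is enforcing and list the gaps behind that verdict.

    Returns {"enforcing": bool, "gaps": [...], "notes": [...]}. Gaps make the
    record non-enforcing; notes are advisory (missing reporting address).
    """
    tags = parse_dmarc(record)
    if tags is None:
        return {
            "enforcing": False,
            "gaps": ["no valid DMARC record published at _dmarc.<domain>"],
            "notes": [],
        }

    gaps, notes = [], []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        gaps.append(f"apex policy is p={policy or 'missing'}; monitoring only")

    # sp= defaults to p=, so an explicit sp=none silently reopens subdomains.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING:
        gaps.append(f"subdomain policy is sp={sub_policy or 'missing'}; subdomains can be spoofed")

    # pct= below 100 applies the policy to only that share of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        gaps.append(f"pct={pct}; policy applied to only that share of failing mail")

    if "rua" not in tags:
        notes.append("no rua= address; aggregate reports that reveal legitimate senders are lost")

    return {"enforcing": not gaps, "gaps": gaps, "notes": notes}


def assess_all(records):
    """Run assess_dmarc over a {domain: record} mapping."""
    return {domain: assess_dmarc(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all(SAMPLE_RECORDS).items():
        print(f"{domain}: {'PASS' if result['enforcing'] else 'GAP'}")
        for line in result["gaps"] + result["notes"]:
            print(f"  - {line}")
```

Run it and only the `p=reject` record passes; the `pct=25; sp=none` record is reported with two gaps even though its apex policy is quarantine. Rolling a domain from `p=none` to `p=reject` is normally done by first adding a `rua=` address and reading the aggregate reports for a few weeks, so that legitimate third-party senders (payroll, CRM, marketing platforms) are authenticated before the policy is tightened.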

Incident Response and Governance

Insurers want to see that you can respond, not just prevent. The questions in this area get sharper every renewal cycle.

Do you have a documented incident response plan including a call tree, severity levels, and external IR partner?
Have you run a tabletop exercise of the incident response plan in the last 12 months?
Do you have a documented vendor inventory with security due diligence and contract clauses?

Third-party risk management is a fast-growing underwriting area, especially after supply-chain attacks.

Policies and Documentation

Underwriters increasingly ask for evidence, not attestation. The documentation you produce here also serves SOC 2 audits and PIPEDA compliance.

Do you have a written information security policy approved by leadership and reviewed in the last 12 months?
Do you have a documented inventory of personal information and sensitive data with classification?
Have you had an external penetration test or vulnerability assessment in the last 24 months?

Answer all 15 questions to see your score, breakdown, and recommendations.

Want help acting on the result?

This tool gives you the picture. ClayGen helps you close the gaps. No pressure, no obligation, just a real conversation about your environment.

Book a Discovery Call