Cyber Insurance Readiness for Canadian Small Business
We help you get the right cyber insurance policy, prepare the evidence that unlocks lower premiums, and stand beside you when a claim needs to be filed.
A complete service, run by people.
We evaluate your current coverage, identify gaps, and recommend policies that match your actual risk profile.
Our security controls MDR, patching, MFA enforcement are documented evidence insurers use to lower your premiums.
Annual questionnaires answered with real data from your environment, not guesswork.
When a claim needs filing, we provide the incident timeline, forensic evidence, and logs insurers require.
We coordinate with your insurer's incident response panel to minimize dwell time and financial exposure.
Board-ready briefings that translate cyber risk into financial exposure your leadership can act on.
What Canadian cyber insurers require in 2026
Insurers have tightened underwriting requirements significantly since 2021. These are the technical controls most Canadian cyber insurers now require as a condition of coverage not just recommendations.
- Multi-factor authentication on all admin accounts Non-negotiable for every insurer. Policies are voided or claims denied if MFA was available but not enforced on compromised admin accounts.
- Endpoint detection and response (EDR) Traditional antivirus is no longer sufficient. Insurers want evidence of behavioural detection and response capability on all endpoints.
- Offsite backup tested within 90 days Backups that haven't been tested aren't evidence of resilience. Insurers ask for test dates and recovery time objectives in renewal questionnaires.
- Documented incident response plan A written plan with named contacts, escalation procedures, and insurer notification steps. Must include the 72-hour PIPEDA notification window.
- Email security (DMARC/DKIM/SPF) Domain authentication controls are increasingly required. Some insurers specifically ask for DMARC policy status during renewal.
- Vulnerability scanning Evidence of quarterly or continuous scanning with a documented remediation process. Unpatched critical vulnerabilities discovered during a claim can result in coverage exclusions.
- Privileged access management Separate admin accounts, least-privilege principles, and audit logs of privileged activity. Required by most enterprise-tier policies and increasingly by SMB policies.
PIPEDA and cyber insurance what SMBs need to know
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to notify the Office of the Privacy Commissioner and affected individuals whenever a breach creates a 'real risk of significant harm.' That notification must happen as soon as feasible in practice, insurers expect notification within 72 hours of confirming a breach.
Insurers increasingly require evidence that your incident response plan includes PIPEDA notification procedures. During a claim, they will ask: when did you know? What did you do? Who did you notify? A plan that doesn't address these questions slows claim processing and can trigger coverage disputes.
Quantm's incident response engagement maps your notification obligations directly to your insurer's requirements. We document the breach timeline, the categories of personal information affected, and the notification steps taken the exact evidence your insurer's claims team needs to process your claim without delay.
What an evidence pack includes
Insurers don't take your word for your security posture they ask for documentation. An evidence pack is the set of documents that proves your controls are real.
- Control attestation report A signed summary of which controls are in place, when they were last tested, and who is responsible for each.
- Vulnerability scan results The most recent scan output with a summary of open findings and their remediation status.
- Backup test verification A dated record of your most recent recovery test, including what was restored and how long it took.
- MFA deployment evidence A report showing MFA enrollment rates by user group, with admin accounts called out specifically.
- Policy documents Incident response plan, acceptable use policy, and remote access policy dated and signed by an owner.
What changes after week one.
You'll feel the difference fast fewer alerts, faster response, and a clearer picture of where your real risk lives.
- Reduce cyber insurance premiums by documenting your security posture
- Eliminate coverage gaps that leave ransomware or BEC losses uninsured
- Answer renewal questionnaires in hours, not days
- File claims with complete forensic evidence and incident timelines
- Give your board a clear picture of your residual cyber risk
From kickoff to coverage in days.
We review your current policy and map it against your real risk exposure.
Security controls are tuned and documented to meet insurer requirements.
We compile the evidence package and answer renewal questionnaires with you.
If an incident occurs, we provide the documentation insurers need to pay the claim.
Common questions, answered.
The things buyers ask us most about scope, onboarding, and what you'll see in your monthly report.
Ask us anythingStop hoping your policy covers you.
We'll review your current coverage and show you exactly what a ransomware or BEC incident would cost your business today.