Practical Guide
Cyber insurance renewal checklist for Canadian SMBs.
Use this guide 60-90 days before renewal or a first application to organize the evidence underwriters commonly ask for and identify gaps before the deadline becomes urgent.
Step 1
Who This Is For
Canadian SMBs preparing a cyber insurance renewal, first application, broker follow-up, or underwriter question set.
Teams where IT, outside IT provider, leadership, finance, and operations each own part of the evidence.
Organizations that know controls exist but do not yet have broker-ready proof.
Step 2
What To Check First
extra login verification for email, remote access, cloud platforms, and administrator accounts.
Endpoint protection coverage, monitoring ownership, and alert response process.
Backup recoverability, including immutable or offline copy and a recent restore test.
Patch management SLAs, tracking, exceptions, and proof of remediation.
Email security controls such as email domain protection posture, filtering, and reporting workflow.
Incident response plan, escalation contacts, tabletop evidence, and post-incident decision records.
Step 3
Evidence To Collect
Identity provider screenshots or reports showing extra login verification scope and admin coverage.
Device protection or monitoring report with coverage percentage and monitoring owner.
Backup configuration, immutable/offline proof, and latest restore test notes.
Patch policy, SLA report, vulnerability or compliance tracker, and aging exceptions.
Email security DNS records, anti-phishing controls, and reporting workflow evidence.
Incident response plan, tabletop notes, named roles, and evidence of lessons learned.
Step 4
Common Gaps
Extra login verification is enabled for email but not remote access, admin accounts, or cloud applications.
Backups exist but restore testing is old, informal, or not documented.
Patch reports exist but exceptions do not have owners or target dates.
Incident response is written but has not been tested with the actual leadership team.
The broker-ready summary overstates maturity because evidence is stale or incomplete.
Step 5
Practical Checklist
Confirm which systems are in scope: email, cloud apps, remote access, servers, endpoints, cloud software administrator accounts, backup systems, and customer-facing platforms.
Assign one owner per evidence item. Avoid "IT" as the owner unless a named person is accountable for the answer and proof.
Label each item as ready, partial, missing, stale, internal-only, or needs broker clarification.
Turn every partial or missing item into a dated action: quick fix, 30-day remediation, 60-day remediation, 90-day remediation, or exception decision.
Prepare a plain-language summary for the broker that separates current state, evidence available, remediation in progress, and known exceptions.
Step 6
Decision Points
If the evidence is mostly ready, focus on freshness: dates, owner confirmation, and safe-to-share status.
If the controls exist but evidence is weak, start with an evidence pack before changing the control stack.
If the controls are missing or unclear, use a 30/60/90 remediation plan so the broker sees ownership and realistic timing.
If the deadline is close, prioritize issues that are easily exploitable, carrier-critical, or likely to trigger follow-up questions.
Step 7
When To Ask For Help
The renewal is within 60 days and several evidence owners are unclear.
A broker or carrier asks follow-up questions that the team cannot answer confidently.
The organization needs a remediation plan with owners, dates, validation evidence, and exception language.
The team needs to align security work with Canadian SMB baseline control expectations without turning the renewal into an oversized audit project.
Related Template