10 min read
Adrian Ghira
May 14, 2026
Cyber insurance used to be the easy answer. A premium, a policy, peace of mind. In 2026, it's none of those things, at least not without real preparation. Premiums for Canadian small and mid-sized businesses are still elevated after the ransomware repricing that began in 2021. Underwriting has tightened. Some carriers have exited the SMB market entirely. And a meaningful percentage of the claims that do get filed are now being denied or partially denied, usually because of a gap between what the business said it had on its application and what the forensic investigation actually found.
If you're renewing in 2026, or buying for the first time, the rules have changed. This is the practical guide to what Canadian SMBs need to qualify, what to expect on the application, and what's actually getting claims denied across the country.
Cyber insurance in 2026 is no longer a transfer of risk. It's a transfer of risk on the condition that you maintain a specific stack of controls. Miss one, and the policy may not respond when you need it most.
Canadian cyber insurance has gone through three distinct phases in five years. From 2018 to 2020, it was inexpensive and lightly underwritten, a checkbox most CFOs ticked because it was cheap. From 2021 to 2023, after the ransomware surge, premiums rose sharply (often 100–300% on renewal), retentions doubled, and underwriters demanded technical questionnaires that most SMBs couldn't credibly answer. From 2024 onward, the market has been re-stabilizing on a new floor: premiums down from their 2022 peak but still well above 2019 levels, with underwriting that now reads more like a security audit than an insurance application.
Several global carriers have pulled back from sub-100-user accounts in the Canadian market, leaving SMBs to a smaller pool of specialty insurers and managing general agents (MGAs). Practical effect: you have fewer carriers competing for your business, and the ones who remain are pickier about who they'll write.
For a typical 50-person Canadian professional services firm with $5M–$10M in coverage, current premiums sit in the $4,000–$12,000 CAD per year range, with retentions starting around $10,000 CAD. That's down from 2022 peaks but still meaningfully higher than the pre-2021 environment. Pricing is driven less by industry now and more by your demonstrated security posture: two firms in the same sector with very different control maturity will see very different premiums.
Carriers no longer simply price your risk. They prescribe what your security stack must look like to be considered insurable at all. Below a certain control threshold, you cannot buy meaningful cyber insurance at any price. This is the most important commercial reality of the 2026 market: the question is not how much you'll pay, it's whether you qualify.
The specific list varies by carrier, but the consensus across Canadian underwriters in 2026 looks like this. If you can't credibly attest to all seven, expect either a quote refusal or a heavily sub-limited policy with a sublimit on ransomware that makes the coverage cosmetic.
Basic SMS or app-based MFA is no longer sufficient for several major carriers. Number matching is the floor. Passkeys, FIDO2 hardware tokens, or Microsoft Authenticator with number matching are what underwriters now expect, particularly for email accounts, VPN access, and any privileged or admin account. The reason: attacker-in-the-middle phishing kits have made standard MFA bypass routine, and carriers have seen the loss data.
Traditional signature-based antivirus is treated as legacy. Carriers want EDR or XDR products that monitor endpoint behaviour in real time and can isolate a compromised device automatically. The names underwriters know and accept include the major Microsoft, SentinelOne, CrowdStrike, ESET, and Sophos enterprise lines. "We have antivirus" is not an acceptable answer in 2026.
Backups are the most heavily scrutinized control because they're the single biggest determinant of ransomware loss size. Carriers want to see backups that meet three criteria: immutable (cannot be encrypted or deleted by ransomware once written), offline or air-gapped (not continuously accessible from production systems), and tested (you must be able to demonstrate restoration). Cloud-only backup with the same credentials as production is no longer credible.
Email is still the entry point for most claims. Carriers now expect SPF, DKIM, and DMARC properly configured (DMARC at p=quarantine or p=reject, not p=none), plus an advanced email security layer: Microsoft Defender for Office 365, Proofpoint, Mimecast, or equivalent. The questionnaire will ask about each one specifically.
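The DMARC and SPF questions on the application are answerable from two DNS TXT records. The script below is an added example, not GAM Tech's tooling or any carrier's assessment: it parses a DMARC record and an SPF record and flags the conditions underwriters look for (p=none, a partial pct=, no aggregate-reporting address, a permissive +all). The records are constructed for the example; a real check would fetch `_dmarc.<domain>` and the apex TXT record over DNS and pass the strings in unchanged.

```python
"""Check SPF and DMARC TXT records against the floor underwriters look for:
DMARC at p=quarantine or p=reject (not p=none), applied to 100% of mail,
and an SPF record that does not end in a permissive '+all'.
Added example, not GAM Tech's or any carrier's tooling. Records are constructed."""

ENFORCING_POLICIES = {"quarantine", "reject"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample records (example.com is a reserved documentation domain).
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial":      "v=DMARC1; p=quarantine; pct=25",
    "enforcing":    "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; pct=100",
}
SAMPLE_SPF = {
    "open": "v=spf1 include:spf.protection.outlook.com +all",
    "soft": "v=spf1 include:spf.protection.outlook.com ~all",
    "hard": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all",
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag -> value map."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> dict:
    """Return the effective policy plus the findings an underwriter would flag."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or malformed v=DMARC1 tag")
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING_POLICIES:
        findings.append(f"p={policy or '(missing)'} does not enforce; need quarantine or reject")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append(f"pct={tags['pct']!r} is not a number")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if policy in ENFORCING_POLICIES and subdomain_policy not in ENFORCING_POLICIES:
        findings.append(f"subdomains fall back to sp={subdomain_policy}")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports to evidence enforcement")
    return {
        "policy": policy,
        "pct": pct,
        "enforcing": policy in ENFORCING_POLICIES and pct == 100,
        "findings": findings,
    }


def evaluate_spf(record: str) -> dict:
    """Flag an SPF record whose final 'all' mechanism lets anyone send as the domain."""
    terms = record.split()
    findings = []
    if not terms or terms[0].lower() != "v=spf1":
        return {"all": None, "lookups": 0, "findings": ["record does not start with v=spf1"]}
    all_term = next((t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism; unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("+all authorises every sender; SPF is effectively disabled")
    elif all_term == "?all":
        findings.append("?all is neutral; use ~all or -all")
    # RFC 7208 caps DNS lookups at 10; include/a/mx/ptr/exists and redirect= all count.
    lookups = 0
    for term in terms[1:]:
        name = term.lower().lstrip("+-~?").split(":")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS or term.lower().startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return {"all": all_term, "lookups": lookups, "findings": findings}


def questionnaire_ready(dmarc_record: str, spf_record: str) -> bool:
    """True only when both records would survive the carrier's checklist unchanged."""
    return not evaluate_dmarc(dmarc_record)["findings"] and not evaluate_spf(spf_record)["findings"]


if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(f"DMARC {label:13s} {evaluate_dmarc(rec)}")
    for label, rec in SAMPLE_SPF.items():
        print(f"SPF   {label:13s} {evaluate_spf(rec)}")
```

The `pct` and `sp` checks matter in practice: a record that reads p=reject but carries pct=25, or leaves subdomains at sp=none, lets most spoofed mail through while still looking "enforced" on a screenshot.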
Domain admin accounts cannot be used for daily work. Privileged actions must be separated from standard user accounts. For larger SMBs, carriers expect a privileged access management (PAM) solution; for smaller, they at least expect a documented separation of admin and user identities, and a quarterly review of who holds privileged access.
Annual training is the floor. Quarterly is preferred. Documented phishing simulations are increasingly expected, with metrics on click rates and remediation. Some carriers will ask for the platform name and the most recent simulation results during underwriting.
Carriers want to see a written incident response plan that names roles, defines escalation thresholds, and includes the carrier's breach hotline as a contact. They also want to see evidence the plan has been tested in the last 12 months typically through a tabletop exercise. "We'd call our IT provider" is not a plan. It's a default reaction.
Claim denials in the Canadian SMB segment cluster around five recurring patterns. None of them are obscure. All of them are avoidable.
The most common denial cause. The application asked whether MFA was enforced on all email accounts. The business answered yes. Forensics showed three accounts — including the one that was compromised — without MFA. The carrier denied the claim on the basis of material misrepresentation. This pattern repeats across MFA, EDR coverage, backup testing, and privileged account separation. The lesson: never sign an application without verifying the underlying controls are actually in place across the entire estate, not just "mostly."
Even where the application was accurate at signing, controls drift. A new SaaS app gets onboarded without MFA. EDR fails on a server and isn't reinstalled. Backup jobs start failing silently. If the gap exists at the time of the incident, the carrier will find it during forensics. The remedy is continuous monitoring of the insured control set — not just an annual check.
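Both failure modes above (answering "all accounts" when a service account was excluded, and controls that drift after signing) come down to the same check: the application's yes/no answers must be derived from a full inventory with zero exceptions, and re-derived on a schedule. The script below is an added example, not GAM Tech's code; it answers three questionnaire questions from a constructed inventory of accounts, endpoints and backup sets, and reports exactly which objects would contradict a "yes". In practice the lists would be exported from the identity provider, the EDR console and the backup platform.

```python
"""Control-drift report: answer the application's 'all accounts / all endpoints'
questions the way a forensic investigator would, with zero exceptions.
Added example, not GAM Tech's code. The inventory and the reference date are
constructed; in practice each list is exported from the identity provider, the
EDR console and the backup platform, and the report runs on a schedule."""
from dataclasses import dataclass
from datetime import date

# MFA methods the article names as the underwriting floor or better.
ACCEPTED_MFA = {"number_matching", "passkey", "fido2"}
TODAY = date(2026, 5, 14)  # constructed reference date for the sample inventory


@dataclass
class Account:
    name: str
    kind: str   # "user", "admin" or "service"
    mfa: str    # "none", "sms", "app", "number_matching", "passkey", "fido2"


@dataclass
class Device:
    hostname: str
    edr_installed: bool
    last_checkin: date  # last heartbeat the EDR console saw


@dataclass
class BackupSet:
    name: str
    immutable: bool
    last_success: date
    last_restore_test: date


# Constructed inventory: one service account excluded from MFA, one SMS-only
# user, a server the agent was never reinstalled on, a server that stopped
# reporting, and a backup set that is immutable but not restore-tested this quarter.
ACCOUNTS = [
    Account("alice", "user", "number_matching"),
    Account("bob", "user", "sms"),
    Account("svc-scanner", "service", "none"),
    Account("admin-ops", "admin", "fido2"),
]
DEVICES = [
    Device("LAPTOP-01", True, date(2026, 5, 14)),
    Device("SRV-FILE01", False, date(2026, 5, 14)),
    Device("SRV-DB01", True, date(2026, 4, 10)),
]
BACKUPS = [
    BackupSet("fileserver", True, date(2026, 5, 13), date(2026, 1, 9)),
    BackupSet("m365-mailboxes", False, date(2026, 5, 13), date(2026, 4, 30)),
]


def mfa_gaps(accounts):
    """Accounts that falsify 'MFA enforced on all accounts'; service accounts count."""
    return [a.name for a in accounts if a.mfa not in ACCEPTED_MFA]


def edr_gaps(devices, today=TODAY, stale_days=7):
    """Endpoints with no agent, or an agent that silently stopped checking in."""
    return [d.hostname for d in devices
            if not d.edr_installed or (today - d.last_checkin).days > stale_days]


def backup_gaps(backups, today=TODAY, max_success_age=1, max_test_age=90):
    """Backup sets that are not immutable, not current, or not recently restore-tested."""
    gaps = []
    for b in backups:
        if not b.immutable:
            gaps.append(f"{b.name}: not immutable")
        if (today - b.last_success).days > max_success_age:
            gaps.append(f"{b.name}: last successful run {b.last_success}")
        if (today - b.last_restore_test).days > max_test_age:
            gaps.append(f"{b.name}: last restore test {b.last_restore_test}")
    return gaps


def attestation(accounts, devices, backups, today=TODAY):
    """Yes/no answers for the application; True only when the gap list is empty."""
    return {
        "mfa_on_all_accounts": not mfa_gaps(accounts),
        "edr_on_all_endpoints": not edr_gaps(devices, today),
        "backups_immutable_and_tested": not backup_gaps(backups, today),
    }


if __name__ == "__main__":
    print("MFA gaps:   ", mfa_gaps(ACCOUNTS))
    print("EDR gaps:   ", edr_gaps(DEVICES))
    print("Backup gaps:", backup_gaps(BACKUPS))
    print("Attestation:", attestation(ACCOUNTS, DEVICES, BACKUPS))
```

Run weekly, the gap lists are the drift signal the article calls for; the attestation dict is what should be true on the day the application is signed and on the day of an incident, and keeping the dated outputs is cheap evidence for the forensic review.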
Carriers require timely, credible forensic evidence to validate the loss. SMBs that don't preserve logs — or whose logs are wiped during a ransomware event because they live on the same compromised infrastructure — can't substantiate the claim. Centralized log retention (off-domain, immutable) is increasingly an underwriting requirement for this reason.
Most policies require notification within 72 hours of discovery. Many SMBs don't recognize they have a covered incident until a week or more in, and notification windows expire. Putting the carrier's hotline on the IT provider's incident response checklist solves this; not having it in writing is the cause of more late-notification denials than anything else.
Coverage carve-outs are tighter than they were five years ago. Common exclusions in 2026 Canadian policies include: ransom payments to sanctioned entities (now subject to OFAC and Canadian sanctions screening), social engineering losses where the loss arose from voluntary fund transfers (often under sub-limit), and losses arising from unpatched known vulnerabilities. Read the exclusions carefully, particularly the patching exclusion, which is now common.
If your premium quote feels high, there are specific levers that can move it down — and several common asks that don't.
A 2026 cyber insurance application for a Canadian SMB now runs 8 to 25 pages. Expect detailed sections on:
Many sections require evidence: configuration screenshots, vendor invoices, signed attestations. The application is now closer to an audit. Allocate two to four weeks for proper completion if you're working with a managed IT provider; longer if you're not.
Three composite scenarios based on patterns we've seen across the Canadian market illustrate what happens when the controls don't match the application.
A 60-person Calgary professional services firm checks "MFA enforced on all accounts" on its renewal questionnaire. Six months later, an attacker compromises a service account that was excluded from the MFA policy. Ransomware is deployed. The firm files a claim for $400,000 in business interruption and remediation. The carrier conducts forensics, identifies the unprotected service account, and denies the claim citing material misrepresentation. The firm pays out of pocket.
A 35-person Toronto manufacturer is breached through an unpatched VPN appliance with a publicly disclosed CVE that was 9 months old at the time of the incident. The policy includes an exclusion for losses arising from unpatched vulnerabilities older than 30 days. The carrier denies most of the loss and pays only forensic costs.
An 80-person Edmonton engineering firm with a managed IT provider has documented MFA on every account, EDR with isolation enabled, immutable backups tested monthly, a written incident response plan, and quarterly phishing simulations. An attacker compromises an executive's laptop through a malicious browser extension. EDR isolates the device within minutes; the IT provider notifies the carrier within four hours; backups restore affected files; total downtime is 6 hours. Total claim: $35,000 in forensic and notification costs. The carrier pays in full and offers a renewal discount.
The difference between Scenario 1 and Scenario 3 is not the quality of the attacker. It's the quality of the control posture and the documentation behind it.
GAM Tech has been running security and managed IT for Canadian businesses since 2012. We are SOC2 certified, B-Corp certified, and operate a 24/7 internal team, never outsourced, across Calgary, Edmonton, Red Deer, Vancouver, Victoria, Toronto, Ottawa, and Montréal. For clients renewing or pursuing cyber insurance, our role typically covers four areas:
For clients who experience an incident, we are the first call and we initiate the carrier notification process inside the contractually required notification window. That single procedural detail prevents more late-notification denials than any other practice.
For a typical 50-person Canadian SMB with $5M–$10M in coverage, premiums in 2026 range from approximately $4,000 to $12,000 CAD per year, with retentions starting around $10,000 CAD. Pricing is driven primarily by your security control posture rather than industry alone. Two firms in the same sector with very different control maturity will see very different premiums.
Most Canadian carriers now require: phishing-resistant multi-factor authentication on all accounts, endpoint detection and response (not legacy antivirus), immutable and offline backups with documented restore tests, configured email security including DMARC and an advanced threat protection layer, privileged access separation, documented security awareness training with phishing simulations, and a written incident response plan tested within the past 12 months.
The five most common denial reasons in 2026 are: misrepresentation on the application (the controls described didn't exist at the time of the incident), failure to maintain stated controls (drift between the application and incident date), missing forensic evidence to substantiate the loss, late notification beyond the 72-hour window, and excluded loss types such as unpatched vulnerabilities or sanctioned-entity ransom payments.
Increasingly, no. Several major Canadian carriers now require phishing-resistant MFA: number matching at minimum, and ideally passkeys or FIDO2 hardware tokens, particularly for email, VPN, and privileged accounts. Standard SMS or basic app-based MFA is treated as insufficient by underwriters because attacker-in-the-middle phishing kits have made it routinely bypassable.
Most Canadian cyber insurance policies include ransomware coverage, but with conditions. Payments to entities on Canadian or U.S. sanctions lists are excluded. Several jurisdictions are debating broader bans on ransom payments. Carriers also typically require their pre-approval before any payment is made and may limit the ransomware sub-limit well below the policy aggregate.
A current Canadian cyber insurance application runs 8 to 25 pages and typically requires evidence such as configuration screenshots, vendor invoices, and signed attestations. With a managed IT provider supporting the response, allocate two to four weeks for proper completion. Without one, allow longer, and the application may not be credible enough to receive competitive quotes.
Yes, and increasingly should. A capable MSP can map your current posture against the carrier questionnaire, remediate gaps, provide a signed attestation of the controls in place, and monitor those controls continuously so you don't drift between renewal and the next incident. Some carriers reduce or waive their technical assessment fee when an MSP attestation is on file.
Many 2026 Canadian cyber policies now exclude losses arising from vulnerabilities that were publicly disclosed and unpatched for a defined period, commonly 30, 60, or 90 days. If a breach is traced to an unpatched known vulnerability beyond that window, the related loss may not be covered. This makes documented vulnerability and patch management an underwriting expectation, not just a security best practice.
In Canadian cyber insurance, the terms are often used interchangeably, but technically the retention is the amount you absorb before coverage triggers. Retentions in 2026 typically start at $10,000 CAD for SMBs and scale with revenue and coverage limits. Some sub-coverages (such as funds transfer fraud) carry separate sub-limits and separate retentions.
For an SMB buying cyber for the first time, a broker with cyber specialization or a Managing General Agent focused on cyber will typically secure better quotes and structure the policy more thoughtfully than a generalist. Specialists have access to more carriers, understand the questionnaires, and know how to position your controls credibly.
Cyber insurance in 2026 is no longer something you can buy in a week and forget about for a year. It's a continuous alignment between your security controls and your policy's conditions. Get that alignment right, and the policy works the way it's supposed to. Get it wrong, and you may find out only at the moment you need the coverage most.
GAM Tech can run a pre-application control assessment, identify the gaps that will cause your premium to spike or your claim to be denied, and remediate them before you renew. With offices in Calgary, Edmonton, Red Deer, Vancouver, Victoria, Toronto, Ottawa, and Montréal, and a 24/7 internal Canadian team, we support cyber insurance qualification for businesses anywhere in Canada.
Book a 30-minute cyber insurance readiness conversation to find out where you stand against current carrier requirements.