Cyber insurance underwriting has tightened significantly since 2023. Carriers are asking more questions, requiring more evidence, and pricing risk more precisely. But businesses that come prepared — with documented security controls and a clear risk narrative — can still secure competitive rates.
Here are seven concrete actions that will improve your cyber insurance application and lower your premium.
1. Document Your Security Controls Before You Apply
The single biggest factor in your premium is how you answer the application questionnaire. Underwriters assess risk based on what you can demonstrate, not what you claim. A business that says "we have good security" pays more than one that provides evidence of specific controls.
Before starting the application, prepare documentation for:
- Endpoint protection (antivirus/EDR) — vendor, coverage percentage, update frequency
- Network security — firewall type, network segmentation, intrusion detection
- Backup procedures — frequency, offsite/cloud storage, tested recovery
- Patch management — cadence, coverage, exception handling
- Employee security training — frequency, content, completion rates
2. Complete MFA Everywhere
Multi-factor authentication is the control that underwriters weight most heavily. If you don't have MFA on all externally facing services — email, VPN, cloud platforms, admin accounts — many carriers will decline your application outright or add a significant premium load.
Where underwriters expect to see MFA:
- All email accounts (Microsoft 365, Google Workspace)
- Remote access (VPN, Remote Desktop)
- Cloud platforms and admin consoles
- Privileged accounts (domain admin, root, superuser)
- Financial systems and banking portals
Impact: Businesses with MFA deployed across all critical systems typically receive quotes 15-30% lower than comparable businesses without MFA.
3. Have an Incident Response Plan
An incident response plan (IRP) tells the underwriter that when — not if — a breach happens, you won't be scrambling. A documented IRP reduces the carrier's expected loss by ensuring faster containment, lower breach costs, and proper regulatory compliance.
Your IRP doesn't need to be a 50-page document. It needs to answer:
- Who leads the response? (Name, title, contact information)
- What are the first 4 actions in the first 4 hours?
- How do you preserve forensic evidence?
- Who is your pre-approved forensic investigation firm?
- What are your PIPEDA notification obligations and timelines?
4. Assess Your Vendors
Underwriters are increasingly asking about vendor risk management. If your MSP, cloud providers, and software vendors have access to your systems and data, the carrier wants to know you've assessed their security.
At minimum, document that you've:
- Identified all vendors with access to your data or network
- Requested and reviewed their security certifications (SOC 2, ISO 27001)
- Confirmed they carry their own cyber insurance
- Included breach notification requirements in your contracts
See our full guide on third-party cyber risk for a complete vendor assessment framework.
5. Run a Gap Analysis on Your Current Coverage
Before applying for new coverage, understand what you already have — and where the gaps are. Many businesses discover too late that their GL or E&O policy has cyber exclusions, or that their existing cyber policy has sub-limits that don't match their actual exposure.
Our free Gap Analyzer identifies:
- AI exclusions (ISO CG 40 47/48)
- Silent cyber exposure
- Ransomware sub-limits
- Regulatory coverage gaps
- Third-party incident coverage
Knowing your gap lets you apply for exactly the coverage you need — nothing more, nothing less. That precision gets better rates.
6. Be Honest on the Application
This should be obvious, but it's the most common application mistake. Inflating your security posture on the questionnaire doesn't lower your premium — it voids your coverage.
If you claim to have MFA everywhere and a breach reveals you didn't, the carrier will deny the claim based on material misrepresentation. Canadian insurance law is clear: inaccurate applications give insurers grounds to rescind coverage, even for unrelated claims.
Be honest. If you have gaps, acknowledge them and present a remediation timeline. Underwriters prefer a business that knows its weaknesses and is actively addressing them over one that claims perfection.
7. Work With a Cyber-Specialist Broker
Generalist insurance brokers are great for property and auto. Cyber insurance is a specialized market with its own underwriting language, carrier landscape, and negotiation dynamics. A broker who specializes in cyber insurance:
- Knows which carriers are competitive for your industry and size
- Can position your application to highlight security strengths
- Understands the difference between policy forms (occurrence vs. claims-made, deductible vs. retention, waiting periods)
- Has relationships with underwriters that can get your application a favorable review
- Can benchmark your quote against market rates to ensure you're not overpaying
Cyber insurance premiums for Canadian SMEs typically range from $1,500 to $15,000+ annually depending on industry, revenue, and coverage limits. A specialist broker can often secure 20-40% better terms for businesses with strong security postures.
Start With a Free Gap Analysis
Before you apply, understand your current coverage position. Our Gap Analyzer identifies gaps, exclusions, and coverage opportunities in under 2 minutes.