Why this matters now

Cyber risk is a business reality, and insurers now expect proof that your basics work. Ransomware-as-a-service, business email compromise and supplier breaches have made the risk real for every organization, not just the largest firms.

Premiums have climbed and underwriting is tighter. Insurers now expect you to prove you’ve put basic, high-impact protections in place. If you can’t show them, you may face higher costs, limited coverage or a denied claim when you need it most.

How insurers set the bar

In Canada, laws like PIPEDA (and provincial equivalents) raise expectations but don’t define day-to-day “safe.” Insurers have stepped into that gap. Most carriers use the NIST Cybersecurity Framework (CSF) as a practical benchmark. 

CIS Controls are referenced too, but the real emphasis is whether obvious, high-value safeguards are live and working.

“Ultimately, the insurance companies want ‘the obvious things’ to ensure they’re not insuring low-hanging fruit. If you meet their requirements, you often have a reasonable posture,” explains Andriy Marchyshyn, vCIO Team Lead at Sirkit. 

Must-have controls insurers actually ask about

You’ll encounter the following in most applications and underwriting interviews. They’re all included in Secure 2025:

  • Multi-Factor Authentication (MFA) everywhere: Microsoft 365, all SaaS, VPN/remote access, and privileged/admin accounts.
  • Endpoint Detection & Response (EDR/MDR) with human review.
  • Backup/archiving for cloud services such as Microsoft 365 (Email, SharePoint, Teams, OneDrive) and Google, held offsite and immutable, so a compromised admin account cannot delete the copies.
  • Onsite, offsite and immutable backups for critical servers, with periodic restore verification (actual test restores, not just "job succeeded" reports).
  • Annual penetration testing that leads to remediation.
  • Ongoing employee awareness with recurring phishing simulations.
  • Least-privilege access and documented change management.
  • Frequently requested for higher limits/risk: 24/7 SOC coverage or equivalent.

How they verify (the SMB reality)

“Checkbox security” is over, but most small and mid-sized organizations won’t face a full-blown audit. Underwriters typically start with yes/no attestations (MFA, EDR/MDR, backups, etc.). Misrepresenting is risky: if a post-incident investigation shows the answers weren’t accurate, the claim can be denied.

Expect requests for policy and planning evidence, such as Business Continuity (BCP) and Disaster Recovery (DR) plans and security and access standards (including how MFA is enforced).

Carriers may ask for operational proof on demand (MDR alert summaries, backup status or restore confirmations, MFA logs) to confirm controls are active. The most rigorous checks happen at claim time, when forensic reviews look at logs, actions taken, and whether procedures were followed. 

When carriers scrutinize your response, speed is part of the story. Sirkit’s 36-second average hold time, 70% same-day ticket resolution and 95%+ CSAT demonstrate the operational readiness that limits exposure while an issue is being contained.

Formal third-party certifications (e.g., SOC 2, ISO 27001) are generally reserved for larger enterprises or heavily regulated industries; for SMBs, attestations plus spot evidence are the norm. 

What to have ready in 2025 (short list, big impact)

  • Current infrastructure diagram that matches reality.
  • Documented policies: BCP, DR, access control/MFA, backup, and incident response.
  • MFA enabled across all services, for users and admins alike.
  • Backup policy and periodic verification (be ready to show evidence if the carrier asks).
  • Access and admin logs.
  • A recent external penetration test appropriate to your size and industry, with remediation tracked to closure.

Looking ahead to 2026 and beyond

Underwriting is moving toward continuous assurance. Expect more emphasis on zero-trust access, AI/ML-powered threat dashboards, formal vendor risk management, and cloud misconfiguration prevention with continuous posture monitoring. 

Even if you’re mid-journey, a credible strategic security roadmap often improves underwriting outcomes because it demonstrates accountability and intent.

How Sirkit keeps you insurable and safer

Secure 2025 is designed around what carriers want to see: MDR/EDR with 24/7 overwatch, Microsoft 365 backups, phishing training, and annual penetration testing, all layered on proactive care and monitoring. 

Your vCIO and Proactive Team keep the security roadmap aligned with business goals, deliver clear cybersecurity guidance, and ensure you’re ready for underwriter interviews and compliance reviews.

The result is practical, measurable security that reduces day-to-day risk and makes it easier to secure, keep, and use cyber insurance when it matters.