
What do 2026 cyber insurance underwriters actually require from Canadian operators?

A clear breakdown of what Canadian cyber insurance underwriters require for 2026 renewals: the twelve controls, the questionnaire patterns, and what separates a clean re-up from a declined or surcharged renewal. For Canadian oil and gas mid-market operators.

For: All operators · 10–300 people · 2026 cyber renewal

Cyber July 15, 2026 ~6 min read


The Halliburton incident changed the underwriting landscape in 18 months. Most mid-market Canadian energy operators discovered the change at renewal, sometimes catastrophically.


By James D. Boyd · Global CIO Advisor · Vencer Group

Quick answer

For 2026 Canadian cyber insurance renewals, underwriters now require evidence across twelve specific control families - MFA on all admin access, EDR with documented coverage, immutable backups with test-restore evidence, identity hygiene with periodic access reviews, network segmentation for any OT exposure, vendor risk attestations, an incident response runbook with a tabletop log, and five more. The questionnaire format varies by carrier; the underlying requirements have largely converged.

Within three months of Halliburton's August 2024 ransomware disclosure, the cyber insurance underwriters serving the Canadian energy market quietly tightened their renewal requirements. Most mid-market operators only noticed in March 2026, when their renewal quotes came back roughly 30% higher, with new exclusions for incidents involving SMS-based MFA, white-labeled EDR, or backup configurations the carrier couldn't independently verify.

What changed between 2022 and 2026

The 2022 cyber insurance market was a hard market. Premiums spiked. Capacity contracted. Exclusions multiplied. By 2024 it had stabilized - premiums normalized, capacity returned, but with new minimum control requirements that became table stakes for any meaningful coverage.

2025-26 added another layer of tightening, driven specifically by the energy sector ransomware surge and the post-Halliburton environment. Zscaler reported a 935% year-over-year increase in oil and gas ransomware attacks in their July 2025 ThreatLabz report. Canada's overall ransomware count increased 194.5%. The carriers responded.

The current minimum requirements

What carriers serving Canadian energy mid-market are looking for in 2026:

  • Phishing-resistant MFA on privileged, executive, and remote-access accounts. Strictly, only FIDO2/WebAuthn security keys and passkeys (or certificate-based authentication) are phishing-resistant: they bind the credential to the site, so a relayed login through an adversary-in-the-middle page fails. Number-matching authenticator apps stop push-fatigue attacks but not that relay, which is why carriers accept them for the general workforce rather than for privileged access. SMS-based MFA is no longer accepted by major carriers.
  • EDR (Endpoint Detection & Response) deployed across all endpoints, and carriers specifically want the actual product name. Gartner Magic Quadrant Leaders pass. White-label antivirus increasingly does not. Deployment alone is not enough either: exclusions for unmonitored EDR mean someone has to be watching the console and acting on alerts, and you need to be able to show who.
  • Immutable (or offline, air-gapped) backups with a documented test restore within the previous 90 days. These are two different controls: immutability stops a stolen admin credential from deleting or encrypting the backup copy; an offline copy stops it from being reached at all. Either way, the carrier wants evidence it can verify, not the MSP's assurance.
  • Network segmentation between IT and OT with documented architecture diagrams.
  • Tested incident response plan - with evidence of a tabletop exercise within the past 12 months.

What this costs the unprepared operator

Three categories, in increasing order of materiality:

Premium increases. Operators who can't answer the questionnaire affirmatively are paying 20-40% more in 2026 than they paid in 2024 for equivalent coverage. Sometimes more.

Coverage narrowing. New exclusions are appearing for incidents involving SMS-based MFA, unmonitored EDR, or backup configurations the carrier can't independently verify. The exclusion language matters far more than the premium increase. A 20% premium increase on a policy that won't pay out is worse than a 40% increase on coverage that will.

Declination. Operators whose controls fall materially short of the underwriter checklist are increasingly declined for serious coverage entirely. They end up with placeholder coverage from non-A-rated carriers, often with limits too low to matter in a real incident.

The honest take

Cyber insurance in 2026 is genuinely valuable - but only if you can pass underwriting and only if you read the policy carefully. The right framing is that cyber insurance is the financial backstop on top of operational controls, not a substitute for them. Operators who deploy the twelve controls properly are also the operators who get the best coverage at the best rates. Operators who try to use insurance as a substitute for controls discover that the policy either won't bind, won't pay, or won't pay enough to matter.

The six diagnostic questions you can ask your MSP today

If you're heading into a renewal and your MSP says you're covered, the verification questions are:

  1. What is the actual product name of our EDR? Is it on the 2025 Gartner Magic Quadrant for Endpoint Protection Platforms?
  2. What is the actual product name of our email security? Same Gartner question.
  3. What is the actual product name of our backup software? Veeam, Rubrik, Cohesity, or another Gartner Leader?
  4. Is our backup configured with immutability enabled - verifiably, with documented test restore evidence within the last 90 days?
  5. Is our MFA phishing-resistant where it matters - FIDO2 keys or passkeys for privileged, executive, and remote-access accounts, and at minimum number-matching authenticators (never SMS) for the general workforce?
  6. When was our last incident response tabletop exercise, and is the after-action documented?

If the answers come back as "[MSP brand] EDR" or "we have backup" without specifics, you have a problem - and probably a renewal coming up.
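As an added, illustrative example (not from the original post, and not any carrier's or MSP's tool), here is a small Python readiness check that applies the thresholds above to an inventory before the questionnaire lands. The account names, backup job names, dates and MFA method labels are constructed assumptions. What it encodes is the classification logic a practitioner actually needs: SMS, voice and simple push fail outright; TOTP and number-matching pass only for non-privileged accounts; only FIDO2/WebAuthn, passkeys or certificate-based methods count as phishing-resistant for privileged access; backup evidence is checked for both immutability and a test restore inside the 90-day window; and the tabletop is checked against the 12-month window and for a documented after-action report.

```python
"""Pre-renewal control readiness check.

Added example, not part of the original post. All inventory data below is
constructed; names, dates and method labels are assumptions, and the
thresholds (90-day restore window, 12-month tabletop window) follow the post.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Only credential-bound methods survive an adversary-in-the-middle relay.
# Number matching defeats push fatigue, not a relayed login, so it is
# accepted for general workforce accounts but not for privileged ones.
PHISHING_RESISTANT = {"fido2", "webauthn", "passkey", "smartcard"}
ACCEPTED_GENERAL = PHISHING_RESISTANT | {"totp", "push_number_matching"}
REJECTED = {"sms", "voice", "email_otp", "push_simple", "none"}

RESTORE_WINDOW = timedelta(days=90)
TABLETOP_WINDOW = timedelta(days=365)


@dataclass
class Account:
    name: str
    mfa: str          # lower-case method label (assumed vocabulary above)
    privileged: bool  # admin, executive or remote-access account


@dataclass
class BackupJob:
    name: str
    immutable: bool
    last_test_restore: Optional[date]


def mfa_findings(accounts):
    out = []
    for a in accounts:
        if a.mfa in REJECTED:
            out.append(f"{a.name}: {a.mfa} MFA is not accepted for any account")
        elif a.privileged and a.mfa not in PHISHING_RESISTANT:
            out.append(f"{a.name}: privileged account relies on {a.mfa}, "
                       "which is not phishing-resistant")
        elif a.mfa not in ACCEPTED_GENERAL:
            out.append(f"{a.name}: unrecognised MFA method {a.mfa!r}, cannot attest")
    return out


def backup_findings(jobs, today):
    out = []
    for j in jobs:
        if not j.immutable:
            out.append(f"{j.name}: immutability not enabled")
        if j.last_test_restore is None:
            out.append(f"{j.name}: no test-restore evidence")
        elif today - j.last_test_restore > RESTORE_WINDOW:
            age = (today - j.last_test_restore).days
            out.append(f"{j.name}: last test restore {age} days ago, "
                       "outside the 90-day window")
    return out


def tabletop_findings(last_tabletop, after_action_documented, today):
    if last_tabletop is None or today - last_tabletop > TABLETOP_WINDOW:
        return ["no incident response tabletop within the past 12 months"]
    if not after_action_documented:
        return ["tabletop held but after-action report not documented"]
    return []


def readiness(accounts, jobs, last_tabletop, after_action_documented, today):
    """Return the combined finding list; 'ready' means nothing to remediate."""
    findings = (mfa_findings(accounts)
                + backup_findings(jobs, today)
                + tabletop_findings(last_tabletop, after_action_documented, today))
    return {"ready": not findings, "findings": findings}


# Constructed sample inventory (assumed names and dates, not real data).
TODAY = date(2026, 7, 15)
ACCOUNTS = [
    Account("da-admin01", "fido2", privileged=True),
    Account("ceo", "push_number_matching", privileged=True),
    Account("vpn-contractor", "sms", privileged=True),
    Account("field-tech-07", "totp", privileged=False),
]
JOBS = [
    BackupJob("file-servers", immutable=True, last_test_restore=date(2026, 6, 1)),
    BackupJob("scada-historian", immutable=False, last_test_restore=date(2026, 2, 20)),
]
LAST_TABLETOP = date(2025, 11, 3)

if __name__ == "__main__":
    report = readiness(ACCOUNTS, JOBS, LAST_TABLETOP, True, TODAY)
    print("READY" if report["ready"] else "NOT READY")
    for f in report["findings"]:
        print(" -", f)
```

Run against the constructed inventory it reports NOT READY with four findings: the executive account on number matching, the contractor VPN account on SMS, and the historian backup job failing on both immutability and a 145-day-old restore test. Replace the sample lists with an export from your identity provider and backup console and the same logic gives you the evidence trail the questionnaire asks for, dated.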

If you have a renewal coming up in the next 90 days, the six diagnostic questions above are the right place to start. The full framework - what passes, what doesn't, what to deploy in what order - is in The Twelve Controls. Chapter 8 specifically covers cyber insurance in detail.

If you'd rather have someone run the diagnostic for you, the Cyber-and-the-Cycle Assessment is the structured way to do it - three to five days, written report, no obligation.

The part where our lawyers smile

Pattern recognition from 19 years of running operator IT - not prescription for your specific situation. Anyone offering prescription from a blog post is selling something. (Possibly to you.) The 30-min CIO review is where the pattern becomes specific to your operation. Free, no proposal, no slide deck.

→ Book the 30-min review