
How do you survive a 2026 cyber insurance renewal? The 90-day playbook

The 90-day cyber insurance renewal playbook for 50–200 person Canadian energy operators. What underwriters require in 2026, what the questionnaire actually asks, and the gap-closure sequence that gets you to bound coverage without panic. Built across eleven years of zero-breach client renewals.


For: Operators (60-150 people) + Operators (80-200)

Vencer Guide · August 2026

How do you survive a 2026 cyber insurance renewal?

A practical handbook for the 90 days before your next cyber insurance renewal. Designed for the 50-200 person Canadian energy operator and the CFO who has to answer the questionnaire.

Quick answer

A 2026 cyber insurance renewal for a 50–200 person Canadian energy operator runs on a 90-day clock: days 90–60 for inventory and gap analysis against twelve controls, days 60–30 for remediation, days 30 to renewal for documentation and the questionnaire. Vencer has run this sequence across eleven consecutive years with zero breaches and zero declined renewals in the client base. The guide below is the operating playbook.

~4,000 words · Approx. 15-min read · Companion to The Twelve Controls

1. Why does cyber insurance renewal matter more in 2026?

The Canadian cyber insurance market for oil and gas mid-market hardened materially through 2024-2026. Operators who renewed in 2022 at modest premium increases and basic attestation requirements are now facing a different market: named-product attestation, immutable backup verification, phishing-resistant MFA requirements, and increasingly documented evidence of operational practices rather than policy statements.

Three forces drove the shift:

  • Loss experience. Canadian oil and gas saw a 40% increase in ransomware attacks in early 2024, with $4.4M average ransom demand. Carriers priced the loss data.
  • Maturity of cyber tooling. Gartner Leader products (SentinelOne, Proofpoint, Veeam, Microsoft Defender) now have measurable detection and response advantages over white-label or mid-tier alternatives. Carriers have learned to discriminate.
  • Underwriter consolidation. Fewer carriers writing the segment means tighter underwriting discipline across what remains.

The operators who get cyber insurance renewals right in 2026-2027 share a common pattern: they treat the renewal as a 90-day project, not a one-week scramble. This guide is the 90-day project.

The honest framing

Cyber insurance is not security. It's the financial backstop for when security fails. But the underwriter's questionnaire functions as an external audit of your security posture - which means preparation for the renewal also produces measurable security improvement. The two reinforce each other when treated correctly.

2. What does the 90-day timeline look like?

The renewal preparation breaks into three distinct 30-day phases. Each phase has specific deliverables, specific owners, and specific decision points.

Days 90-60 - Inventory and Gap Analysis

Catalog current cyber posture against the 2026 carrier checklist. Identify gaps. Categorize by severity (high/medium/low). Build the remediation backlog. This is the diagnostic phase - no remediation yet, just honest assessment.

Days 60-30 - Remediation Execution

Execute on the top high-severity gaps. The work is bounded by the 30-day window - what you can remediate cleanly in 30 days versus what becomes part of a longer roadmap with disclosure to the broker.

Days 30 to Renewal - Documentation and Questionnaire

Compile evidence packages for each control. Complete the questionnaire with confidence. Engage the broker proactively. Submit clean documentation that supports favorable underwriting.

3. Days 90-60 - Inventory and gap analysis

The first 30 days are entirely diagnostic. The goal is honest cataloguing of where you actually stand. Operators who try to remediate before they've completed the diagnostic typically miss the highest-leverage gaps.

The structured inventory

Work through the twelve controls framework systematically. For each control, document four things:

  1. Named product or capability. What specifically is deployed? (Not "we have endpoint protection" - the actual product name.)
  2. Deployment coverage. What percentage of endpoints, accounts, or systems is covered?
  3. Documentation status. Is there evidence (architecture diagrams, configuration screenshots, deployment reports) you could produce in 24 hours?
  4. Testing evidence. When was this last tested, audited, or verified independently?

The deliverable from this 30-day phase is a one-page summary per control plus an aggregated composite cyber score (out of 60 - see The Twelve Controls Chapter 11).

Worksheet 1 - Twelve Controls Inventory

For each control, document:

Control                             | Named Product | Coverage % | Last Tested | Score (0-5)
1. Identity & Access                |               |            |             |
2. Multi-Factor Authentication      |               |            |             |
3. Endpoint Detection & Response    |               |            |             |
4. Email Security                   |               |            |             |
5. Backup & Recovery                |               |            |             |
6. Network Segmentation             |               |            |             |
7. Vulnerability Management         |               |            |             |
8. Logging & Monitoring             |               |            |             |
9. Incident Response (24/7 SOC)     |               |            |             |
10. Vendor Risk Management          |               |            |             |
11. Awareness Training              |               |            |             |
12. Governance                      |               |            |             |

Gap categorization

Once the inventory is complete, categorize gaps by remediation severity:

  • High severity (must fix before submitting questionnaire): Missing named-product attestation, no immutable backups, no MFA on privileged accounts, no 24/7 monitoring with evidence. These will trigger declination or material premium increase.
  • Medium severity (should fix, broker can negotiate): Partial deployment coverage, documentation gaps, testing more than 12 months old. Material to pricing but not necessarily disqualifying.
  • Low severity (acknowledge as roadmap): Mature controls with continuous improvement opportunities. Document the improvement plan; not necessary to fully remediate before renewal.
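The Worksheet 1 fields and the gap rules above, expressed as a small Python scorer. This is an added example, not part of the guide or Vencer's own tooling: the 0-5 scoring, the composite out of 60 and the 12-month testing age come from the page; the 95% coverage bar and the `critical_ok` flag (carrying the page's must-haves such as MFA on privileged accounts and immutable backups) are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# One Worksheet 1 row: named product, coverage, testing evidence, 0-5 score.
# `critical_ok` is an assumption added here: set it False when a control's
# must-have is absent (no MFA on privileged accounts, no immutable backups,
# no 24/7 monitoring with evidence).
@dataclass
class Control:
    name: str
    product: Optional[str]
    coverage_pct: float
    last_tested: Optional[date]
    score: int                  # 0-5, as in Worksheet 1
    critical_ok: bool = True

FULL_COVERAGE_PCT = 95     # assumption: the >95% bar the page sets for EDR coverage
TESTING_STALE_DAYS = 365   # page: testing more than 12 months old is a medium gap

def categorize(c: Control, as_of: date) -> str:
    """Apply the page's high/medium/low gap rules to one inventory row."""
    if c.product is None or not c.critical_ok:
        return "high"      # no named-product attestation, or a must-have missing
    stale = c.last_tested is None or (as_of - c.last_tested).days > TESTING_STALE_DAYS
    if c.coverage_pct < FULL_COVERAGE_PCT or stale:
        return "medium"    # partial coverage or testing evidence too old
    return "low"           # mature control; document the improvement plan

def composite_score(inventory: list) -> int:
    """Composite cyber score out of 60 (twelve controls x 0-5), clamped per row."""
    return sum(min(max(c.score, 0), 5) for c in inventory)

def gap_report(inventory: list, as_of: date) -> dict:
    """Group control names by gap severity for the one-page summary."""
    report = {"high": [], "medium": [], "low": []}
    for c in inventory:
        report[categorize(c, as_of)].append(c.name)
    return report

# Constructed sample rows for illustration, not a real operator's inventory.
SAMPLE = [
    Control("2. Multi-Factor Authentication", "Entra MFA", 100, date(2026, 3, 1), 3, critical_ok=False),
    Control("3. Endpoint Detection & Response", "SentinelOne Complete", 97, date(2026, 5, 10), 5),
    Control("5. Backup & Recovery", "Veeam", 100, date(2025, 4, 1), 3),
    Control("8. Logging & Monitoring", None, 0, None, 0),
]

if __name__ == "__main__":
    print(gap_report(SAMPLE, date(2026, 8, 1)))
    print("composite (4 of 12 rows):", composite_score(SAMPLE))
```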

4. Days 60-30 - Remediation execution

With the diagnostic complete, the middle 30 days focus on high-severity remediation. The constraint isn't the work itself - it's prioritization. Remediating ten things partially is worse than remediating three things completely.

The remediation prioritization matrix

For each high-severity gap, assess:

  • Renewal impact. How much does this specific gap affect the questionnaire and pricing?
  • Effort to remediate. Can this be fixed cleanly in 30 days, or does it require longer-term work?
  • Documentation requirements. What evidence does the carrier expect, and what does it take to produce?

Three patterns of high-severity remediation we see most often:

Pattern A - Named product migration (EDR or email security)

White-label EDR or "MSP-branded" email security gets called out by carriers. Migration to a Gartner Leader (SentinelOne, Proofpoint, Microsoft Defender) is 30-60 day work depending on environment size. Doable in the renewal window if started promptly.

Pattern B - Immutable backup deployment

If backups aren't immutable, deployment of Veeam Hardened Repository or equivalent (Rubrik, Cohesity immutable snapshots, S3 Object Lock) is 14-21 days of focused work, plus the test restore that produces the evidence the carrier wants.

Pattern C - Phishing-resistant MFA on privileged accounts

Order FIDO2 keys (YubiKey or similar) for the 5-10 privileged accounts. Enroll via Entra. Configure Conditional Access policies. Two weeks of work for a small operator. The cost is $50/key plus admin time - bounded and defensible.

If remediation can't complete in 30 days

Don't hide it. Disclose to the broker. Brokers can advocate for specific carriers willing to accept a documented remediation plan with a deadline. Carriers respond favorably to honest disclosure with a credible plan. They respond poorly to surprises at audit.

5. Days 30 to renewal - Documentation and questionnaire

The final 30 days are about compilation, not new work. The remediation is done (or honestly disclosed); now the goal is producing the cleanest possible package for the underwriter.

The evidence package per control

For each of the twelve controls, the questionnaire-supporting evidence package includes:

  • Architecture diagram or screenshot showing the deployed capability
  • Configuration documentation showing key settings (MFA enforcement, immutability retention period, monitoring coverage)
  • Coverage report showing deployment percentage
  • Recent testing or review evidence (tabletop summary, test restore log, audit finding)
  • Vendor SOC 2 or attestation for critical vendors providing the capability

The evidence doesn't go to the carrier proactively - it's held in the data room for response to specific carrier questions. The underwriter's confidence that you have the evidence matters as much as the evidence itself.

Broker engagement

Three points of engagement with your broker in this final window:

  1. Day 30: Walk through the questionnaire responses together. Identify any areas where you're uncertain about how to characterize current state.
  2. Day 20: Submit the completed questionnaire and supporting documentation. Brief the broker on any disclosures you've made.
  3. Day 10: Pre-meet on initial carrier feedback. Be available for any clarifying questions before the formal terms come back.

6. What does the underwriter questionnaire actually ask?

The 2026 cyber insurance questionnaire is more detailed than 2022-2023 versions. Specific sections require specific answers.

Section A - Organization profile

Standard. Revenue, headcount, industry classification, geographic scope. Match your accounting records.

Section B - Cyber controls

This is the substantive section. Twelve controls, typically with sub-questions per control. Answer with specifics:

  • Do not write: "We have endpoint protection."
  • Write: "SentinelOne Complete deployed across 97% of endpoints. Latest version. Centrally managed. Behavioral detection enabled. Telemetry feeds 24/7 SOC."

The specificity isn't legal exposure - it's the basis for favorable pricing. Vague answers get priced for risk that may not exist.

Section C - Incident history

Disclose accurately. Include incidents that were contained without material impact. The carrier values demonstrated incident response capability, not the absence of incidents (which is statistically unlikely and is read as either luck or non-detection).

Section D - Vendor and supply chain

New requirement in 2026. Document the tiered vendor program (Tier 1 with SOC 2, Tier 2 with light questionnaire, Tier 3 inventory only). Include the named tier-1 vendors and their attestation status.

7. Which controls actually pass - and which ones quietly fail?

Control-by-control reference for the 2026 underwriter expectations.

Control 1 - Identity & Access

Passes: Microsoft Entra or Okta or equivalent. SSO above 80%. Documented offboarding. Privileged account separation.

Doesn't pass: Per-application authentication. Local AD only with no cloud identity provider. Undocumented offboarding.

Control 2 - Multi-Factor Authentication

Passes: Phishing-resistant MFA (FIDO2) on privileged accounts. Number-matching authenticator on general workforce. SMS only as fallback.

Doesn't pass: SMS as primary MFA method. No MFA on privileged accounts. MFA optional rather than enforced.

Control 3 - Endpoint Detection & Response

Passes: Named Gartner Leader (SentinelOne, CrowdStrike Falcon, Microsoft Defender for Endpoint Plan 2). Deployment coverage above 95%. 24/7 monitoring with named SOC.

Doesn't pass: White-label or rebranded EDR. Traditional antivirus only. "We have endpoint protection" without product naming.

Control 4 - Email Security

Passes: Named Gartner Leader (Proofpoint, Mimecast, Abnormal, Microsoft Defender for Office 365 Plan 2). DMARC/DKIM/SPF configured. AI-augmented detection enabled.

Doesn't pass: "Built-in Microsoft 365 protection" alone (it's the floor, not the ceiling). White-labeled email security.

Control 5 - Backup & Recovery

Passes: Veeam, Rubrik, or Cohesity (Gartner Leaders). Immutability enabled with 14+ day retention. Test restore within last 90 days, documented, signed off.

Doesn't pass: NAS backups on the same network as production. No immutability. Test restore more than 12 months old.

Control 6 - Network Segmentation

Passes: IT/OT segmentation with documented architecture diagram. Controlled crossings via jump host. Independent OT monitoring (Claroty, Nozomi).

Doesn't pass: "Our networks are segmented" without architecture documentation. Corporate VPN routing into OT.

Control 7 - Vulnerability Management

Passes: Regular scanning (monthly minimum), prioritized remediation, evidence of cadence. Critical CVEs patched within defined SLA (typically 7-14 days).

Doesn't pass: No formal scanning. Patches deployed ad hoc. No documented remediation tracking.

Control 8 - Logging & Monitoring

Passes: Centralized logging. SIEM or equivalent. 24/7 analyst review. Recent detection evidence.

Doesn't pass: Logs sitting in tools nobody reviews. Alerts going to email with no SOC.

Control 9 - Incident Response

Passes: Documented IR plan. Tabletop within past 12 months with named participants and after-action. 24/7 SOC with named locations and response SLAs.

Doesn't pass: No documented IR plan. No tabletop in recent memory. "24/7 alerting to email" with no human monitoring.

Control 10 - Vendor Risk Management

Passes (new 2026 requirement): Tiered vendor program. SOC 2 collection for Tier 1. Vendor inventory documented. Annual review for critical vendors.

Doesn't pass: No vendor program. "We trust our vendors."

Control 11 - Awareness Training

Passes: Quarterly training. Phishing simulation with measurable results. Completion tracking.

Doesn't pass: Annual training only. No phishing simulation. No completion tracking.

Control 12 - Governance

Passes: Board cyber reporting at least annually. Named CISO function (internal or fractional). Documented improvement program.

Doesn't pass: No cyber discussion at board level. No named cyber owner.

8. What if you're declined? The 30-day recovery plan

If primary cyber insurance is declined despite preparation, three structured next steps:

Days 1-5 - Understand the specific declination reasons

The carrier should provide specific reasoning. Common patterns: cyber control X below threshold, claim history concerns, industry segment exposure. Document the specifics.

Days 6-15 - Engage alternative markets

Your broker should have access to specialty markets (Lloyd's syndicates, surplus lines, captive arrangements) for harder-to-place risks. The capacity exists, but typically at materially higher premium with additional exclusions.

Days 16-30 - Address declination reasons for next cycle

The decline is data. Use it. Remediate the specific gaps for next year's renewal. Operators declined in one cycle often renew successfully the following year after focused remediation.

Honest framing on decline

Decline is bad. It's not catastrophic. The operators who navigate it successfully treat it as information about gaps that need closing. The operators who panic about it often make worse decisions - accepting overly restrictive coverage from specialty markets, deferring remediation that should accelerate, or attempting to self-insure capability that's genuinely needed.

9. Worksheets and templates

The full set of worksheets used in this playbook:

  • Worksheet 1 - Twelve Controls Inventory (included above)
  • Worksheet 2 - Gap Categorization Matrix (high/medium/low by control)
  • Worksheet 3 - Remediation Plan Template (per high-severity gap)
  • Worksheet 4 - Evidence Package Checklist (per control)
  • Worksheet 5 - Questionnaire Response Drafting Guide
  • Worksheet 6 - Broker Engagement Log

The complete worksheet templates are available as a downloadable set in the IT-and-the-Cycle Assessment process. They're also referenced in detail in The Twelve Controls, Chapter 8.

Need help running this 90-day project?

The Cyber-and-the-Cycle Assessment is the structured way to execute this playbook with external support. Three to five days, written report, no obligation. Includes the inventory, gap analysis, prioritized remediation roadmap, and broker engagement guidance.

The footnote your lawyer would write

Operator-authored framework built from 30+ deals and 19 years - not a universal prescription. Every organization has different variables. This guide tells you what to look at; the Assessment tells you what it means for your situation.
