Cyber liability underwriting for Canadian small and mid-sized businesses has shifted materially in the last 24 months. Renewal requirements that were suggested three years ago are mandatory today. Coverage exclusions that were rare in 2023 are standard in 2026. Premium adjustments driven by specific external-facing configuration gaps are now common across the market.
This is a summary of what LeakTrace consistently observes when working alongside commercial insurance brokers whose SMB accounts are approaching cyber liability, errors-and-omissions, or business owner policy renewal. Written for commercial insurance brokers protecting their books and the SMB accounts trying to understand what is being asked of them.
What underwriters are now asking for
The renewal questionnaires arriving on SMB accounts in Canadian markets increasingly require documentation across a consistent set of controls. Brokers who see the pattern across multiple carriers report the following categories being scrutinized:
Email authentication posture
DMARC configuration on the insured's business domain is increasingly a hard requirement. Not merely present, but properly configured with a policy that provides actual protection. Underwriters have caught on to the pattern of insureds implementing DMARC with a permissive policy that provides no meaningful protection but satisfies a yes/no questionnaire response. Some carriers are now requiring evidence of the specific policy configuration.
Multi-factor authentication on privileged access
MFA on email, financial system access, and administrative accounts is table stakes. Absence of MFA is not merely a premium adjustment issue. It is increasingly an outright coverage exclusion for BEC-driven wire fraud losses.
Endpoint protection posture
Modern endpoint protection with active monitoring, not merely traditional antivirus, is increasingly required for accounts above certain revenue thresholds. Documentation of the specific product deployed, the coverage rate across the workforce, and the response protocol for detected threats is standard.
Backup posture and ransomware recovery capability
Documented backup rotation, offline or immutable backup storage, and tested recovery procedures are increasingly required. The "we run cloud backups" answer is no longer sufficient; underwriters want to see the specific configuration and the last recovery test date.
Third-party risk management
The insured's SaaS stack, vendor access controls, and shared-account elimination are appearing on questionnaires. The pattern is straightforward: attackers now compromise SMBs via the SaaS vendors those SMBs use, so underwriters price the vendor risk into the account.
Executive-personal exposure
Recently, some carriers have started asking about the exposure posture of the insured's executive leadership on data broker directories, because BEC attacks explicitly target the CEO or CFO's personal information to construct impersonation attempts. This is early-stage on questionnaires but appearing on larger accounts.
What routinely surfaces in pre-renewal scans of SMB accounts
The pattern across Canadian SMB accounts approaching cyber renewal is remarkably consistent:
- Missing or misconfigured DMARC on the insured's business domain
- Employee credentials from third-party breaches appearing in monitored databases
- Non-standard ports left open on public-facing infrastructure
- Aging content management systems and unpatched public services
- Absent or partial MFA rollout across critical access surfaces
- Backup configurations that would fail a modern ransomware recovery scenario
Each of these findings materially affects renewal underwriting outcomes. Some produce premium adjustments; some produce coverage exclusions; some produce outright non-renewal decisions from carriers with tight loss ratios in cyber lines.
What brokers can do about it
Pre-renewal exposure scan
Running a pre-renewal cyber posture scan on the insured 60 to 90 days before renewal surfaces the specific gaps that will affect the underwriter's decision. Brokers who deliver this to their SMB accounts, and offer a remediation path for the surfaced gaps, become materially more valuable to their clients than the carrier itself. The remediation window before renewal is where relationships and retention are made.
Documentation supporting the questionnaire response
The renewal questionnaire is a yes/no exercise; the underwriter's actual decision is driven by supporting documentation. A DMARC record printout, an MFA rollout certificate, a backup test log, and a recent external attack surface assessment together produce meaningfully better renewal outcomes than a bare questionnaire response.
Positioning the broker as the trusted advisor on cyber
The broker who understands what underwriters are asking for, who can translate the questionnaire into plain English for the insured, and who can offer a remediation path when gaps surface, becomes the client's cyber advisor by default. Retention improves. Cross-sell into cyber liability from existing E&O or BOP accounts becomes natural. Referral flow inside the broker's book of business compounds.
What this means for SMB accounts directly
The cyber posture requirements that carriers are now asking for are not going to relax. Loss ratios in cyber lines are pushing underwriting rigor upward across the entire Canadian market. SMB accounts that do not modernize their controls will face premium increases, coverage exclusions, or non-renewals over the next 24 to 36 months.
The controls themselves are not expensive relative to the insurance premium and the cost of a breach. The barrier is not budget; it is attention. Most SMB owners do not know what their carrier will ask for at the next renewal, and most brokers do not proactively surface the picture until the questionnaire arrives.
The path forward
Commercial insurance brokers with Canadian SMB books can materially improve retention, renewal outcomes, and client relationships by proactively running pre-renewal cyber posture assessments on their accounts. LeakTrace runs these as a courtesy for any Canadian commercial insurance broker with accounts approaching cyber, E&O, or BOP renewal in the next 90 days. Findings are delivered in a format that directly maps to what underwriters are asking for.