Cyber Insurance Support

Your broker just sent you a 200-question questionnaire. We help you answer — without lying, without overstating.

Underwriting, renewal, broker and insurer mediation — on the policyholder's side, never the insurer's.

Cyber insurance support is a structured engagement that prepares your organization to correctly answer the underwriting or renewal requirements of a cyber insurance policy. Factero reviews insurer questionnaires with you, identifies the gaps between your actual posture and what you're tempted to declare, recommends corrective actions before submission, and supports you through exchanges with your broker or insurer. We don't sell insurance. We earn no commission. Our only interest is that your policy actually protects you when you need it — and that it isn't voided for misrepresentation the morning of the incident.

Who is it for?

Quebec and Canadian SMEs taking out cyber insurance for the first time and discovering 80- to 200-question technical questionnaires no one in the organization can answer with certainty.

Organizations that saw their premium increase significantly at the last renewal, received a proposal with exclusions, or were denied coverage, and want to understand why before going back to the market.

Municipalities, MRCs, townships and public bodies justifying their cybersecurity posture to an insurer in the context of a bid or mandate. Factero Advisory Services is registered on the SEAO (Quebec) and the Ontario Tenders Portal (Ontario).

Growing companies whose current coverage isn't keeping pace with evolving exposure — new markets, new data types, new critical vendors.

Organizations that recently experienced an incident and need to renew coverage after a claim — often a real technical and commercial challenge.

Leadership and boards wanting an objective reading of the current policy: what's covered, what isn't, where the blind spots are.

Companies negotiating a contract with a major client requiring specific coverage levels (often $5M to $25M) and wanting to validate their current policy's adequacy.

When does it help?

If you recognize yourself in any of these situations, this service is designed for you.
  • Your broker sent you a cyber insurance questionnaire and no one in your organization can answer 60% of the questions with certainty.
  • You're tempted to check "yes" on technical questions (MFA everywhere, tested offline backups, EDR on all endpoints, formal privilege management) because that's what's expected — but you know it's not quite true.
  • Your premium increased 30% to 200% at the last renewal and you want to know whether the market hardened or your risk profile deteriorated.
  • You received a proposal with explicit exclusions (ransomware, social engineering, funds transfer fraud) and want to understand how to regain full coverage.
  • A corporate client or bid requires an insurance certificate at a level your current policy doesn't reach.
  • You experienced an incident, your insurer paid — and renewal is suddenly complicated.
  • You want to know whether an unintentional misrepresentation in your questionnaire could be used by the insurer to deny a future claim.
  • Your leadership wants a plain-language reading of the current policy — limits, sub-limits, exclusions, conditions of application — without having to re-read 60 pages of insurance text.

What will you receive?

A critical review of underwriting or renewal questionnaires, with line-by-line identification of questions where your declaration could be challenged in a claim.

A prioritized remediation plan: what to implement (MFA on critical accounts, tested offline backups, anti-phishing training, privilege management) before submission, to honestly answer yes.

A gap analysis between your real exposure and current coverage — by scenario type (ransomware, social engineering fraud, data breach, business interruption, Law 25 privacy breach).

A management-language reading of your current policy: main limits, sub-limits per coverage, exclusions, preconditions, deductibles — translated into your operational reality.

A structured submission file: technical evidence, internal attestations, recent audit reports, backup tests, documented training — exactly what the insurer wants to see, in the format they expect.

Technical mediation with your broker or insurer during underwriting exchanges: we translate insurer requirements into concrete actions for your IT team, and we translate your operational realities into language the insurer will accept.

A comparative analysis if you receive multiple policy proposals — to distinguish what looks like a better commercial offer from genuinely better coverage.

A note for the board or leadership explaining the risk profile, the coverage obtained, residual blind spots, and strategic decisions to make.

Not a good fit?

  • Cyber insurance support works when the organization is willing to improve its posture if needed to honestly answer questionnaires. If the goal is to check "yes" everywhere without actually implementing the controls, we're not the right address — a misrepresentation can void your coverage the day you actually need it.
  • We're not an insurance broker and we don't sell policies. If you need someone to place you with an insurance market, your broker is the right person — and we can work with them (often the broker calls us, because they need a solid technical file for their negotiations).
  • We're not an insurance lawyer either. To interpret an ambiguous policy exclusion, negotiate contractual terms, or manage a disputed claim, your broker and legal counsel remain the references. Our role focuses on the cyber technical side: what the insurer wants to know, how to demonstrate it, how not to trap yourself.
  • If you already have a recent policy, well-suited to your profile, with no surprises at the last renewal, and your internal team already handles the required cybersecurity — you likely already have what you need. We'll discuss this openly at the discovery call.

How does the process work?

A rigorous and transparent approach, step by step.
Reading the current situation
We start by looking at where you stand: current policy (if any), claims history, most recent questionnaire, renewal deadline, contractual requirements from clients. We identify what's driving the engagement — first-time underwriting, difficult renewal, client requirement, post-incident — to scope precisely.
Critical reading of the questionnaire
We go through the underwriting questionnaire with you, question by question. For each: what you actually have in place, what can be documented as-is, what needs a quick fix before submission, and what must be declared as it is (sometimes the right answer is no — a well-explained no beats a contestable yes). The NIST-CSF framework structures this review by function (Identify, Protect, Detect, Respond, Recover) — also the language insurers understand.
Prioritized remediation plan
Where gaps exist between your current practices and insurer expectations, we build a plan prioritized by coverage impact: what changes the premium, what unlocks an exclusion, what raises the achievable limit. Some fixes are quick (activate MFA on admin accounts, verify backups are offline) — others need more structure (recurring anti-phishing training, documented recovery plan, independent audit). We implement with your IT team or in coordination with your MSP.
Building the submission file
We assemble the file the insurer (or broker) expects: independent audit report if relevant, documented backup test, incident response plan, attested training, certifications (Law 25, ISO 27001, CAN/DGSI 104, TGV, SOC 2 — as applicable). The idea: your broker has a complete, credible file when soliciting the market. A good file opens doors that bare questionnaires close.
Broker and insurer mediation
During underwriting exchanges, we translate. The insurer asks a precise technical question — we answer with evidence, in their language. You have a particular operational reality (legacy system, single supplier, sector constraints) — we explain it in a technical note that anticipates questions rather than waiting for them. Our role is strictly on the policyholder side: we never represent the insurer, earn no commission, have no arrangement with any insurance market. Our Charter of Independence requires this.
Final policy review and leadership note
Once the policy is issued, we read it for you. We provide a management-language note: what's covered, key sub-limits (often technical exclusions hide in sub-limits), preconditions for coverage to apply (notification within X hours, use of pre-approved DFIR providers, etc.), and residual blind spots leadership must consciously accept.

Frequently Asked Questions

Answers to the questions our clients ask before reaching out.
Why did our premium go up so much?
Three factors usually play together. First, the cyber insurance market has hardened overall since 2020-2022 under the impact of ransomware — all premiums rose regardless of profile. Second, insurers tightened technical requirements: what was acceptable three years ago (partial MFA, untested backups, missing EDR) now triggers surcharges or refusals. Third, your risk profile may have evolved: growth, new suppliers, new data types, more exposed sectors. Factero identifies which factor dominates in your case — because the strategic response differs. For a hardening market, we optimize presentation. For tightened technical requirements, we close gaps. For a changing profile, we revisit coverage adequacy.
If we check "yes" on the questionnaire when we don't really do that, is it serious?
Yes, and it's the most dangerous blind spot in cyber insurance. A misrepresentation, even unintentional, can be used by the insurer to deny or reduce a claim when you need it most. Checking "MFA on all admin accounts" when two legacy accounts don't have it is a fact the forensic expert will find. Checking "backups tested quarterly" when no one has done a real restore in 18 months is documented by the absence of a test report. Factero helps you answer honestly and with evidence: either we document what exists, or we fix it before submission, or we declare the gap alongside an action plan — often more accepted by the insurer than expected.
How long before renewal should we engage?
Ideally 3 to 4 months before the deadline. That allows the gap analysis, implementation of fixes that change the premium or unlock coverages (4 to 8 weeks), building the complete file, and giving the broker time to approach the market. Renewals negotiated 2 weeks before deadline happen under pressure — and pressure always favors the insurer, never the policyholder. For first-time underwriting, we can be faster (6 to 8 weeks) if your posture is already mature and the engagement is limited to structuring the submission file.
Will our broker be OK with Factero in the file?
In most cases, yes — and often the broker calls us first. A good broker wants a solid technical file to negotiate with markets. When the policyholder can't answer the questionnaires, the broker is in a tough spot: either help fill it in (and take on liability), or submit an incomplete file (and get a poor outcome). Factero brings the independent technical layer that's missing, without encroaching on the broker's role — they remain your representative to the insurance market. We regularly work with major brokers active in Quebec and Ontario, with no commercial arrangement with any of them. If your broker is reluctant about our presence, that's a signal worth discussing — a broker who doesn't want external technical expertise in the file isn't necessarily acting in your interest.
Are you an insurance broker?
No, and that's essential for our independence. Factero is not licensed as an insurance broker and sells no policies. We earn no commission, no rebate, no bonus from any insurance market, broker, or reinsurer. Our role is strictly on the policyholder side: preparing you technically, translating requirements, mediating technical exchanges. The broker remains your commercial representative to the market. Our Charter of Independence explicitly excludes any commercial arrangement with insurance market participants — this protects the value of our advice.
What types of incidents does cyber insurance typically cover?
Canadian policies generally cover four main families: (1) incident response costs — DFIR, legal fees, regulatory notifications, credit monitoring; (2) business interruption — revenue loss during the incident; (3) ransom and restoration — ransom payment (under strict conditions), system rebuild, data recovery; (4) civil liability — third-party claims (clients, employees) following a data breach. Common exclusions: acts of war (watch for the broad definition some insurers use), infrastructure in sanctioned countries, long-known unpatched vulnerabilities, insider fraud (sometimes excluded, sometimes covered under a separate coverage). Every policy is different — the critical reading of your contract is exactly what we do with you.
We had an incident last year. Will our insurer drop us?
Not necessarily, but renewal will be more demanding. An insurer that paid for you will want to see precisely what you've changed since — not a promise, evidence: new technical posture, reinforced training, independent audit, revised response plan, documented tests. Some markets may withdraw; others may stay with higher premium and conditions. Factero has experience with post-incident renewals: we precisely document the delta between your posture at the incident and your posture today, and prepare the file demonstrating maturation. Often, a well-prepared post-incident renewal leads to better coverage than before — because the incident forced real modernization.
What standards do you use to assess our cyber posture?
Factero uses the NIST Cybersecurity Framework (NIST-CSF) as the primary framework — also the language most insurers understand. Technical controls are evaluated against market-expected practices (MFA, privilege management, EDR, tested offline backups, response plan, training, vendor management). As needed, we also draw on ISO 27002, the Trust Services Criteria (for clients with or targeting SOC 2), or CAN/DGSI 104 (for SMEs targeting CyberSecure Canada in parallel). The principal associate holds the CISA certification — the international reference in information systems auditing. What matters in the cyber insurance context is translating your posture into language the insurer recognizes as credible — not imposing an esoteric framework.
Is it confidential?
Yes, every support engagement conducted by Factero is governed by a formal confidentiality agreement in favor of the client, signed before any work begins. Information exchanged — insurer questionnaires, gap analyses, audit reports, broker exchanges — remains strictly within our engagement, in accordance with our privacy protection policy and Law 25 requirements. Materials transmitted to your broker or insurer are shared under your control and with your explicit approval.
Does this commit us to ongoing work?
No. The engagement ends with the issued policy (or the decision not to take it, which sometimes happens). For annual renewals, some organizations prefer to keep us on a light cadence — a few hours before each deadline to adjust the file. Others internalize after the first cycle, often when a compliance lead or vCIO is in place. Our Charter of Independence prohibits creating artificial dependency. If your team can take over, that's a good outcome.
Why Factero for this engagement — what sets you apart?
Before signing with a firm on this type of engagement, verify a few fundamental elements. A serious firm demonstrates them without hesitation and in writing.
The firm itself is certified
Factero holds the CyberSecure Canada (CAN/DGSI 104:2021 / Rev 1:2024) certification, publicly verifiable through the IAF CertSearch registry and through our Trust Center. We apply to our own organization the same standards we support for our clients. A firm guiding you in cybersecurity should, by consistency, hold one itself.
Incorporated and established since 2022
Factero Service Conseil is duly incorporated with the Quebec Enterprise Registrar (REQ) since 2022, with no insolvency or bankruptcy proceedings on record. The legal status of any candidate firm can be verified free of charge through the REQ; insolvency and bankruptcy proceedings appear in the registry of the Office of the Superintendent of Bankruptcy Canada (osb-bsf.ic.gc.ca).
Complete team and operational continuity
Factero relies on an interdisciplinary team covering information technology, human resources, and accounting — the three dimensions that intersect in most governance engagements. A structuring engagement extends over several months; the firm supporting you must have the team depth to go the distance, not just the availability of a single person.
Professional liability and cyber insurance
Factero maintains active professional liability (E&O) and cyber insurance coverage, adapted to its IT governance and cybersecurity consulting activities. A firm that recommends cyber insurance to you should, by consistency, hold one itself. Ask for the certificate before signing.
Written and public independence
Our engagements are governed by a public Charter of Independence that prohibits commissions, rebates, and commercial arrangements with vendors, brokers, or markets.
Public procurement registration
Factero is registered with the SEAO (Quebec) and the Ontario Tenders Portal — a process that involves regulatory verifications and up-to-date tax attestations.
These criteria are not commercial arguments. They are the minimum conditions to require of any candidate firm. The absence of a clear answer to any of these questions is, in itself, an answer.
Our advice remains independent. See our Charter of Independence.

Need to move forward on this?

Let's discuss your specific situation. No commitment, just expert advice.