Family Day weekend is approaching. The ski hills are at their peak - Sunshine, Norquay, or Lake Louise depending on your tolerance for traffic - and the NHL trade deadline is taking shape. Also taking shape: the third consecutive year of mid-market cyber-insurance renewals that ask for evidence the carrier didn't ask for last year. The cyber underwriting profession has gotten patient and detailed, which is the polite way of saying it has gotten more expensive to be unprepared.
The patterns from carriers' 2027 mid-market questionnaires - and what they reveal about how cyber risk is being underwritten for the next deal you'd buy.
(Three Calgary operators I know have already been through 2027 renewals. The pattern is consistent enough that I am willing to bet on the answer to your renewal question before you ask it.)
The pattern is consistent across industries. Mid-market operators with documented controls and rehearsed response programs are getting renewals at flat or slightly down pricing. The ones without are seeing 30 to 80 percent increases, or non-renewal. The middle ground has narrowed.
What underwriters now look at
The control evidence, not the control claim. Saying "we have multi-factor authentication" is no longer accepted at face value. The 2027 questionnaires ask for evidence of MFA coverage across specific account categories - email, VPN, privileged access, third-party SaaS - with the percentage covered and the exception list. The exception list is what underwriters look at hardest. Operators who can show 100% coverage with documented exceptions for specific business reasons get one treatment. Operators with informal exceptions or unknown coverage get another.
Backup posture, with evidence of restoration testing. "We back up" is now insufficient. The questionnaire asks whether backups are immutable, how often restoration is tested end-to-end, and what the documented recovery time objective is by system tier. Operators who can produce restoration test reports from the last six months are in a different category than those who can't.
Vendor concentration and third-party access. This category is the one that's getting the biggest underwriting weight in 2027. Carriers want to know which vendors have privileged access into your environment, what their security posture is, and how you'd respond if one of them was compromised. Operators with informal answers here are being treated as higher risk regardless of their own posture.
The M&A diligence connection
The same questions show up in M&A diligence, asked by the buyer's insurance underwriters before they will bind a tail policy on the target. Several deals in 2026 either re-priced or didn't close because the target's cyber posture made the buyer's policy too expensive. This dynamic accelerated in early 2027.
For sellers, this means: if you are heading toward an exit, the work to clean up cyber posture should be done six to nine months ahead, not in the diligence window. The evidence has to exist and be testable, not assembled in response to questions. The first time an underwriter sees a control that was implemented last week, the assessment changes.
For buyers, this means: the cyber due diligence step that used to be a checklist is now an underwriting prerequisite. Worth getting your own insurer involved in evaluation early, so the deal economics reflect the actual cost of insuring the combined entity, not the cost of insuring the buyer alone.
The two-year horizon
The trajectory is clear. By 2028, cyber underwriting at the mid-market will look much closer to how property insurance is underwritten: specific controls, specific evidence, specific exclusions. The operators who built the documentation discipline early will benefit. The ones who keep treating this as an annual questionnaire exercise will find the cost continues to rise faster than the broader market.
This is becoming an operational discipline question, not a procurement question. Treat it accordingly.
This issue of the Operator's Brief is operator pattern recognition from Vencer Group's work with mid-market businesses across industries and geographies. Not industry-specific advice. Read accordingly.
Notes & Methodology
About these figures: Industry data on this page is either from named external sources cited inline with what each report measured, or from Vencer Group estimates derived from observations across recent client engagements - framed explicitly with "approximately" or "(Vencer Group estimate)" so the basis is visible. Vencer's own operating data (transaction count, breach record, tenure, transaction value) is drawn from Vencer's record.
Pattern recognition from 19 years of running operator IT - not prescription for your specific situation. Anyone offering prescription from a blog post is selling something. (Possibly to you.) The 30-min Strategy Review is where the pattern becomes specific to your operation. Free, no proposal, no slide deck.
→ Book the 30-min review