Who is responsible for protecting your data in Microsoft 365?
A common assumption is that Microsoft protects your M365 data. The model below shows the actual division of responsibility — your organization always owns the data layer, regardless of which cloud model you use.
What this means for your organization: Microsoft's native retention window for M365 data is 30–93 days. After that window, deleted or ransomware-encrypted data is permanently unrecoverable. A third-party backup is the only way to ensure full protection with point-in-time recovery — exactly what Sunco provides.
IT Support & Cyber Insurance Readiness Audit
Is your IT support actually adequate — and is your cyber coverage at risk because of it?
A complete IT support gap assessment, scored against insurer and industry standards
This audit does two things at once. It evaluates your IT support model — whether internal IT, an MSP, or a combination — against the 6 domains where under-resourced teams are most exposed. And it scores that same posture against the CIS Controls framework that cyber insurers use to set premiums, approve coverage, and decide what gets excluded. Your IT gaps and your insurance exposure turn out to be the same gaps. Every dimension gets a letter grade.
Every gap tells you two things: what it costs, and who should own closing it
Each finding is backed by independent research and shows you the real dollar cost of the gap. You also see whether the gap indicates your current IT support model — internal team, MSP, or MSSP — has the right coverage in place, and which gaps carry the most weight with insurers at renewal or application time.
A complete readiness report delivered to your inbox
When you complete the audit, your full results are emailed as a formatted readiness report. It covers your scored security rating, your annualized financial risk model, your IT investment benchmark comparison, and a support coverage recommendation — showing whether your current IT model has the gaps covered or whether a different structure would better protect the business. Aligned to CFC underwriting criteria throughout.
Your Information
Please complete all fields before submitting. This information will appear on your results email and helps Sunco prepare a tailored follow-up.
Cyber Insurance Readiness Summary
Your security posture scored against the same criteria cyber insurers use to approve, price, and exclude coverage
CYBER INSURANCE READINESS · GAP SCORE ACROSS 6 SECURITY DOMAINS
Gap score out of 84 across 6 security domains. Lower scores mean fewer gaps. Scored against insurer risk criteria.
Why this assessment matters
Cyber insurers are tightening requirements across Canada — businesses that cannot document basic security controls face higher premiums, stricter exclusions, and increasing risk of coverage denial at renewal. Coalition’s 2025 Cyber Claims Report found that organizations with active security monitoring experience 73% fewer claims than the industry average, with the average cyber incident costing $115,000 CAD. In 2025, initial ransom demands surged another 47% (Coalition 2026 Cyber Claims Report). This assessment scores your IT posture against the same 6 security domains insurers use to approve coverage, set your premium, and decide what gets excluded.
⚡ Your Quick Wins — Start Here
These are the 2–3 changes with the highest impact-to-effort ratio based on your answers. Sunco can address all of them — most within a single engagement session.
Ready to see your readiness score?
Answer all 28 questions then click Submit. Security gap ratings and your Cyber Insurance Readiness Score are revealed only after you complete all sections — you cannot predict the outcome in advance. Results and a full summary will be emailed to you and Sunco automatically.
Cyber Insurance Score
How your security controls align with insurer requirements
CIS CONTROLS IG1 (Implementation Group 1) · CFC UNDERWRITING ALIGNMENT
Aligned to CIS Controls IG1 & CFC Underwriting Cyber Private Enterprise Application Form CA — the primary frameworks used by Canadian cyber insurers. Organizations seeking NIST CSF or ISO 27001 alignment, contact Sunco.
SMB Average: 52/110
MSP+MSSP Target: 95/110
✓ Cyber Insurance Readiness Score is automatically included in your emailed results.
Why your CIS score matters to your insurer
CIS Controls IG1 are the 11 foundational security practices every cyber insurer checks before approving a policy. A score below 52/110 — the SMB average — typically means higher premiums, ransomware sub-limits, and social engineering exclusions. A score above 88/110 qualifies for preferred rates and broader coverage. Each control section below shows exactly how your current setup maps to what underwriters require, and the specific questions you will face on your CFC insurance application. Controls mapped to CIS Controls v8 IG1 and the CCCS Baseline SMO framework. Organizations seeking NIST CSF or ISO 27001 alignment — contact Sunco.
0–32 (0–39%) — Coverage restricted or denied
33–49 (40–59%) — SMB average — higher premiums & exclusions
50–66 (60–79%) — Insurable — standard rates
67–84 (80–100%) — Preferred — lowest premiums
Scoring Methodology & Sources
CIS Critical Security Controls v8 — IG1
Implementation Group 1 defines the 11 essential controls every SMB must have. Each control in this score is weighted by its insurer impact and breach cost reduction. The globally accepted baseline for cyber hygiene.
Canadian Centre for Cyber Security (CCCS) — Baseline Cyber Security Controls for Small and Medium Organizations
The Canadian government's SMB security framework, directly analogous to CIS IG1 and tailored to the Canadian threat landscape. Used as Canadian context for RDP/remote access, network segmentation, and privacy compliance controls in this assessment. The CCCS 2023–2024 National Cyber Threat Assessment identifies ransomware and internet-exposed remote access as the leading threats to Canadian SMBs.
CFC Underwriting — Cyber Private Enterprise Application Form CA
The actual insurance application form used by CFC Underwriting for Canadian cyber insurance policies. Each CIS control in this score maps directly to a question on this form.
CIS / CyberAcuView — Control Assist Framework 2025
A joint initiative aligning CIS Controls IG1 with cyber insurance underwriting questions. Developed with AWS, CrowdStrike, SentinelOne, and Palo Alto Networks. Used to validate the control-to-insurer-question mapping in this score.
Munich Re — Cyber Risk & Insurance Survey 2024
Global survey of decision makers. Found 87% of SMBs are not adequately protected against cyber attacks. Source for the "SMB average" benchmark and sector risk multipliers used in this model.
Hiscox — Cyber Readiness Report 2024
Annual benchmark study across 8 countries and multiple industry sectors. Used to establish the SMB average readiness score of 52/110 and the four readiness tier thresholds applied in this model.
Coalition — 2025 Cyber Claims Report
Published May 2025, covering Canada, US, UK, and Australia. Key findings: organizations with active security monitoring experience 73% fewer claims than the industry average; the average cyber claim across all types costs $115,000 CAD; the average ransomware claim specifically costs $292,000. Used for SOC control value, IRP weighting, and SMB breach cost benchmarks in this model.
Gap score out of 84 across 28 assessment questions. Tier thresholds are calibrated to Hiscox / Munich Re SMB benchmarks: the industry average corresponds to approximately 40–59% gap coverage (33–49 points on this scale); the preferred-rate tier reflects 80%+ controls in place (67+ points). Scores are indicative only and do not constitute a formal insurance assessment or guarantee of coverage.
See Sunco's Recommendations for Your Organization
Based on your assessment results, we've prepared a tailored package recommendation that aligns Sunco's service tiers to your identified gaps.
Sunco Cybersecurity Packages
Standalone security tools & licences — works alongside your existing IT team or MSP
Based on Your Assessment
Your assessment shows your IT support model has reasonable coverage in place. The gaps driving your insurance exposure are in cybersecurity controls — not IT operations. These standalone packages close those gaps and work directly alongside your current team without replacing anything.
These packages provide security tools and licences only — your existing IT team or MSP manages deployment and operations. Add full managed IT services on top of any package — 24/7 monitoring, patch management, help desk, and incident response. Book a conversation →
Sunco Package Recommendation
Based on Your Assessment
Based on your responses across all 6 assessment areas, here is how Sunco's service tiers align to your identified gaps — and the package we recommend as the right starting point for your organization.
Financial Risk
What unmanaged IT exposure costs your business annually
UNMANAGED IT RISK MODEL · BREACH & PRODUCTIVITY COST ESTIMATES
Why this model matters
Most SMBs underestimate IT risk because they only see the cost of managing IT — not the cost of not managing it well. VikingCloud’s 2025 SMB Threat Landscape Report found that 1 in 5 small businesses could not survive a breach costing as little as $10,000. The median ransomware payment alone hit US$115,000 in 2024 — and that figure doesn’t include downtime, staff lost hours, client notification, or reputational fallout (Verizon DBIR, 2025). This model estimates what your business is currently exposed to annually across three areas: the probability and cost of a cyber breach at your revenue level, the productivity cost of slow or unresolved IT issues across your workforce, and the reputational risk that follows a significant incident. The model compares your exposure against the benchmark cost of a managed IT partnership — so you can see the gap in concrete dollar terms.
✓ Financial Risk Model is automatically included in your emailed results.
How to use this model
Select the option in each dropdown that best fits your organization. Use estimates if you don't have exact figures — the model is designed to give directional accuracy, not accounting precision. Five inputs drive the calculation: your employee count, annual revenue, average hourly wage, internal IT staffing, and how you currently manage IT security. Once all inputs are set, your annualized risk estimate and MSP spend comparison will calculate automatically below.
Adjust the inputs below to reflect your organization's profile. The model estimates the annualized financial exposure of operating without a managed IT partner — across cyber risk, lost productivity, and reputational cost — and compares it against industry benchmark MSP spend.
Organization profile
Used to estimate productivity loss from slower issue resolution
Drives IT budget benchmarks and reputational risk estimate
Used to calculate staff downtime cost during a cyber incident
IT team members (full-time equivalent) including shared resources
Include salary, benefits, training, tools & certifications
Number of seats covered by your current managed IT provider
Typical Canadian SMB MSP rates: $100–$175/user/month for full-stack managed services
70%
Industry avg: 60–70% reactive for in-house teams without MSP. Time not spent on strategic projects.
Adjusts breach probability and IT spend benchmarks to your sector
Where You Stand vs. Industry — IT Spending
Based on your revenue and sector, the benchmarks below show what well-protected organizations at your size typically spend. Enter your actual IT budget to see exactly where you stand.
📊 Industry benchmark, Total IT Spend (everything: staff + tools + MSP + MSSP): 4–5% of revenue (Gartner 2025)
🛡️ MSP services, Managed IT Services (24/7 monitoring, helpdesk, patching): 1.5% of revenue (CompTIA 2024)
🔒 MSSP security, Managed Security (SOC, EDR, dark web, incident response): 0.8% of revenue (Gartner 2025)
Internal IT Staff — Fully-Loaded Cost
Salary, benefits, training, certifications, tools · $90–130K/yr/person in Canada
Current MSP — Annual Cost
Based on your monthly MSP fee × 12
Total IT Delivery Cost (staff + MSP)
What you currently spend to maintain IT operations
Your Spending Position vs. Sector Benchmark: a scale running from 0% through the benchmark to 2× benchmark, with bands Under-investing, On Track, and Well Protected. Compared values: sector benchmark (what peers your size spend), your budget (your actual IT spend), and the difference (gap vs. benchmark).
IT Investment
Is your technology spend keeping pace with peers? Based on your revenue, sector, and actual IT budget vs. Gartner 2025 & CompTIA 2024 benchmarks
Bottom 25%: under 2.5% of revenue (high risk)
Mid 50%: 2.5–4.5% of revenue (average)
Top 25%: above sector benchmark (well-protected)
Note: VikingCloud 2025: 1 in 5 SMBs could not survive a breach costing as little as $10,000 — your spending position is a direct indicator of business survival risk. Gartner 2025: top-quartile SMBs spend 5–7% of revenue on IT vs. a bottom-quartile average of 1.5–2.5%.
Risk assumptions — adjust to your context
3×
How much slower is a single shared technician vs. an MSP team? (1× = same speed, 4× = four times slower)
6
Email outages, VPN issues, access problems, software failures, etc.
30%
Industry avg for unmanaged SMBs: 30–40%. Managed with MSP+MSSP: 8–15%.
48h
Managed orgs recover in ~8–16h. Unmanaged municipalities: 48–240h is common.
Cyber incident exposure (probability-weighted)
Lost productivity from slower issue resolution
Reputational & contract risk (estimated)
Total annualized risk exposure with no MSP, compared against MSP + MSSP estimated annual cost
Ransom payment + forensics + system rebuild (probability-weighted, Coveware 2024/2025)
VikingCloud — 2025 SMB Threat Landscape Report
SMB-specific threat research. Key finding: 1 in 5 small businesses could not survive a breach costing as little as $10,000. Highlights the acute financial vulnerability of SMBs relative to larger organizations and the disproportionate impact of even minor incidents on business continuity.
Verizon — 2025 Data Breach Investigations Report (DBIR)
Annual breach analysis covering thousands of incidents globally, with a dedicated SMB snapshot. The median ransomware payment for SMBs reached US$115,000 in 2024. Ransomware was present in 88% of SMB breaches. Used for SMB breach frequency and ransomware cost inputs in this model.
Gartner — IT Spending Forecast 2025
Annual worldwide IT spending forecast. 2025 projection: $5.43 trillion, growing 7.9% YoY. Provides SMB IT spend benchmarks (4–6% of revenue) and identifies managed services as the fastest-growing spending category. Used for IT budget benchmark calculations.
CompTIA / Statista — MSP Market Benchmarks 2024
North American managed services market data. Average MSP spend ~$59 USD/employee/month. SMB MSP market growing at 12%+ annually. Source for per-user MSP cost benchmarks and market adoption rates. CompTIA reported 800,000+ unfilled IT positions in North America in 2025.
Ponemon Institute — Public Sector Breach Study 2024
Research on data breach costs specific to government and municipal organizations. Provides the 1.35× sector cost multiplier applied in this model for government clients, reflecting mandatory public notification requirements, legacy infrastructure challenges, and extended detection timelines.
All figures are probability-weighted estimates intended to support a business case conversation, not a formal risk assessment. Costs are scaled by employee count using Coalition 2025 and Coveware SMB benchmark data (250-person SMB dataset baseline) and converted to approximate CAD at 2024–2025 average exchange rates. Actual costs vary by incident type, response maturity, and cyber insurance coverage.
Add Financial Risk Estimate?
Takes about 60 seconds — makes your results significantly more impactful
Your results email already includes your security gap score, CFC readiness profile, and package recommendation. The Financial Risk Model adds one more layer — an annualized dollar estimate of your cyber, productivity, and reputational exposure based on your company size and sector.
Why it matters in the sales conversation: Showing a prospect their estimated $240,000 annual exposure alongside their security gaps converts a compliance discussion into a business risk discussion. It gives Sunco a concrete dollar figure to anchor the conversation.