External Audit Reveals Cyber Insurance Gaps and Control Weaknesses

The Challenge

In April 2025, Monarch National, one of Canada’s largest multiline insurers, underwent what was expected to be a routine external cybersecurity audit. Instead, the auditors uncovered systemic weaknesses that exposed the company to both regulatory and financial risk. The review revealed inconsistent access management, missing control documentation, and outdated incident response protocols across several business units.

More critically, Monarch’s cyber insurance policy was outdated and no longer reflected its current threat landscape. Coverage exclusions left the company without protection against ransomware, data theft, and operational downtime. Decentralized IT governance had allowed each department to maintain its own controls without central oversight, producing gaps in both protection and accountability. While no breach was detected, the audit identified historical anomalies in intrusion logs that had never been triaged or investigated, an alarming sign that internal reviews lacked consistency and depth.

Executives were surprised to learn that many assurance statements given to investors were based on unverified assumptions rather than validated controls.

Our Solution

Our firm was retained to help Monarch overhaul its cybersecurity governance and align its insurance coverage with operational realities. We began by mapping all cybersecurity controls, policies, and system interdependencies across the enterprise. Missing documentation was recreated, and access management frameworks were standardized under a centralized governance model.

Working with a specialized insurance broker, we analyzed potential loss scenarios, including ransomware disruption, data exfiltration, and extended downtime, to recalibrate coverage limits and exclusions. The board established a cybersecurity oversight committee with cross-departmental authority to ensure consistent policy enforcement. Compliance dashboards were developed to provide real-time visibility into audit results, control maturity, and residual risk.

To strengthen accountability, Monarch integrated cybersecurity performance into executive KPIs and implemented an annual independent audit cycle. These reforms shifted the organization from reactive compliance to active assurance.

The Value

The transformation restored investor confidence and improved Monarch’s standing with regulators. The new governance structure provided unified oversight, clear accountability, and continuous visibility across all business lines. The updated insurance policy now accurately reflects the company’s risk exposure, ensuring coverage for modern cyber threats and minimizing financial uncertainty.

Auditors praised Monarch’s proactive reforms, noting that its integrated control environment could serve as a model for the broader financial services industry. By grounding governance in evidence rather than assumptions, Monarch moved from theoretical assurance to measurable resilience.

Implementation Roadmap

1. Map all cybersecurity controls and system dependencies

2. Centralize governance across all departments and standardize access management

3. Reassess cyber insurance policies with updated risk models

4. Implement real-time compliance dashboards and audit tracking

5. Establish an annual independent cybersecurity audit cycle tied to executive KPIs
