Cyber Insurance in Canada: What Your Policy Actually Covers, Why Claims Get Denied, and What Underwriters Now Require

By Anton Kuznetsov

The City of Hamilton paid years of cyber insurance premiums. When a ransomware attack on February 25, 2024, disabled roughly 80 percent of its network and disrupted city services for weeks, Hamilton submitted a claim against its cyber policy. The insurer denied it — citing the city's failure to fully implement multi-factor authentication across the affected systems, contrary to what the application had indicated. A third-party legal review confirmed the denial was within policy terms. The full CA$18.3 million cleanup bill landed on taxpayers. (Global News, July 2024) (CBC News)

The lesson is not that cyber insurance is worthless. It is that cyber insurance in 2026 functions less like a warranty and more like a compliance audit with a financial backstop. When forensic investigators find that the controls you attested to on your application were not in place when the incident occurred, the policy does not pay.

For Canadian SMBs deciding how much to invest in cyber coverage — and how to make sure it actually pays when needed — understanding the mechanics matters more than ever.

The Coverage Gap Leaving Most Canadian Businesses Exposed

Statistics Canada's 2023 survey of Canadian businesses found that only 22% carried cyber risk insurance — up from 16% in 2021, but still leaving approximately four in five businesses without coverage. (Statistics Canada, Impact of Cybercrime on Canadian Businesses, 2023) For small businesses specifically, the rate is lower still.

The exposure that insurance is meant to cover is not small. IBM's *Cost of a Data Breach Report 2025* put the Canadian average breach cost at CA$6.98 million — a 10.4% increase year-over-year. (IBM Cost of a Data Breach Report 2025 – Canada) The CIRA 2025 Cybersecurity Survey found that 43% of Canadian organizations were hit by a cyberattack in the preceding 12 months, with the steepest increases concentrated in the small-business cohort. (CIRA 2025 Cybersecurity Survey)

The market for coverage is growing fast regardless: Canada's cyber insurance market is currently valued at approximately USD $590 million and projected to reach USD $1.14 billion by 2030 at roughly a 14% compound annual growth rate. (Mordor Intelligence, Canada Cyber Insurance Market, 2025) The market is not growing because risk is declining — it is growing because uninsured losses are becoming undeniable.

What Cyber Insurance Actually Covers

Canadian cyber policies typically provide two categories of protection.

First-party coverage pays for direct costs your business incurs from a cyber incident:

  • Business interruption losses — revenue lost during a system outage (most policies require 8–12 hours of continuous downtime before this coverage activates)
  • Ransomware extortion payments — the ransom itself if you choose to pay, plus professional negotiation costs
  • Forensic investigation — engaging a qualified incident response firm to identify the breach source, scope, and attacker dwell time
  • Data recovery costs — restoring systems and data from backups, or rebuilding from scratch
  • Crisis communications and public relations — managing reputation during and after an incident
  • Legal counsel — specialized cyber lawyers engaged the moment an incident is declared

Third-party coverage addresses claims from customers, partners, or regulators:

  • Privacy liability — claims from individuals whose personal data was compromised
  • Regulatory fines and penalties — some policies cover penalties levied under PIPEDA or provincial privacy laws, subject to sublimits and only "where insurable by law", a phrase that leaves open whether a given fine can be paid by an insurer at all
  • Network security liability — claims arising from your systems inadvertently harming a third party

What most policies do not cover:

  • Incidents arising from known, publicly disclosed vulnerabilities that were unpatched before the policy was issued
  • Losses from assets explicitly excluded in the schedule of covered systems
  • Business interruption losses from outages shorter than the policy's waiting period
  • Events falling under a cyber war exclusion (actively contested after recent state-linked incidents)

The Insurance Bureau of Canada has specifically flagged that SMEs systematically underestimate their cyber risk exposure and frequently assume that existing general commercial liability or business interruption policies cover cyber events — when they typically do not. (IBC, SMEs underestimate cyber risks, 2025) Reading the exclusions before signing is not optional.

The Underwriting Application Is Now a Security Audit

The cyber insurance application of 2019 was a half-page questionnaire. The 2026 version runs to 20–40 detailed questions covering specific controls. A growing number of carriers now supplement the application with an independent external attack surface scan — checking your publicly visible infrastructure for unpatched systems, exposed remote access ports, and misconfigured services — before offering terms. Self-attestation is no longer the end of the conversation.

Controls that virtually every Canadian insurer now requires as a condition of coverage, with what underwriters verify for each:

  • Multi-factor authentication: enabled on email, VPN, remote desktop, cloud consoles, and privileged accounts, not just some of them
  • Endpoint detection and response (EDR): deployed on all endpoints and servers, with active monitoring
  • Tested offline backups: a 3-2-1 architecture (three copies, on two different media, one of them offline or off-site); evidence of a successful tested restore may be requested
  • Documented incident response plan: written, reviewed within the past year, and exercised through tabletop testing
  • Security awareness training: a documented program with regular phishing simulations, not a single annual module
  • Patch management process: a written cadence covering third-party applications, firmware, and network devices

For a typical Canadian SMB with fewer than 50 employees and under $5 million in revenue, annual premiums for a $1–2 million limit policy currently range from roughly CA$1,500 to CA$6,000, depending on industry, revenue, the volume of personal records held, and documented security posture. (Roughley Insurance, Cyber Insurance Cost Canada) Businesses with stronger documented controls qualify for lower rates and fewer exclusions. Businesses that cannot demonstrate baseline controls may be denied coverage entirely — or offered a policy with exclusions that eliminate protection for the most likely incident types.

Why Claims Get Denied — and the Pattern Behind the Denials

Hamilton is the most publicly documented Canadian example, but the underlying pattern — attesting to controls on the application that were not fully in place at the time of an incident — is consistent across insurer forensic reports.

Incomplete MFA is the leading denial trigger. An organization states that MFA is enabled across all remote access. Forensic investigation finds a service account, a legacy VPN gateway, an administrative portal, or a conditional-access exclusion added as a "temporary" exception, none of which ever had MFA enforced. The attacker used precisely that gap. The claim is denied for material misrepresentation. Note the difference between enabled, enforced, and registered: a tenant where MFA is switched on but a particular account is excluded from the policy, or has never registered a second factor, reads as "no MFA" in a forensic report.

Late breach notification. Most Canadian cyber policies require the insurer to be notified within 48–72 hours of a suspected breach. Organizations that investigate internally before notifying the insurer may find that the delay triggers a coverage exclusion. The insurer's incident response team is also part of the response process — calling them early is both a contractual obligation and operationally useful.

Undocumented controls. A business may have implemented reasonable security measures but cannot produce documentation demonstrating they were in place before the incident. Written policies, system screenshots, and vendor invoices for security tools all serve as evidence. Verbal assurances are not.

Post-application control lapse. Coverage is issued based on conditions described at application time. If an EDR subscription lapses, an employee disables MFA for convenience, or a backup schedule is paused during a system migration, the policy terms may no longer be met — even though premiums were paid throughout.

The Canadian Centre for Cyber Security's *National Cyber Threat Assessment 2025–2026* documents the threat environment that makes these controls non-optional: ransomware-as-a-service operations, AI-assisted phishing campaigns, and automated vulnerability scanning have all lowered the barrier to attack. (CCCS NCTA 2025–2026) The controls insurers require are, largely, the same controls the CCCS recommends. That alignment is not a coincidence.

The PIPEDA Obligation That Insurance Does Not Eliminate

A cyber insurance policy covers costs. It does not eliminate legal obligations.

Under PIPEDA, any security safeguard breach involving personal information of Canadians that poses a real risk of significant harm triggers mandatory obligations regardless of insurance status, incident outcome, or whether a ransom was paid:

1. Report the breach to the Office of the Privacy Commissioner of Canada — with specifics about the personal information involved, how the breach occurred, and what remediation is underway.

2. Notify affected individuals directly — so they can take protective action before harm occurs.

3. Maintain records of every breach — including those below the reporting threshold — for a minimum of 24 months under PIPEDA's record-keeping requirement. (Office of the Privacy Commissioner of Canada, PIPEDA Breach Reporting Guidance)

For businesses operating in Quebec or serving Quebec residents, Law 25 adds its own obligations: a confidentiality incident that presents a risk of serious injury must be reported to the Commission d'accès à l'information and to the affected individuals "with diligence", and every incident, reportable or not, goes into a register kept for at least five years. Neither Law 25 nor PIPEDA fixes a number of hours; the tightest clock most Canadian SMBs actually face is the insurer's 48 to 72 hour notification window, and an incident response runbook built to that deadline satisfies the statutory standards as a by-product.

Cyber insurance policies with third-party coverage typically pay for the legal costs of breach response: external privacy lawyers, breach notification services, call centre setup for affected individuals, and credit monitoring. That coverage is valuable. It does not make the reporting obligations optional, and none of the clocks above pause while you decide whether to file a claim.

A Pre-Renewal Checklist for Canadian SMBs

Before completing a cyber insurance application — or approaching a renewal — work through this list:

  • Verify MFA is active on every external-facing system: incomplete MFA is the most common denial trigger; verify, do not assume
  • Test a full restore from backup: insurers ask for evidence, and an undocumented backup process does not satisfy underwriting
  • Update your incident response plan: plans not reviewed within 12 months are not treated as current
  • Confirm EDR agent health on all endpoints: a machine with a missing, stopped, or stale agent is not visible to an external scan, but it is the first thing a post-incident forensic review finds
  • Collect evidence of your security controls: system screenshots, vendor invoices, and training completion records all count as documentation
  • Review your coverage limits against realistic breach costs: many SMBs carry CA$1 million limits while IBM puts the Canadian average at CA$6.98 million; that average is drawn mostly from organizations larger than an SMB, so size the limit to your own record counts, downtime tolerance, and the ransomware sublimit rather than to the headline figure
  • Read the exclusions before signing: war exclusions, waiting periods, and ransomware sublimits vary significantly across carriers
  • Know your notification window: record the insurer's breach hotline number and the contractual notification deadline in your incident response plan before you need it
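"Test a full restore" only counts when it produces something you can show an underwriter. The script below is an added example, not code from the original post or from any backup vendor: it backs up a directory, captures a SHA-256 manifest at backup time, restores the archive somewhere else, checks every restored file against that manifest, and writes a timestamped evidence record that also records the archive and manifest hashes. The sample tree, the archive name and the evidence fields are constructed assumptions; the second restore in the demo is deliberately damaged to show that the check reports altered and missing files rather than silently passing.

```python
"""Produce evidence of a tested restore: back up a directory, restore it
somewhere else, verify every file against a SHA-256 manifest captured at
backup time, and emit a timestamped record. Added example; the archive layout
and the evidence fields are assumptions, not any insurer's required format.
"""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write a tar.gz of src and return the manifest. Keep the manifest apart
    from the archive so a damaged archive cannot vouch for itself."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def extract(archive: Path, dest: Path) -> None:
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # The 'data' filter (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
        # refuses path traversal, absolute paths and device nodes inside the archive.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_restore(manifest: dict[str, str], dest: Path, archive: Path) -> dict:
    """Compare the restored tree with the manifest; ok only if nothing is
    missing, extra or altered. The returned dict is the evidence record to keep."""
    restored = build_manifest(dest)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    altered = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "archive_sha256": sha256_file(archive),
        "manifest_sha256": hashlib.sha256(canonical).hexdigest(),
        "files_expected": len(manifest),
        "files_verified": len(manifest) - len(missing) - len(altered),
        "missing": missing, "extra": extra, "altered": altered,
        "ok": not (missing or extra or altered),
    }


def run_demo() -> tuple[dict, dict]:
    """Constructed sample: a small 'production' tree, one clean restore, and one
    restore in which a file was damaged and another lost before verification."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "prod"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sqlite").write_bytes(os.urandom(4096))
        (src / "config.yaml").write_text("retention_days: 30\n")
        archive = tmp / "nightly.tar.gz"
        manifest = create_backup(src, archive)

        good = tmp / "restore-good"
        extract(archive, good)
        clean = verify_restore(manifest, good, archive)

        bad = tmp / "restore-bad"
        extract(archive, bad)
        (bad / "db" / "customers.sqlite").write_bytes(b"")   # simulated corruption
        (bad / "config.yaml").unlink()                        # simulated loss
        damaged = verify_restore(manifest, bad, archive)

    print(json.dumps(clean, indent=2))
    return clean, damaged


if __name__ == "__main__":
    run_demo()
```

The evidence record is only as good as the manifest's independence from the archive: store the manifest (or at least its hash) somewhere the backup job cannot overwrite, and keep each dated record with the policy file. Running this against a real nightly archive into a scratch directory on a schedule, and keeping the JSON, is the "evidence of a successful tested restore" the underwriting table asks for.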

The Canadian cyber insurance market is maturing — more carriers, more competitive pricing, and more products tailored to specific industries and revenue bands. But the claims process has also professionalized. The forensic investigators retained by insurers are thorough, and the application is a legal document. The businesses that get full value from their policy are the ones that treat the application as a security review, document their controls before they need them, and engage the insurer's incident response team at the moment of a suspected breach — not after they have decided it is a real incident.

The City of Hamilton had insurance. The MFA gap cost it the coverage, and taxpayers the full CA$18.3 million bill. The lesson is not to avoid insurance; it is to deserve the coverage you are paying for.


Sources

  • Statistics Canada. *Impact of Cybercrime on Canadian Businesses, 2023.* statcan.gc.ca
  • IBM Security. *Cost of a Data Breach Report 2025 – Canada.* canada.newsroom.ibm.com
  • CIRA. *2025 Cybersecurity Survey.* cira.ca
  • Mordor Intelligence. *Canada Cyber (Liability) Insurance Market Size & Report Analysis, 2030.* mordorintelligence.com
  • Global News. *Ontario city facing full $18.3M cyberattack bill after insurer denies claim, July 2024.* globalnews.ca
  • CBC News. *Insurance won't cover $5M in City of Hamilton claims for cyberattack, citing lack of log-in security.* cbc.ca
  • Insurance Business Canada. *SMEs underestimate cyber risks, leaving gaps in insurance protection: IBC.* insurancebusinessmag.com
  • Roughley Insurance. *Cyber Insurance Cost Canada.* roughleyinsurance.com
  • Canadian Centre for Cyber Security. *National Cyber Threat Assessment 2025–2026.* cyber.gc.ca
  • Office of the Privacy Commissioner of Canada. *What you need to know about mandatory reporting of breaches of security safeguards.* priv.gc.ca
  • Insurance Bureau of Canada. *Trends affecting Canada's cyber insurance market.* ibc.ca

Cyber insurance is one layer of a complete risk management posture — but only if the underlying controls match what your application says. Cloud Forces helps Canadian SMBs implement and document the security controls that underwriters require: MFA across all entry points, EDR deployment and monitoring, tested backup architectures, and written incident response plans. Get the coverage right before you need it. Explore our Cybersecurity services or book a free security posture review.

Anton Kuznetsov
Founder & Principal Engineer

Anton Kuznetsov is the founder and principal engineer of Cloud Forces, the Toronto firm he started in 2018 to make custom software and AI practical and affordable for Canadian SMEs. He works hands-on across application development, cloud architecture, and the production systems Cloud Forces runs for its clients.
