Cyber Insurance Guide
CanadaUnderstand cyber insurance coverage, policy types, and what Canadian insurers require.
Before You Talk to a Broker
In Canada, cyber insurance is sold by licensed brokers. Verify your broker is licensed in your province before signing anything:
- Ontario: FSRA (Financial Services Regulatory Authority of Ontario) · 1-800-668-0128
- Quebec: AMF (Autorité des marchés financiers) · 1-877-525-0337
- British Columbia: BCFSA (BC Financial Services Authority) · 1-866-206-3030
- Alberta, Saskatchewan, Manitoba, Atlantic Canada: Insurance Bureau of Canada can direct you to the right provincial regulator.
Coverage Types Explained
| Coverage Type | What It Covers | SMB Relevance |
|---|---|---|
| Business Interruption | Lost income during downtime | High — avg 21 days downtime |
| Data Recovery | Cost to restore destroyed data | High — can cost $10K–$500K |
| Cyber Extortion | Ransom payment + negotiation | High — SMBs are primary targets |
| Notification Costs | Legal/notification costs for breach victims | High — mandatory under PIPEDA and provincial laws |
| Network Security Liability | Claims from exposed customer data | Medium |
| Regulatory Defense & Fines | Fines, penalties, defense costs | Medium — PIPEDA, PHIPA, Law 25, PCI-DSS fines may be covered |
| Crisis Management / PR | Reputation repair, public relations | Medium — often overlooked |
| Social Engineering / BEC | Losses from fraudulent wire transfers | High — often has sublimit, common in Canada |
| Media Liability | Defamation, IP infringement online | Low for SMBs |
| Reputation Harm | Lost customers post-breach | High — rarely fully covered |
| Privacy Breach Response (Canada) | OPC notification, credit monitoring, breach coach | High — Canadian-specific coverage |
| System Failure Coverage | Outages not caused by an attack (cloud, ISP, power) | Medium — sometimes excluded |
Coverage Amount Guidance
Micro (1–4 employees): Recommended $500K–$1M
Small (5–99 employees): Recommended $1M–$2M
Medium (100–499 employees): Recommended $2M–$5M
Key Questions to Ask a Broker
- What is the sublimit for ransomware payments? (Often capped at 25–50% of the total limit in Canada.)
- Is social engineering / BEC / wire fraud covered? (Often a separate sublimit.)
- Is there a waiting period before business interruption kicks in? (Common: 8–24 hours.)
- What security controls are prerequisites? (MFA, EDR, immutable backups are now standard in Canada.)
- Does coverage apply to cloud (AWS, Azure, M365) and Canadian data residency?
- What is excluded? (Nation-state attacks, unpatched known vulnerabilities, pre-existing incidents.)
- Are regulatory defense costs and PIPEDA / provincial privacy fines covered?
- Is there a panel of Canadian incident response firms and breach counsel, or do I choose?
- What is the retroactive date and how long do I have to report an incident after the policy expires?
- Does the policy cover costs of notifying the OPC, provincial privacy commissioners, and affected individuals?
- Is the broker licensed in my province? (Verify with FSRA in Ontario, AMF in Quebec, BCFSA in BC, etc.)
- What is the claims process and average turnaround time for advance payments?
Canadian Privacy Law & Insurance
Failing to meet Canadian privacy law obligations can void your coverage. Know which laws apply:
- PIPEDA (federal) — applies to most private-sector commercial businesses. priv.gc.ca
- PHIPA (Ontario) — personal health information. ipc.on.ca
- Law 25 (Quebec) — strictest in Canada. Privacy officer mandatory. cai.gouv.qc.ca
- PIPA (Alberta & BC) — provincial private-sector privacy laws. oipc.ab.ca / oipc.bc.ca
- CASL (Canada's Anti-Spam Legislation) — all commercial email and text messages. fightspam.gc.ca
Insurance Readiness Check
Self-score against the 9 carrier baseline controls.
Application Checklist
Walk through the 12 questions every carrier asks before you contact a broker.
Downtime Cost Calculator
Quantify the cost of an incident to justify your premium budget.
Board-Ready Report
Print-ready brief for the executive team or board.