A cyber incident is stressful enough without fumbling through the insurance claims process. This guide walks you through exactly what to do, in what order, and where Canadian businesses most commonly go wrong.
Step 1: Immediate Response (First 24 Hours)
Before you touch the insurance claim, contain the damage:
- Isolate affected systems. Disconnect compromised machines from the network. Don't shut them down — forensic investigators need the volatile memory state.
- Preserve evidence. Screenshot error messages, save log files, document what you observed and when. Don't attempt to "fix" anything yet.
- Activate your incident response plan. If you have one (and you should), follow it. If you don't, your cyber insurer's breach response team becomes your incident response plan.
- Don't communicate externally yet. No public statements, no client notifications, no social media posts until you understand the scope. Premature disclosure can complicate the claim.
Step 2: Document Everything (24-48 Hours)
Insurance claims live and die on documentation. Start a claim file immediately:
- Timestamped timeline of events (when did you first detect? what happened next?)
- Screenshots of indicators of compromise (unusual login locations, ransom notes, disabled security tools)
- Network and system logs covering the incident period
- List of potentially affected systems, accounts, and data
- Names of employees involved in detection and initial response
- Any communications from the threat actor (ransom demands, etc.)
Pro tip: Forward the claim file to a dedicated email address or secure folder so nothing gets lost. Keep the chain of custody clean.
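One way to keep the claim file's chain of custody verifiable, shown as an added example (not part of the original guide or any insurer's tooling): record a SHA-256 hash of every collected file at collection time, then re-check the folder before handing it to the adjuster or forensic firm. The function names, the collector name and the sample log line are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # stream large logs in 1 MiB chunks
            h.update(block)
    return h.hexdigest()

def build_manifest(claim_dir, collected_by):
    """Hash every file under the claim folder and note who collected it and when (UTC)."""
    files = {}
    for root, _dirs, names in os.walk(claim_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, claim_dir).replace(os.sep, "/")
            files[rel] = sha256_file(full)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {"collected_by": collected_by, "collected_utc": stamp, "files": files}

def verify_manifest(claim_dir, manifest):
    """Return {path: 'missing' | 'modified' | 'added'}; an empty dict means intact."""
    current = build_manifest(claim_dir, manifest["collected_by"])["files"]
    recorded = manifest["files"]
    problems = {}
    for rel, digest in recorded.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel] != digest:
            problems[rel] = "modified"
    for rel in current.keys() - recorded.keys():
        problems[rel] = "added"
    return problems

def demo():
    """Constructed sample: collect one log excerpt, verify it, then edit it and verify again."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "vpn.log"), "w") as f:
            f.write("2024-01-01T03:12:09Z login user=alice src=203.0.113.7\n")
        manifest = build_manifest(d, "J. Doe (hypothetical)")
        clean = verify_manifest(d, manifest)
        with open(os.path.join(d, "vpn.log"), "a") as f:
            f.write("edited after collection\n")
        return clean, verify_manifest(d, manifest)

if __name__ == "__main__":
    print(demo())
```

Store the manifest outside the evidence folder, for example in the dedicated claim mailbox, so it cannot be altered alongside the files it describes.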
Step 3: Notify Your Insurer (Within 48 Hours)
Most Canadian cyber insurance policies require notice "as soon as practicable" after you become aware of an incident. This is deliberately vague, but in practice it means within 24-72 hours. Don't wait until you've completed your investigation.
When you call the claims hotline:
- Provide your policy number and business name
- Describe what happened in plain language (you don't need technical precision yet)
- Explain what data may be affected
- Ask for your breach response vendor assignments — most carriers pre-approve forensic firms, legal counsel, and notification services
Important: Don't hire your own forensic firm or breach counsel without insurer approval. Most policies require you to use their vetted vendors. Going rogue can result in denied expenses.
Step 4: PIPEDA Breach Notification Requirements
Canadian businesses have parallel obligations under PIPEDA that run alongside the insurance claim:
Report to the Office of the Privacy Commissioner (OPC)
You must report a breach to the OPC as soon as feasible after determining that it creates a "real risk of significant harm" to individuals. The report must include:
- Circumstances of the breach (what happened, when)
- Personal information affected (type and volume)
- Assessment of the risk of significant harm
- Steps taken and planned to mitigate harm
- Contact information for a person who can answer OPC questions
Notify Affected Individuals
If the breach poses a real risk of significant harm, you must notify affected individuals as soon as feasible. The notification must include:
- Description of the circumstances
- What personal information was involved
- Steps they can take to protect themselves
- What your organization is doing to mitigate the harm
- Contact information for someone who can answer questions
Record All Breaches
Even breaches that don't meet the reporting threshold must be recorded and maintained for 24 months. The OPC can request these records at any time.
Your insurer's breach counsel will typically handle OPC reporting and individual notifications — this is one of the key benefits of cyber insurance. Let them do it. They've done it before.
Step 5: Cooperate with the Adjuster
The insurance adjuster will assign a claims handler who specializes in cyber incidents. Cooperate fully:
- Provide requested documentation promptly
- Allow forensic investigators access to affected systems
- Follow the carrier's guidance on external communications
- Keep records of all incident-related expenses (these are claimable)
- Don't admit liability or make commitments to third parties without adjuster approval
Most cyber claims include coverage for: forensic investigation, legal counsel, breach notification costs, credit monitoring services, business interruption losses, data recovery, and regulatory defence. Your policy's specific coverage schedule dictates what's included.
Step 6: Settlement and Recovery
Cyber claims typically settle faster than traditional liability claims because the costs are more immediate — you need forensic investigators now, not in six months. Expect:
- First-party costs (forensics, notification, credit monitoring) paid as incurred during the incident response
- Business interruption calculated after the recovery period based on financial records
- Third-party claims (customer lawsuits, regulatory fines) resolved over a longer timeline
Common Pitfalls That Kill Claims
After reviewing hundreds of Canadian cyber claims, these are the patterns that cause the most problems:
- Delayed notification. Waiting weeks to report because you wanted to "figure it out first." Policies require prompt notice. The adjuster can always figure it out with you — that's what they're there for.
- Inadequate documentation. No incident timeline, no preserved logs, no screenshots. You're asking the insurer to take your word for what happened. That's a weak position.
- Not understanding the retention/deductible. Cyber policies often have a "waiting period" (like a time-based deductible) before business interruption coverage kicks in. Know what yours is before an incident.
- Unauthorized vendors. Hiring your own IT firm or lawyer without insurer approval. The carrier may refuse to pay those costs.
- Social media posts. An employee posts about the breach on LinkedIn before the insurer has been notified. This happens more than you'd think.
Prepare Now, Not During a Crisis
The best time to understand your cyber insurance claim process is before you need it. Three things to do this week:
- Find your policy. Know where it is, who the carrier is, and what the claims hotline number is. Save it in your phone.
- Run the Gap Analyzer. Make sure your policy actually covers the incidents you're most likely to face.
- Update your incident response plan. Include the insurer notification step, vendor pre-approval requirements, and PIPEDA reporting obligations.
When a breach happens, you won't have time to figure this out. Do it now.