5 Cyber Insurance Myths Canadian SMBs Still Believe

"We're Too Small to Be Targeted"

This is the single most dangerous cyber insurance myth in Canada. Here's the reality:

• 43% of all cyberattacks target small businesses (Verizon DBIR)
• Automated attacks don't discriminate by company size — they scan for vulnerabilities
• SMBs are actually preferred targets because they typically have weaker security and no incident response capability
• The average cost of a Canadian SMB data breach is $79,000

Attackers don't care about your revenue. They care about your vulnerabilities. If you have an internet connection, you're a target.

"Our General Liability Covers Cyber"

This used to be somewhat plausible. Not anymore.

• Modern GL policies include explicit cyber exclusions
• GL covers bodily injury and property damage — not data breaches, ransomware, or digital events
• The Insurance Services Office (ISO) has published standardized cyber exclusion endorsements that most Canadian carriers now use
• Even older GL policies without explicit exclusions are being interpreted narrowly by courts

Your GL policy almost certainly does not cover cyber events. Check for exclusion language about "electronic data," "cyber," "network," and "digital."

"Our IT Team Handles Security, So We Don't Need Insurance"

IT security and cyber insurance solve different problems. One prevents incidents; the other pays for the aftermath when prevention fails.

• 95% of cybersecurity incidents involve human error — no IT team can fully prevent that
• Cyber insurance covers costs IT can't: legal defence, regulatory fines, breach notification, business interruption, and ransomware payments
• The average time to identify a breach is 194 days (IBM). That's 6+ months of undetected exposure.
• Third-party vendor breaches (which IT can't control) affect 54% of organizations

IT reduces risk. Insurance covers the remaining exposure. You need both.

"Cyber Insurance Is Too Expensive"

Let's do the math for a typical Canadian SMB (10-50 employees):

• Cyber insurance cost: ~$1,000-$3,000/year for $1M coverage
• Average breach cost: $79,000
• Ransomware payment: $50,000-$500,000+ (and rising)
• Business interruption: Average 21 days of downtime after a ransomware attack

That's $83-$250/month for coverage that would cost $79,000+ to use. The ROI is straightforward.

Cyber insurance costs less per month than most businesses spend on coffee. A single incident without coverage can be existential.

"We Don't Use AI, So AI Coverage Doesn't Matter"

You almost certainly do use AI, even if you don't think of it that way.

• Microsoft Copilot is embedded in Office 365 — if your team uses Word, Excel, or Outlook, they have access to AI
• Google Workspace includes Gemini AI features
• CRM systems (Salesforce, HubSpot) include AI-powered features
• Accounting software (QuickBooks, Xero) uses AI for categorization and fraud detection
• Customer service tools (chatbots, automated email responses) are AI-powered

If any employee in your organization has used ChatGPT for work — even once — your business has AI exposure. And your current insurance probably doesn't cover it.

AI risk isn't about building AI systems. It's about using them. If your business touches AI in any way, you need AI-aware coverage.