Cyber Insurance vs General Liability: What Canadian Businesses Actually Need

Here's the short version: if you're a Canadian business counting on your commercial general liability policy to respond after a data breach, ransomware attack, or privacy incident, you're almost certainly wrong. CGL was built for a world of slip-and-fall claims and advertising injury — not encrypted servers and stolen customer records.

This isn't a broker being cautious. This is how the coverage forms actually work. The triggers, definitions, and exclusions in a standard CGL policy don't map onto the losses that cyber events produce. And every renewal cycle, insurers are making that mismatch more explicit by adding cyber exclusions to non-cyber policies.

Why GL doesn't cover cyber losses

Commercial general liability insurance responds to specific triggers: bodily injury, property damage, and certain categories of personal and advertising injury. These are physical, tangible harms — a customer slipping on a wet floor, a delivery driver backing into a storefront, a competitor claiming you copied their ad.

Cyber losses don't work that way. When a business gets hit with ransomware, the damage isn't a dented wall or a broken arm. It's encrypted data, interrupted operations, stolen credentials, extortion demands, and regulatory obligations to notify affected individuals. None of those fit the CGL trigger structure.

Cyber losses that CGL almost never covers

  • Data breach notification costs: Legal review, forensic investigation, customer notification, credit monitoring — all financial, none bodily injury or tangible property damage.
  • Ransomware extortion payments: Paying a criminal to decrypt your systems is a financial transaction, not a liability event.
  • Business interruption from system outage: Lost revenue because your network is down doesn't trigger CGL business interruption coverage, which requires physical damage.
  • Privacy regulatory fines and investigations: PIPEDA investigations and provincial privacy commissioner inquiries don't map to CGL defence obligations.
  • Third-party privacy liability: Customers suing you for exposing their personal information is a privacy claim, not a personal injury claim under CGL's standard definition.
  • Social engineering / funds transfer fraud: An employee wiring money to a criminal's account after a spoofed email is a financial crime loss, not a CGL event.

The issue isn't just that CGL doesn't list cyber as a covered peril. It's that the fundamental architecture of the form — the triggers, the definitions of property damage, the exclusions around electronic data — was designed for a pre-digital risk landscape. A CGL policy defines "property damage" as physical injury to tangible property or loss of use of tangible property. Data isn't tangible property under most Canadian CGL forms. That means the core coverage mechanism never engages.

Real Canadian claim denial patterns

You don't need to imagine how this plays out. Canadian businesses have been learning the hard way for years.

Case: Retailer hit with business email compromise

A mid-sized Canadian retailer's controller received an email that appeared to be from the company's real vendor, requesting updated banking details for invoice payments. Over $180,000 was wired to a fraudulent account over three transactions before anyone noticed. The business filed a claim under its CGL policy. The insurer denied the claim: the loss was financial, not tied to bodily injury or tangible property damage. The crime policy didn't help either — it covered employee dishonesty, not external social engineering. The business absorbed the full loss.

Case: Professional services firm suffers ransomware

An Ontario consulting firm with 45 employees was hit by ransomware that encrypted client files, project databases, and email archives. The ransom demand was $95,000 in Bitcoin. The firm submitted a claim under its commercial package, which included CGL and property coverage. The property insurer pointed to an electronic data exclusion. The CGL insurer noted no bodily injury or property damage trigger. The firm ultimately paid the ransom out of pocket and spent another $120,000 on forensic recovery, system rebuild, and client notification — none of it insured.

Case: Medical clinic data breach

A British Columbia medical clinic discovered that patient records had been accessed by an unauthorized party through a compromised employee email account. Under PIPEDA, the clinic was required to report the breach to the Office of the Privacy Commissioner and notify affected patients as soon as feasible. Notification costs, legal fees, and credit monitoring for over 3,000 patients exceeded $75,000. The clinic's CGL carrier denied the claim — privacy breach response wasn't covered property damage or personal injury under the form. A standalone cyber policy would have covered these costs entirely.

These aren't edge cases. They're the pattern. Businesses assume coverage exists because they have "liability insurance." But CGL liability and cyber liability are fundamentally different risk categories with different triggers, different definitions, and different claims responses.

What standalone cyber insurance actually covers

A dedicated cyber insurance policy is built specifically for the losses that CGL, property, and crime forms miss. It doesn't rely on physical damage triggers or tangible property definitions. It responds to the actual harms that digital incidents cause.

Core cyber insurance coverages

  • First-party breach response: Forensic investigation, legal counsel, notification costs, credit monitoring, call centre support, and public relations expenses.
  • Business interruption: Lost income and extra expenses when a cyber event interrupts your operations — triggered by system outage, not physical damage.
  • Ransomware and extortion: Ransom payments, negotiation costs, and data recovery expenses resulting from a cyber extortion event.
  • Third-party privacy liability: Defence costs and damages if customers, partners, or regulators pursue claims related to a data breach or privacy violation.
  • Regulatory response: Costs of responding to investigations by the Office of the Privacy Commissioner of Canada or provincial privacy regulators.
  • Network liability: Claims arising from failure to prevent the transmission of malware or unauthorized access to third-party systems.
  • Social engineering / funds transfer: Financial losses from business email compromise, vendor fraud, and other social engineering schemes (often a sublimit or optional endorsement).

The structural difference matters. Cyber policies are designed so that the existence of a cyber event is the trigger, not a physical harm. That's the entire point. When your systems are encrypted by ransomware, you don't need to prove someone broke their arm or a building burned down. The cyber incident itself activates coverage.

When GL might suffice vs. when you need standalone cyber

There are businesses with minimal digital exposure where CGL genuinely handles their liability needs. They exist. They're just rarer than most people think.

When CGL alone might be adequate

  • Your business operates entirely offline — no customer databases, no online payments, no cloud services, no email-dependent operations.
  • You don't collect, store, or process personal information of customers, employees, or partners.
  • You have no digital infrastructure that a cyber event could disrupt — no network, no POS systems, no managed IT.
  • You don't rely on email for financial transactions, vendor communications, or client correspondence.

For virtually every Canadian business operating in 2026, at least one of those conditions fails. If you use email, store customer data, process payments online, rely on cloud software, or have a managed service provider, you have cyber exposure that CGL was not built to address.

The reality check: most Canadian SMBs need both

A typical Canadian SMB needs CGL for traditional liability — a customer injury on premises, property damage to a landlord's building, product liability. And it needs standalone cyber for everything digital — breach response, ransomware, privacy liability, social engineering. These policies aren't redundant. They cover different risks through different mechanisms. Having one doesn't substitute for the other.

How to decide for your business

The decision isn't abstract. It's specific to what your business actually does with data, technology, and digital infrastructure. Here's how to approach it:

  1. Map your digital footprint. What data do you collect? Where does it live? Who has access? What systems would be affected by a ransomware attack?
  2. Check your existing policies for cyber exclusions. Read the actual forms. Look for language about electronic data, cyber events, privacy breaches, and network security. If you see exclusions, you know where the gaps are.
  3. Estimate your worst-case cyber loss. What would a ransomware attack cost in downtime, recovery, and lost revenue? What would a data breach cost in notification, legal fees, and regulatory response?
  4. Compare that exposure to your current coverage. If your CGL, property, and crime policies don't respond to those losses, the gap is real.
  5. Talk to your broker about a standalone cyber policy. Get a quote. Understand the coverage, the exclusions, and the cost. Then decide based on facts, not assumptions.

The cost of standalone cyber insurance for Canadian SMBs typically ranges from $1,000 to $5,000 annually depending on industry, revenue, data volume, and security posture. That's not trivial, but neither is absorbing a $200,000 ransomware loss because you thought CGL had you covered.

Find Out Where Your Coverage Actually Has Gaps

CyberAgency's Gap Analyzer maps your existing policies against real cyber exposure — so you know exactly where CGL ends and where standalone cyber begins.


FAQ

Does general liability insurance cover data breaches in Canada?

No. Standard CGL policies require bodily injury or tangible property damage triggers. Data breaches are privacy and information security events that fall outside those definitions. You need a standalone cyber policy for breach response and privacy liability coverage.

Can I rely on my CGL policy for ransomware losses?

Generally no. Ransomware causes financial loss from system downtime, extortion payments, and data restoration — none of which match the bodily injury or physical property damage triggers in a CGL form. Cyber insurance covers these losses specifically.

Do all Canadian CGL policies now have cyber exclusions?

Most do. The Canadian market has followed global trends toward explicit cyber exclusions in property and liability forms, though wording varies by insurer. Some still rely on definition gaps rather than named exclusions — but the practical result is the same: no cyber coverage.

When might a CGL policy respond to something cyber-related?

In rare cases where a cyber event causes actual bodily injury or physical property damage — for example, if a hacked industrial control system caused physical harm — a CGL form might engage on those specific damages. But the cyber root cause itself would still be excluded.

What should I ask my broker about cyber coverage?

Ask whether your current CGL, property, and E&O policies contain cyber exclusions, whether any cyber coverage exists anywhere in your program, and what a standalone cyber policy would add. Get the answers in writing. If the answer is "I'm not sure," that's your gap.
