What Is Silent Cyber — And Why It Leaves Canadian Businesses Exposed

Silent cyber is one of those insurance phrases that sounds academic right up until a real claim lands on your desk. Then it gets painfully practical.

In plain English, silent cyber means a cyber-related loss may sit inside a policy that was never built to handle cyber risk. The wording does not clearly include cyber coverage, but it also does not clearly exclude it. That ambiguity creates a nasty surprise: businesses assume they are protected because they have general liability, property, crime, or errors and omissions coverage, yet the policy may not respond when the loss is caused by malware, business email compromise, data corruption, or a privacy incident.

For Canadian businesses, that gap matters more than people think. There is no legal requirement to buy standalone cyber insurance just because you store customer information, use cloud software, or process payments. So many small and mid-sized businesses do what feels reasonable: they buy a commercial package, maybe add E&O, and assume cyber is buried in there somewhere. Often, it isn't.

What silent cyber means in practical terms

Silent cyber exists because cyber risk spread faster than traditional policy wording evolved. Older property, liability, and professional lines forms were drafted for fires, theft, bodily injury, negligent advice, and physical damage. They were not built around ransomware extortion, loss of digital assets, notification costs, forensic investigation, or network interruption.

That leaves three possible outcomes after a cyber event:

From a business owner's perspective, the worst category is often the third one. Clear exclusions are frustrating, but at least you know where you stand. Silent cyber gives false comfort until a claim adjuster, coverage lawyer, or court has to interpret intent after the loss has already happened.

Why Canadian businesses are especially exposed

Canadian SMBs are prime silent cyber candidates for a simple reason: they are digital enough to suffer cyber losses, but not always insured in a way that matches that reality.

A manufacturer in Alberta may rely on email, e-transfer, cloud accounting, and a managed service provider. A professional services firm in Ontario may hold contracts, payroll data, and client financial records in Microsoft 365. A retailer in British Columbia may have POS systems, online bookings, and customer databases. None of these businesses look like "tech companies," but all of them can suffer a serious cyber loss.

Statistics Canada reported that 16% of Canadian businesses were impacted by cybersecurity incidents in 2023. That figure matters because it shows cyber loss is not a niche scenario reserved for multinational giants. It's part of normal commercial risk in Canada now.

Yet many Canadian firms still buy insurance line by line: property for buildings and contents, CGL for slip-and-fall and advertising liability, professional liability for bad advice, crime for employee dishonesty. If nobody deliberately addresses cyber, the business can end up with fragmented protection and dangerous assumptions.

Market lesson: NotPetya made silent cyber impossible to ignore

The 2017 NotPetya malware attack caused massive disruption across global businesses, including Maersk, which publicly described rebuilding thousands of servers and tens of thousands of endpoints after the incident. The event showed how a cyber attack can trigger very real operational and property-style losses even when the damage starts in software.

Merck then became a landmark coverage example. The company pursued recovery under all-risk property policies for more than US$1.4 billion in losses tied to NotPetya. Insurers argued a war exclusion applied; courts rejected that position under the wording at issue, and the dispute later settled. The key lesson for Canadian businesses is not that property insurance is secretly cyber insurance. It is that ambiguous wording around cyber can produce enormous coverage disputes once digital events create physical-world business interruption and restoration costs.

How insurers have responded

Insurers hate ambiguity almost as much as they hate unpriced accumulation. So the market response to silent cyber has been predictable: clarify, restrict, and separate.

Across commercial lines, carriers have been tightening cyber language by:

That's rational from the insurer side. A carrier pricing a general liability policy does not want hidden cyber exposure riding for free in the portfolio. But it also means the old comfort phrase — "we probably have some coverage somewhere" — is getting weaker every renewal cycle.

Why general liability usually does not solve cyber loss

This is the misconception that trips up a lot of otherwise sensible businesses. Commercial general liability is designed around classic liability triggers such as bodily injury, property damage, and certain personal and advertising injury claims. Most cyber losses don't fit neatly into those buckets.

Common cyber losses that GL usually misses

  • Funds transfer fraud: money sent to a criminal after email impersonation is a financial loss, not bodily injury.
  • Ransomware downtime: lost income from encrypted systems is usually a cyber business interruption issue, not a standard CGL trigger.
  • Privacy response costs: legal review, notification, call centres, and forensic work are specialized breach expenses.
  • Digital asset restoration: rebuilding data or restoring systems often runs into electronic data limitations or exclusions.
  • Regulatory response: privacy investigations and reporting obligations do not map cleanly to old-school liability forms.

Property insurance usually has a similar problem. Traditional property forms are built for direct physical loss or damage. When the main harm is corrupted data, locked systems, stolen credentials, or interrupted operations, insureds often discover the policy language was never meant to respond the way they hoped.

E&O can help in narrow circumstances if a client sues you for a service failure tied to a cyber event, but even there the result depends heavily on wording, exclusions, and whether technology or privacy liability was actually contemplated.

What Canadian business owners should check in their policies

The fix is not guessing harder. It is reading the actual forms and forcing clarity. If you are renewing now, these are the first things worth checking with your broker or insurer:

Silent cyber review checklist

  • Cyber exclusion wording: Does your property, CGL, E&O, or crime policy now contain an explicit cyber exclusion or electronic data carve-out?
  • Funds transfer / social engineering: Is there any dedicated coverage for invoice fraud, vendor impersonation, or business email compromise?
  • Business interruption trigger: Does loss of income require direct physical damage, or can network outage / system failure trigger coverage?
  • Breach costs: Who pays for legal counsel, forensics, notification, credit monitoring, PR, and call centre support?
  • Third-party privacy liability: If customers or counterparties sue over a data incident, which policy responds?
  • Regulatory obligations: Does any policy help with privacy investigations or defence costs under PIPEDA or provincial regimes?
  • Ransomware and extortion: Is extortion response covered, excluded, or conditioned on minimum security controls?

If the answer to several of those questions is "I'm not sure," that is the exposure. Insurance programs fail less often because businesses bought nothing, and more often because businesses bought something they misunderstood.

Why this matters for brokers too

Silent cyber is not only a client education issue. It is also a broking issue. Canadian brokers serving SMBs increasingly need to document how cyber exposure was addressed, especially when a client assumes package policies already handle modern privacy, fraud, and network risk. The more the market moves toward explicit exclusions in non-cyber lines, the less defensible it becomes to leave cyber as an implied afterthought.

The smarter approach: separate ambiguity from protection

The right answer is boring, which is usually a good sign in insurance. Businesses should not rely on coverage by accident. They should know:

  1. what cyber exposure they actually have,
  2. which non-cyber policies exclude or limit that exposure, and
  3. whether a standalone cyber policy closes the gap cleanly.

Once you do that, silent cyber stops being a ghost in the wording and becomes a straightforward underwriting problem. That's where it belongs.

FAQ

Is silent cyber good or bad for insureds?

Usually bad. In theory ambiguity can occasionally favour an insured, but in practice it means expensive disputes, delayed claims handling, and no certainty when you need cash and vendors moving quickly.

Can a property policy ever respond to a cyber event?

Sometimes, depending on wording and facts. The Merck dispute showed that legacy property forms can create litigation over cyber-triggered loss. That does not mean businesses should treat property insurance as reliable cyber coverage.

What is the first thing an SMB should do?

Review exclusions and triggers across your package policies, then compare that to what a dedicated cyber form would cover. If no one has done that mapping, you are probably carrying silent cyber exposure right now.

Sources

  • Statistics Canada, Canadian Survey of Cyber Security and Cybercrime (2024 release covering 2023 business impacts).
  • Office of the Privacy Commissioner of Canada, guidance on mandatory breach reporting under PIPEDA.
  • Public reporting and court coverage relating to Merck's NotPetya property insurance dispute and subsequent settlement.
  • Public reporting from Maersk describing operational recovery impacts following NotPetya.