Small Business Cyber Insurance Guide: Canada 2026

If you run a small business in Canada and you're reading this to figure out whether you need cyber insurance, here's the honest answer: if you use email, store any customer information, process payments, or rely on cloud software, you almost certainly do. The question isn't whether you have cyber exposure. The question is whether you're going to manage it deliberately or discover it after a loss.

This guide walks through what cyber insurance actually covers, what it costs, how to figure out what you need, and how to buy it without wasting money on the wrong product.

What cyber insurance covers — and what it doesn't

Cyber insurance is built around two categories of loss: first-party (costs you incur directly) and third-party (claims made against you by others). Understanding both is essential to buying the right coverage.

First-party coverage (your direct costs)

  • Breach response costs: Forensic investigation to determine what happened, legal counsel to assess obligations, customer notification, credit monitoring, call centre support, and public relations expenses.
  • Business interruption: Lost income and extra expenses when a cyber event — ransomware, system failure, network outage — interrupts your operations. This is triggered by the cyber event itself, not physical damage.
  • Ransomware and extortion: Ransom payments, negotiation costs, and data decryption or recovery expenses. Some policies also cover the cost of investigating the attack that led to the extortion demand.
  • Data recovery and system restoration: Costs to restore or recreate corrupted, encrypted, or stolen data, and to rebuild affected systems.
  • Social engineering / funds transfer fraud: Financial losses from business email compromise, vendor impersonation, or other social engineering schemes where an employee is tricked into sending money or data to a criminal.

Third-party coverage (claims against you)

  • Privacy liability: Defence costs and damages if customers, partners, or other affected parties sue you over a data breach or privacy violation.
  • Regulatory response: Costs of responding to investigations by the Office of the Privacy Commissioner of Canada or provincial privacy regulators, including legal defence and compliance costs.
  • Network liability: Claims arising from your failure to prevent the transmission of malware or unauthorized access to third-party systems connected to your network.
  • Media liability: Claims related to online content — defamation, copyright infringement, or invasion of privacy in digital media (sometimes a sublimit).

Most standalone cyber policies also include incident response services — a 24/7 breach hotline, access to pre-approved forensic firms, legal counsel specializing in privacy law, and crisis communications support. These services are often more valuable than the financial coverage itself because they give you an expert team the moment an incident occurs.

What cyber insurance typically does NOT cover

  • Known vulnerabilities you failed to patch: If you knew about a security gap and didn't fix it, the insurer may deny the claim.
  • Intentional acts by the insured: Deliberate data theft or fraud by the business owner or senior management.
  • Property damage and bodily injury: Physical harms from a cyber event (like a hacked industrial system causing physical damage) — these may fall under property or CGL.
  • Reputational harm without a triggering event: Loss of customers due to negative publicity isn't covered unless it results from a specific insured cyber event.
  • Prior acts / known claims: Incidents that began before the policy inception date.
  • War and terrorism: Nation-state attacks and acts of war are typically excluded, though the definition is contested in the market.

Typical costs by company size

Cyber insurance pricing in Canada depends on several factors: industry, revenue, number of employees, volume of sensitive data, security controls, claims history, and coverage limits. But here are realistic ranges for what Canadian small businesses can expect to pay:

Cyber insurance cost ranges — Canadian SMBs (2026)

  • Micro businesses (1-10 employees, <$1M revenue): $800 – $2,500/year for $1M in coverage. Lower risk profile, minimal data, simple operations. Often available as a streamlined application.
  • Small businesses (10-50 employees, $1M-$10M revenue): $2,000 – $6,000/year for $1M-$2M in coverage. More data, more users, more complex systems. Underwriters will ask about security controls.
  • Mid-sized businesses (50-200 employees, $10M-$50M revenue): $5,000 – $20,000/year for $2M-$5M in coverage. Expect detailed underwriting, security questionnaires, and potentially control requirements.
  • Professional services / financial services: Typically 20-40% above these ranges due to higher data sensitivity and regulatory exposure.
  • Healthcare / organizations holding health data: Higher still — health information is the most sensitive personal data category under Canadian privacy law.

These are premium ranges, not quotes. Your actual cost will depend on your specific risk profile. But the numbers are useful for budgeting: for most Canadian SMBs, cyber insurance costs roughly the same as a modest business software subscription — and provides protection that no software can.

How to assess your risk profile

Before buying, you need to understand your actual cyber exposure. Not in theory — in practice. Here's a framework for Canadian SMBs:

Cyber risk self-assessment for Canadian SMBs

  • Data inventory: What personal information do you collect, store, or process? Customer names and emails? Payment card data? Health information? Social insurance numbers? The more sensitive the data, the higher the regulatory and liability exposure.
  • Data volume: How many records? 500 customer records is different from 50,000. Volume drives notification costs, regulatory attention, and potential liability.
  • Data location: Where does it live? On-premise servers? Cloud platforms like Microsoft 365, Google Workspace, or AWS? Third-party SaaS tools? Each location creates different exposure.
  • Email dependency: Do you use email for financial transactions, vendor communications, or client correspondence? Business email compromise is the most common cyber loss for Canadian SMBs.
  • Payment processing: Do you accept online payments? Process credit cards? Interac e-transfers? Each method creates potential attack vectors.
  • IT infrastructure: Do you have an internal IT team, or do you rely on a managed service provider? Do you use multi-factor authentication? Endpoint protection? Backups?
  • Regulatory obligations: Are you subject to PIPEDA? Provincial privacy legislation (Alberta PIPA, BC PIPA, Quebec Law 25)? Industry-specific regulations? Each adds compliance requirements after a breach.
  • Revenue at risk: If your systems went down for 48 hours, how much revenue would you lose? That's your minimum business interruption exposure.

If you answered yes to three or more of these, you have meaningful cyber exposure that warrants standalone coverage. If you answered yes to five or more, you should consider this urgent rather than optional.

Step-by-step buying guide for Canadian SMBs

The buying process doesn't need to be complicated. Here's a practical path:

  1. Assess your exposure. Use the self-assessment above or run a tool like CyberAgency's Gap Analyzer to map your cyber risk profile and identify where existing policies fall short.
  2. Check your current coverage. Read your CGL, property, crime, and E&O policies for cyber exclusions. If the answer is "I don't know," that's your starting point. Ask your broker to confirm in writing what cyber coverage — if any — exists in your current program.
  3. Determine your coverage needs. Based on your exposure assessment, decide what you need: breach response, business interruption, ransomware, privacy liability, social engineering, regulatory defence. A good broker or a tool like the Cost Calculator can help you set appropriate limits.
  4. Get multiple quotes. The Canadian cyber insurance market is competitive. Different insurers have different appetites, pricing, and policy wordings. Get at least two or three quotes and compare them on coverage, not just premium.
  5. Compare the actual policy wording. Don't just compare limits and premiums. Read the insuring agreements, exclusions, conditions, and sublimits. Key things to check: Is social engineering covered or a sublimit? Is ransomware included? What are the conditions for business interruption? What security controls are required?
  6. Understand the application. Cyber insurance applications ask detailed questions about your security practices. Answer honestly — material misrepresentation can void coverage. If you don't have a control the application asks about, say so. Some insurers will still write the policy; they'll just price accordingly.
  7. Buy standalone, not an endorsement. For most SMBs with meaningful digital exposure, a standalone cyber policy provides substantially better protection than a cyber endorsement on a package policy. The endorsement is cheaper because it covers less.
  8. Implement required controls. Many cyber policies require specific security measures — multi-factor authentication, endpoint protection, regular backups, employee training. Implement these before a claim, not after. Non-compliance with warranted controls can void coverage.

Common mistakes to avoid

Mistake 1: Assuming your CGL covers cyber

It almost certainly doesn't. CGL responds to bodily injury and tangible property damage — not data breaches, ransomware, or privacy incidents. We cover this in detail in our article on cyber insurance vs. general liability.

Mistake 2: Buying the cheapest cyber endorsement and calling it done

A $25,000 or $50,000 cyber endorsement on your commercial package is better than nothing, but it's not a cyber insurance strategy. These endorsements typically have narrow triggers, low sublimits, and no breach response services. They're designed to check a box, not to actually protect your business.

Mistake 3: Assuming your cloud provider is responsible

Cloud providers like Microsoft, Google, and AWS invest heavily in security. But their responsibility is for their infrastructure. Your data is your responsibility. Under PIPEDA, your business is the organization that collected the personal information — you're the one with the regulatory obligation to protect it and report breaches. Your cloud provider's terms of service almost certainly disclaim liability for your data.

Mistake 4: Not implementing required security controls

Many cyber policies include warranted conditions — specific security measures the insured must maintain. If you claim you have multi-factor authentication and don't actually enforce it, the insurer can deny your claim. Read the conditions, implement them, and maintain documentation.

Mistake 5: Underinsuring to save premium

A $250,000 cyber policy limit might look reasonable until you're paying $75,000 in breach response costs, $50,000 in lost revenue, $30,000 in legal fees, and facing a regulatory investigation. Use the Cost Calculator to estimate your realistic exposure, and buy limits that match it.

What happens after you buy

Buying the policy is step one. The next steps matter as much:


FAQ

How much does cyber insurance cost for a small business in Canada?

Typically $1,000 to $5,000 per year for Canadian SMBs, depending on industry, revenue, data volume, security controls, and coverage limits. Very small businesses with minimal digital exposure may pay less; businesses holding sensitive data or operating in high-risk sectors may pay more.

What does cyber insurance actually cover?

First-party costs like breach response, forensic investigation, notification, credit monitoring, business interruption, and ransomware payments, plus third-party costs like privacy liability, regulatory defence, and network liability claims. Most policies also include 24/7 incident response services.

Does my small business need cyber insurance if we use cloud services?

Yes. Cloud providers protect their infrastructure, not your liability for the data you store there. Under PIPEDA, your business is the data collector with the regulatory obligation to protect and report. Your cloud provider's terms of service almost certainly disclaim responsibility for your data.

What's the difference between a cyber endorsement and standalone cyber insurance?

A cyber endorsement adds limited cyber coverage to an existing policy with low sublimits and narrow triggers. Standalone cyber insurance is a dedicated policy with broader coverage, higher limits, and specialized breach response services. Most SMBs with meaningful digital exposure need the standalone version.

How do I file a cyber insurance claim in Canada?

Contact your insurer or broker immediately after discovering an incident. Most cyber policies include a breach hotline for 24/7 incident response. Do not attempt to negotiate with ransomware attackers or notify affected individuals without first consulting the insurer's breach response team.
