Canadian SMBs with revenue under CA$5 million pay approximately CA$1,500–$4,500 per year for a CA$1 million cyber insurance limit in 2026. Premiums are lower when you can document MFA on all accounts, EDR on all devices, tested offsite backups, and automated patch management. Insurers will decline or surcharge businesses that cannot show these controls. The policy pays first-party costs (your breach response, downtime, forensics, ransomware negotiation) and third-party claims from affected customers — coverage your commercial general liability policy explicitly excludes.
Why Canadian SMBs Can No Longer Skip Cyber Insurance
Three things changed between 2020 and 2026 that pushed cyber insurance from optional to essential for Canadian small businesses. First, ransomware operators professionalised: they now offer 24/7 victim support portals, negotiate in English and French, and accept cryptocurrency payments in under an hour. The Canadian Centre for Cyber Security's 2023–2024 National Cyber Threat Assessment identifies ransomware as the most disruptive cyber threat facing Canadian organizations and explicitly names SMBs as frequent targets because they typically have weaker defences than large enterprises but still hold sensitive customer data and financial records worth compromising.
Second, regulatory exposure now compounds breach costs. PIPEDA's mandatory breach reporting, active since 2018, requires the Office of the Privacy Commissioner to be notified of any breach posing a "real risk of significant harm." Quebec's Law 25, fully in force since September 2023, adds a hard 72-hour CAI notification deadline and personal fines for privacy officers. A breach that costs CA$120,000 to remediate technically can simultaneously generate a CA$25,000 OPC investigation, a CA$50,000 class-action retainer, and a Law 25 penalty that starts at CA$15,000 for a first offence. None of those costs appear in the remediation invoice.
Third, the commercial general liability (CGL) policy most SMBs rely on explicitly excludes cyber events in its standard exclusion clauses. Courts in Ontario, BC, and Quebec have consistently upheld these exclusions. A 2022 Ontario Superior Court ruling confirmed that a CA$400,000 business interruption loss from a ransomware attack against a Mississauga logistics company was not covered under the company's CGL policy. The owner assumed he was covered — a belief that cost him more than a decade of cyber insurance premiums.
IBM Security's 2024 Cost of a Data Breach Report measured the average total Canadian breach cost at approximately CA$6.7 million across all sizes. For SMBs, realistic recovery costs from a ransomware event alone — forensics, downtime, legal fees, customer notification, and IT rebuilding — commonly run CA$80,000 to CA$500,000 before any ransom is considered. Coveware's 2024 Q4 report puts the median ransomware demand against SMBs at US$200,000. A CA$2,000/year policy with a CA$1 million limit is not a luxury for a 15-person accounting firm. It is the difference between surviving an incident and closing.
First-Party vs. Third-Party Cyber Coverage Explained
Understanding the distinction between first-party and third-party coverage is the most important structural concept in a cyber insurance policy, because the sub-limits for each bucket are often negotiated separately and the default splits may not match your actual risk profile.
First-party coverage pays your own organization's costs when a cyber event occurs — regardless of whether any third party makes a claim against you. The core first-party categories are:
- Incident response and forensics: The cost of the IR firm that identifies what happened, which systems were accessed, and what data was exposed. For a 20-person firm, a thorough forensic investigation runs CA$15,000–$80,000.
- Business interruption: Lost revenue and extra expenses (renting temporary equipment, emergency IT labour) during the period your systems are unavailable. Policies specify a waiting period (typically 8–24 hours) before the clock starts and a restoration period cap (often 90–180 days).
- Ransomware response: Negotiation fees paid to a specialist negotiating firm and, if unavoidable, the ransom payment itself (up to the policy sub-limit). Most insurers require documented proof that decryption from backup was attempted and failed before authorizing a payment.
- Data recovery: Costs of reconstituting corrupted or destroyed data from backups or other sources — distinct from the ransom payment and distinct from business interruption.
- Crisis communications: PR firm costs and breach notification expenses — letters to affected individuals, credit monitoring services, call centre setup. In Canada, PIPEDA notification costs and Quebec CAI reporting obligations fall here.
- Cyber extortion: Threats to publish stolen data or attack systems unless paid. This is distinct from encrypting ransomware: the extortionist may never have encrypted anything but holds sensitive client lists or financial records.
Third-party coverage responds when another party makes a claim against your business arising from a cyber event — most commonly clients whose data you held and which was compromised. Key third-party categories:
- Network security and privacy liability: Claims by customers, employees, or business partners alleging you failed to adequately protect their personal information. This is the primary coverage for post-breach class-action exposure under PIPEDA or Law 25.
- Regulatory defence and fines: Legal fees defending an OPC investigation or CAI complaint, and the penalties themselves where insurable under Canadian law. Note: not all provincial laws permit insurance against regulatory fines — confirm with your broker.
- Media liability: Claims arising from defamation, copyright infringement, or privacy violation through your website or digital communications. Relevant for businesses with active social media or online publishing activities.
- Technology errors and omissions (tech E&O): Claims that a technology product or service you provided failed and caused the client a cyber loss. Critical for IT service providers, SaaS companies, and consultants — most standalone cyber policies for SMBs include a basic tech E&O sublimit, but dedicated technology businesses typically need broader standalone tech E&O coverage.
Most Canadian SMB cyber policies are package policies that bundle both buckets under a single aggregate limit with separate sub-limits per coverage category. A typical CA$1 million aggregate policy might allocate CA$500,000 to first-party and CA$500,000 to third-party, or offer a single aggregate across both. Negotiate sub-limits based on your actual exposure: a professional services firm with hundreds of client files stored in Microsoft 365 has very different third-party exposure than a retail shop whose cyber risk is primarily POS system downtime.
What Cyber Insurance Excludes: The Gaps That Surprise Business Owners
Most SMBs learn about cyber insurance exclusions during the claim process — which is the worst possible time. The standard exclusions in Canadian cyber policies as of 2026 are:
- Acts of war and nation-state attacks: The Lloyd's of London war exclusion update (2023) rippled through the London Market capacity that underwrites a significant share of Canadian commercial cyber. Attacks attributed to nation-states — Russia, China, North Korea, Iran — may be excluded. This is a live dispute in claims from the NotPetya era and several 2024 healthcare incidents in Canada where attribution was asserted by the government. Read the war exclusion language carefully: some policies exclude only direct government-ordered attacks; others exclude any attack attributed to a state-sponsored actor.
- Bodily injury and property damage: A cyber event that causes physical harm — a compromised SCADA system at a water plant, a hacked medical device, a fire triggered by a compromised building management system — is not covered by a cyber policy. That exposure falls under general liability or specialist OT insurance.
- Infrastructure failures: If your ISP goes down, your cloud provider has an outage, or the electrical grid fails and you cannot access your systems, that is not a cyber event under most policy definitions. The outage must be caused by a covered cyber event affecting your specific environment.
- Unencrypted data on lost or stolen devices: If a laptop containing unencrypted personal health information is stolen from a car, the resulting PIPEDA notification and legal costs may be excluded — or covered under a much lower sublimit — if your policy required device encryption as a condition of coverage and you had no documented encryption policy. This is one of the most common reasons small professional services claims are disputed.
- Intentional acts and insider fraud: An employee who deliberately exfiltrates data or sabotages systems is excluded from cyber coverage. Employee crime and fidelity bonds cover that exposure. Cyber policies cover unauthorized external access or accidental employee errors — not deliberate insider misconduct.
- Prior incidents and known vulnerabilities: A vulnerability your IT team knew about, flagged in a previous security assessment, and did not remediate is treated as a known risk at policy inception and may be excluded. This is why maintaining a documented vulnerability register and showing remediation activity is important not just for security but for claims defensibility.
- Social engineering and funds transfer fraud: Wire transfer fraud — an employee is tricked by a fake invoice or CEO impersonation email and sends CA$85,000 to a fraudster — sits at the intersection of cyber, crime, and social engineering policies. Many cyber policies include a social engineering or BEC sublimit (often CA$100,000–$250,000) that is lower than the main limit. Some policies exclude it entirely unless you add a specific BEC rider. Confirm this coverage explicitly given that CAFC logged over CA$59 million in verified BEC losses in Canada in 2022.
- OFAC and OSFI sanctions violations: Paying a ransom to an entity on OFAC (US Treasury) or OSFI sanctions lists exposes you to regulatory penalties — and some insurers now include a clause that voids ransom payment coverage if the recipient is a sanctioned entity. Negotiation before any payment is essential, and the insurer's specialist negotiator typically handles sanctions screening.
Cyber Insurance Premiums in Canada: 2026 Cost by Revenue and Sector
Canadian cyber insurance premiums hardened significantly in 2021–2022 following a wave of ransomware losses, then partially stabilized in 2023–2024 as underwriters improved their security requirements and higher-risk accounts were either declined or pushed to surplus lines markets. By 2026, a well-controlled SMB — documented MFA, EDR, tested backups — can obtain competitive pricing. A business with weak controls pays a significant surcharge or cannot obtain coverage at standard market rates.
The premium ranges below are illustrative 2026 market estimates for Canadian SMBs from brokers including BFL Canada, Gallagher, Intact, and Coalition. Actual quotes depend on your specific controls documentation, revenue, claims history, and the insurer's current appetite for your industry sector. Always obtain a minimum of three quotes.
| Annual revenue | Standard sectors | Healthcare / finance / legal | Surcharge: no MFA | Limit |
|---|---|---|---|---|
| Under CA$1M | CA$1,200–$2,200/yr | CA$2,000–$3,800/yr | +50–100% | CA$500K–$1M |
| CA$1M–$5M | CA$1,500–$4,500/yr | CA$3,500–$8,000/yr | +75–150% or decline | CA$1M |
| CA$5M–$25M | CA$4,500–$12,000/yr | CA$8,000–$20,000/yr | Decline or surplus lines | CA$2M–$5M |
| CA$25M–$100M | CA$12,000–$35,000/yr | CA$20,000–$65,000/yr | Decline standard; surplus market only | CA$5M–$10M |
Deductibles are a meaningful lever. Most SMB policies default to CA$10,000–$25,000 deductibles, which keeps premiums in the ranges above. Accepting a CA$50,000 deductible can reduce premiums by 20–35% for businesses that have sufficient cash reserves to self-insure the first tier of a small incident. Conversely, requesting a CA$2,500 deductible inflates premiums substantially. Many financial advisors recommend matching your deductible to your accessible operating reserve — not to the point where a small claim forces you to drain emergency funds before the insurer responds.
The Underwriting Process: How Insurers Assess Your Risk
Cyber insurance underwriting in Canada changed fundamentally between 2020 and 2023. The pre-pandemic era of one-page applications asking "do you have a firewall?" is over. Modern underwriting combines a detailed security questionnaire with external scanning of your publicly exposed infrastructure — and some insurers run automated scans of your domain before the underwriter even reads your application, flagging open RDP ports, unpatched web servers, or expired SSL certificates as immediate underwriting concerns.
A standard 2026 Canadian cyber insurance application for a CA$1M–$5M revenue business typically runs 8–25 pages and asks specifically about:
- MFA deployment percentage across all user accounts, with separate questions for privileged/admin accounts and remote access
- Endpoint security platform name and version, with confirmation it covers 100% of devices including remote workers
- Backup frequency, offsite storage method, last confirmed restore test date, and whether backups are immutable and segmented from production
- Patch management policy, including time-to-patch for critical CVEs and coverage of third-party applications
- Employee security training frequency and whether phishing simulations are run
- Number of records containing personal information, by category (PII, PHI, payment card data)
- Whether you use remote desktop protocol (RDP) exposed directly to the internet — this is an automatic decline trigger at many insurers
- Your incident response plan and whether it has been tested in the past 12 months
- Any prior cyber incidents in the past five years, including unreported incidents you are aware of
Misrepresenting your security controls on the application is grounds for voiding the policy at claim time — and Canadian courts have upheld insurer rescissions in such cases. The standard of "material misrepresentation" in Canadian insurance law means any false statement that a prudent insurer would have considered in deciding to offer coverage or set the premium. If you claim 100% MFA deployment but a forensic investigation reveals several privileged accounts without MFA, the claim is at risk regardless of how the breach occurred. Accuracy in the application is not just an ethical obligation; it is the foundation of your claims defensibility.
MFA and Endpoint Security: Non-Negotiable Underwriting Requirements
Multi-factor authentication is the single most scrutinized control in Canadian cyber underwriting. The reason is straightforward: compromised credentials — stolen via phishing, credential stuffing, or dark-web purchases — are the initial access vector in a significant majority of ransomware and BEC incidents. MFA blocks more than 99% of automated credential-based attacks (Microsoft threat intelligence, 2024). An insurer accepting a business without MFA is essentially insuring a car with no locks.
As of 2026, the MFA standard required by most Canadian cyber insurers is:
- MFA on all cloud email accounts (Microsoft 365, Google Workspace) — no exceptions for any role
- MFA on all remote access methods: VPN, Remote Desktop, Citrix, or any other remote-access solution
- MFA on all privileged and administrator accounts, enforced at the identity provider level (not optional)
- Authenticator app or hardware key preferred; SMS-based MFA accepted at most insurers but flagged as a weakness (SIM-swap vulnerability)
- Some insurers now specifically exclude accounts with only SMS-based MFA from their "MFA deployed" count and surcharge for them
Businesses that cannot demonstrate complete MFA deployment are either declined standard market coverage or face 50–150% premium surcharges. The practical path: enable Microsoft 365 Security Defaults or configure Conditional Access with MFA for all users before submitting any insurance application. For a step-by-step MFA rollout, see the MFA deployment guide for Canadian businesses.
Endpoint detection and response (EDR) is the second non-negotiable control. By 2025, most major Canadian cyber insurers added EDR to their mandatory-or-surcharge questionnaire. The distinction from legacy antivirus is important: insurers specifically ask whether your endpoint security platform performs behavioral analysis and can contain (isolate) a compromised device automatically, not merely whether you have antivirus installed. Microsoft Defender for Endpoint (included in Microsoft 365 Business Premium at CA$26.30/user/month), SentinelOne Singularity, and CrowdStrike Falcon are the platforms name-checked most favourably in insurer guidance documents. "Windows Defender" (the free consumer version) is not equivalent and is frequently flagged. For a comparison of Canadian SMB endpoint options, see the cybersecurity guide.
Backup, Training, and Additional Underwriting Requirements
After MFA and EDR, the underwriting checklist extends to four additional areas that directly affect your premium and whether a claim will be paid:
Tested, immutable backups. Insurers learned from the wave of 2020–2022 ransomware claims that attackers specifically sought out and destroyed or encrypted backup copies before triggering visible ransomware. Policies written for businesses with no tested backup procedure or with backups on the same network as production data resulted in maximum-limit claims because the insured had no alternative to paying the ransom or rebuilding from scratch. By 2026, standard application language asks whether your backups are: (1) automated and run at minimum daily; (2) stored offsite or in cloud storage isolated from your main environment; (3) immutable or air-gapped so they cannot be modified by a compromised account; and (4) restore-tested within the past 12 months with documented results. Failing any of these typically triggers a coverage sublimit reduction on the ransomware response section. For the full backup framework, see the backup and disaster recovery guide.
Security awareness training. Most insurers include security awareness training as a preferred or required control for accounts above CA$5M revenue, and several SMB-focused programs (Coalition, At-Bay) offer premium discounts of 5–15% for documented annual training with simulated phishing. The ask is modest: a platform-delivered annual training module covering phishing recognition and BEC red flags, plus evidence you ran at least two phishing simulations in the past 12 months. CIRA's 2023 Canadian Internet Security Report found only 34% of Canadian SMBs with fewer than 250 employees provided any security training in the past year — a gap that directly affects their risk profile and premium.
Patch management. Most applications ask whether your patch policy applies Critical vulnerabilities within 30 days and whether patch status is actively monitored across all endpoints. Some insurers scan for known unpatched CVEs against your public-facing IP addresses as part of automated underwriting — an unpatched Exchange server or a vulnerable VPN appliance visible on your external IP is flagged before a human underwriter sees your application.
No exposed RDP. Remote Desktop Protocol exposed directly on port 3389 to the internet is an automatic decline trigger at virtually every standard market Canadian insurer. RDP is the number one initial access vector for ransomware in Canada according to multiple years of CCCS incident data. If your team uses RDP for remote access, it must be behind a VPN with MFA — not exposed directly. This change must be implemented before applying.
How a Cyber Insurance Claim Works: Step-by-Step
Most cyber insurance claims are mishandled in the first 12 hours — not because the insured made bad decisions, but because they did not know the rules of engagement. The sequence below applies to the majority of Canadian SMB cyber claims in 2026 and is based on standard Canadian policy language and incident response practice.
- Call the breach hotline first — before anything else. Every cyber policy includes a 24/7 breach response hotline. Call it before you engage any IT firm, before you wipe any device, and before you pay anything. Vendors engaged before insurer approval are typically not reimbursed. Write the hotline number in your incident response plan and on the inside cover of your paper policy binder — you will not be able to calmly search for it at 2 AM during an active incident.
- Do not wipe or rebuild affected systems. Preservation of forensic evidence is a policy condition in most contracts. Wiping a server to "get back up faster" destroys the forensic timeline the IR firm needs to determine scope — which in turn may void coverage for costs the insurer cannot validate. Place affected systems in an isolated state (disconnect from the network) and wait for IR firm instructions.
- The insurer deploys a panel IR firm. Insurers maintain approved panels of incident response firms — often Mandiant, Arctic Wolf, Secureworks, or a Canadian specialist. The IR firm takes containment control. Your internal IT team supports but does not lead. If you have a preferred IR firm not on the panel, negotiate panel approval before an incident occurs — do not try to negotiate during one.
- Parallel: begin regulatory clock management. While IR is underway, start the regulatory notification clock. PIPEDA requires OPC notification "as soon as feasible" — the OPC interprets this as days, not weeks. Quebec's Law 25 requires CAI notification within 72 hours of confirming a confidentiality incident poses risk of serious injury. Your legal counsel and the insurer's coverage counsel (often deployed immediately) coordinate these filings. Regulatory penalties for late reporting accrue daily.
- Document all costs from the first hour. Keep a running log of every person-hour, every vendor invoice, every piece of replacement hardware, every overtime payment. The IR firm generates its own documentation, but your internal labour costs and business interruption losses require your own records. Business interruption calculations depend on documented revenue — pull the past 12 months of revenue records immediately.
- Ransomware decision point (if applicable). If the attacker has encrypted your systems, the insurer's negotiator assesses whether paying would restore operations faster than restoring from backup. If verified immutable backups exist and restoration time is known, the insurer typically directs restoration over payment. If no usable backup exists, the negotiator engages the attacker, performs sanctions screening, and manages the payment process within the policy sub-limit.
- Post-incident: improve the controls that failed. The IR forensic report will identify the initial access vector and lateral movement path. Use this to close the gaps. Some insurers now include post-incident control improvement requirements as a condition of renewal — failure to implement documented remediation can affect your next renewal premium or result in non-renewal.
Three Canadian SMB Claims Scenarios
The following scenarios are illustrative composites drawn from publicly reported incident patterns, CCCS advisories, and Canadian insurance industry case studies. They are anonymized and representative, not accounts of specific companies.
Scenario 1: Accountancy firm, Ottawa, 18 staff. A staff accountant clicked a phishing link in a spoofed CRA email, entering their Microsoft 365 credentials on a fake login page. The attacker used the stolen credentials to access the firm's SharePoint, exfiltrating 11,000 client tax files over four days before deploying ransomware that encrypted the local file server and two workstations. The firm had no MFA on Microsoft 365 (had been "meaning to enable it"), no EDR (running Windows Defender consumer), and backups stored on a NAS drive connected to the same network — which the ransomware also encrypted. The firm had a cyber policy purchased the prior year. The insurer's forensic team confirmed the NAS backup was unusable. Total covered costs: CA$287,000 — forensics (CA$62,000), ransom payment (CA$95,000 equivalent after negotiation from a US$240,000 demand), legal fees and OPC filing (CA$38,000), customer notification (CA$52,000), IT rebuild (CA$40,000). The claim paid in full. However, the renewal premium increased by 180%. Had MFA been enabled, the stolen credentials would not have provided access to Microsoft 365. Had the backups been immutable and offsite, the ransom would not have been necessary.
Scenario 2: Manufacturing firm, Hamilton, 45 staff. An attacker exploited a 14-month-old vulnerability in an unpatched VPN appliance (CVE published and actively exploited, patch available) to gain network access, spending 22 days moving laterally before triggering ransomware against 6 servers. The company had MFA on Microsoft 365 but not on the VPN. EDR was deployed and did generate alerts on day 3 and day 9, but the alerts were not monitored — the firm's IT generalist was on vacation and alerts routed to his personal inbox. Business interruption lasted 17 days at estimated revenue impact of CA$380,000. The cyber policy paid: forensics (CA$78,000), IT rebuild (CA$155,000), business interruption (CA$220,000 against a CA$250,000 sub-limit), legal (CA$44,000). Total paid: CA$497,000 of a CA$1M limit. The insurer accepted the claim but noted in writing that the unmonitored alert pattern indicated a failure of security governance — which was referenced in the renewal underwriting. Key lesson: EDR alerts must be monitored. Deploying the software without a monitoring arrangement is not equivalent to having a working security control.
Scenario 3: Dental clinic group, Montréal, 3 locations, 22 staff. A BEC attack impersonated the clinic group's equipment supplier — the attacker had compromised the supplier's email and sent a realistic invoice for dental equipment with updated banking details. The office manager processed a CA$67,000 payment to the fraudster's account before the real supplier followed up on a late payment. The clinic had a cyber policy with a social engineering/BEC sublimit of CA$100,000. The insurer paid CA$67,000 (the full loss, below the sublimit). The claim process took 11 weeks and required a police report and sworn statement. The clinic also filed under Law 25 because the attacker had accessed the supplier's system, which held the clinic's contact and banking relationship information. The CAI notification was filed within 72 hours. Key lesson: BEC/social engineering coverage exists but carries its own sublimit — confirm it when buying the policy, and verify it is meaningfully sized relative to your payment volumes.
Comparing Canadian Cyber Insurers and Brokers
The Canadian cyber insurance market is accessed through specialist brokers (who place policies with multiple insurers) and through insurer-direct programs for smaller accounts. The landscape includes standard domestic carriers, London Market capacity through Lloyd's syndicates, and newer "insurtech" carriers that automate underwriting for SMBs. Key differences matter for SMBs beyond the premium headline.
| Insurer / channel | SMB sweet spot | Application process | Standout feature | Notable limitation |
|---|---|---|---|---|
| Coalition (via broker) | Under CA$25M revenue | Automated + external scan; <15 min | Continuous external monitoring; active risk alerts | Monitoring alerts create claims context |
| At-Bay (via broker) | Under CA$50M revenue | Automated + external scan | Strong ransomware response; proactive threat bulletins | Narrower coverage in some tech E&O areas |
| Intact Insurance | CA$1M–$50M revenue | Via broker; standard questionnaire | Domestic Canadian carrier; French-language claims support | More conservative capacity on high-risk sectors |
| Aviva Canada | CA$2M–$100M revenue | Via broker; detailed questionnaire | Broad policy form; strong BEC sublimits | Longer underwriting cycle for complex accounts |
| Chubb / London Market | CA$10M+ revenue | Via specialist broker; bespoke | High limits (CA$10M+); broader coverage language | Complex underwriting; not cost-effective for small SMBs |
| BFL Canada (broker) | All SMB sizes; specialty broker | Brokers multiple markets; tailored | Access to multiple markets; claims advocacy | Not an insurer; relies on carrier appetite |
Canadian brokers specializing in cyber for SMBs include BFL Canada, Gallagher Canada, Hub International, Aon Canada, and Marsh Canada — all of whom access multiple markets and can compare policy language, not just premium. For micro-businesses under CA$1M revenue, regional brokers affiliated with the Insurance Brokers Association of Canada (IBAC) who understand the automated underwriting platforms are often more practical than engaging a national specialty brokerage.
How to Choose the Right Cyber Insurance Policy for Your Business
Premium is the least important variable when comparing cyber policies. Two policies with identical premiums can have coverage differences worth CA$200,000 in a ransomware scenario because of sublimit structure, waiting period language, or definitions of "computer system" that do or do not include cloud services. The checklist below covers what to evaluate when comparing quotes:
- Does the policy cover cloud-hosted data? Many SMBs store everything in Microsoft 365, Google Workspace, or an ERP system. "Computer system" definitions that focus on hardware you own may not explicitly include cloud environments. Confirm in writing.
- What is the ransomware sublimit vs. the aggregate? Some policies have a ransomware sublimit at 50% of the aggregate limit. If your aggregate is CA$1M but ransomware is capped at CA$500,000, a CA$350,000 ransom plus CA$250,000 in IR and downtime from the same ransomware event totals CA$600,000, which exceeds the sublimit even though it sits well under the aggregate. Negotiate the sublimit or accept a higher premium for a full-limit ransomware endorsement.
- What is the business interruption waiting period and calculation method? The waiting period (8, 12, or 24 hours before BI coverage starts) matters — most incidents involve at least 48 hours of disruption. The calculation method (actual revenue loss vs. normalized revenue) matters even more. Request the calculation formula and model it against a realistic downtime scenario for your business.
- Is social engineering / BEC covered, and at what sublimit? A CA$50,000 BEC sublimit on a CA$1M policy is inadequate if your firm processes supplier payments in the CA$100,000–$300,000 range. Most major incidents of BEC fraud against Canadian professional services firms fall in the CA$50,000–$500,000 range.
- Are panel IR firms available in your city and in French? For a Montreal-based business, verify that the insurer's incident response panel includes firms with French-language capability and Quebec regulatory expertise. Law 25 CAI filings and Quebec-specific legal exposure require local knowledge.
- Does the policy cover regulatory fines and penalties, and under which laws? Confirm PIPEDA OPC penalties are covered. For Quebec businesses, confirm Law 25 CAI penalties are included — not all policies explicitly name Law 25 given its recent full implementation.
- What is the war exclusion language, and how is "nation-state attack" defined? The Lloyd's war exclusion update created ambiguity that several Canadian claims have tested. Ask for the specific exclusion language and how the insurer has handled disputed attributions in practice.
- What security controls are warranted vs. preferred? Warranties (conditions precedent to coverage) are controls you must maintain throughout the policy term — failure voids coverage. Preferred controls only affect your premium. Understand which category your MFA, backup, and EDR controls fall under. If MFA is a warranty, an account discovered without MFA at claim time could void the policy.
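The sublimit, waiting-period and aggregate interactions in the checklist above can be modelled before you sign. The Python below is an added example written for this article, not code from the original page or from any insurer; the two quotes, the incident figures and the simplifying assumptions (the deductible is absorbed once per claim, categories are settled in the order listed, business interruption is prorated by calendar day) are all constructed, so substitute the calculation method your broker provides.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    """Terms that drive how much a cyber policy actually pays (constructed)."""
    name: str
    aggregate: float            # single aggregate limit across all categories
    deductible: float           # assumption: absorbed once per claim
    sublimits: dict             # category -> cap; uncapped categories are omitted
    bi_waiting_hours: float     # hours of downtime before BI coverage begins
    bi_restoration_days: int    # cap on the BI restoration period


@dataclass
class Incident:
    """Loss figures for one event (constructed)."""
    costs: dict                 # non-BI category -> amount, in claim order
    downtime_hours: float
    daily_revenue: float        # assumption: BI is prorated by calendar day


def business_interruption_loss(incident: Incident, policy: Policy) -> float:
    """BI loss after the waiting period and the restoration-period cap."""
    covered_hours = max(0.0, incident.downtime_hours - policy.bi_waiting_hours)
    covered_hours = min(covered_hours, policy.bi_restoration_days * 24)
    return covered_hours / 24 * incident.daily_revenue


def settle(policy: Policy, incident: Incident) -> dict:
    """Apply deductible, per-category sublimits and the aggregate, in claim order."""
    claimed = dict(incident.costs)
    claimed["business_interruption"] = business_interruption_loss(incident, policy)
    paid = {}
    aggregate_left = policy.aggregate
    deductible_left = policy.deductible
    for category, amount in claimed.items():
        # the deductible erodes the first dollars of the claim
        absorbed = min(amount, deductible_left)
        deductible_left -= absorbed
        eligible = amount - absorbed
        # per-category sublimit first, then whatever remains of the aggregate
        capped = min(eligible, policy.sublimits.get(category, eligible), aggregate_left)
        aggregate_left -= capped
        paid[category] = capped
    total_loss = sum(claimed.values())
    total_paid = sum(paid.values())
    return {
        "claimed": claimed,
        "paid": paid,
        "total_loss": total_loss,
        "total_paid": total_paid,
        "out_of_pocket": total_loss - total_paid,
    }


def compare_quotes(policies, incident: Incident) -> dict:
    """Out-of-pocket exposure under each quote for the same incident."""
    return {p.name: settle(p, incident)["out_of_pocket"] for p in policies}


# Two constructed quotes at the same premium: A caps ransomware at half the
# aggregate and BI at CA$250K with a 24-hour wait; B has a full-limit ransomware
# endorsement, a CA$500K BI sublimit and a 12-hour wait.
QUOTE_A = Policy("Quote A", 1_000_000, 25_000,
                 {"ransomware": 500_000, "business_interruption": 250_000,
                  "social_engineering": 100_000}, 24, 90)
QUOTE_B = Policy("Quote B", 1_000_000, 25_000,
                 {"business_interruption": 500_000, "social_engineering": 100_000}, 12, 90)

# Constructed: one ransomware event costing CA$350K ransom + CA$250K IR/downtime,
# all of which falls under the ransomware sublimit.
RANSOMWARE_INCIDENT = Incident({"ransomware": 600_000}, 0, 0)

# Constructed: 17 days (408 hours) of downtime at CA$22,000/day plus
# forensics, rebuild and legal costs.
DOWNTIME_INCIDENT = Incident(
    {"forensics": 78_000, "it_rebuild": 155_000, "legal": 44_000}, 408, 22_000)

if __name__ == "__main__":
    for incident in (RANSOMWARE_INCIDENT, DOWNTIME_INCIDENT):
        print(compare_quotes([QUOTE_A, QUOTE_B], incident))
```

Under these assumptions the same downtime incident leaves CA$127,000 uninsured under Quote A and CA$25,000 under Quote B, which is the kind of gap the checklist is meant to surface.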
Cyber Insurance and Canadian Regulatory Compliance
Cyber insurance and regulatory compliance interact in four important ways that Canadian SMB owners frequently misunderstand.
Insurance does not replace compliance. Having a cyber policy does not satisfy PIPEDA's requirement for "appropriate security safeguards." The OPC assesses whether your security controls were reasonable given the sensitivity of the data you held — an insurer paying your breach costs does not retroactively validate your security program. The controls required to obtain cyber insurance (MFA, EDR, tested backups, patch management) are largely the same controls the OPC considers as demonstrating reasonable care. Implementing them serves both purposes simultaneously.
The 72-hour clock is your hardest deadline. Quebec's Law 25 mandates CAI notification within 72 hours of confirming a confidentiality incident poses a risk of serious injury. PIPEDA requires OPC notification "as soon as feasible" — in practice within a few days. These deadlines run concurrently with your IR team's investigation, your ransomware negotiations, and your customer notification preparation. Your incident response plan must include these deadlines and the specific contact information: OPC breach reporting portal at priv.gc.ca and CAI at cai.quebec.ca. The insurer's coverage counsel typically assists with coordinating these filings, but the obligation is yours as the data controller. For the full regulatory compliance framework and its interaction with Law 25, see the Law 25 compliance guide.
Customer notification costs are a predictable expense. PIPEDA requires notification to affected individuals when a breach poses a real risk of significant harm. For a 20-person accounting firm with 3,000 client files, notification can mean 3,000 letters, a call-centre script, and potentially credit monitoring services for 12 months. At CA$5–$15 per notification, that is CA$15,000–$45,000 in notification costs alone — well within the first-party coverage bucket of a standard cyber policy. Confirm the per-person notification cost sublimit in your policy; some policies cap this at CA$25 per notification, which is below actual Canadian credit-monitoring service rates.
Sector overlays: healthcare, financial services, and government contractors. Ontario's PHIPA (Personal Health Information Protection Act) imposes additional breach reporting obligations for health information custodians — Ontario dentists, clinics, and pharmacies have specific IPC reporting requirements distinct from PIPEDA. OSFI Guideline B-10 on third-party risk management affects federally regulated financial institutions and their suppliers. Federal government contractors under PSPC IT security requirements may have mandatory cyber insurance provisions in their contract — verify your contract language before assuming minimum coverage applies. These sector-specific requirements typically require higher coverage limits and specific policy endorsements not present in a standard SMB form.
Preparing Your Business to Qualify: A Pre-Application Checklist
Before contacting a broker, use this checklist to assess your current state against standard Canadian underwriting requirements. Items marked as mandatory are virtually certain to be required; items marked as preferred will reduce your premium if documented.
- [Mandatory] MFA enabled on 100% of email accounts — Microsoft 365 Security Defaults or Conditional Access, Google Workspace 2-Step Verification; no opt-outs for any role
- [Mandatory] MFA on all remote access: VPN, Remote Desktop, any cloud management consoles
- [Mandatory] MFA on all administrator and privileged accounts, enforced at the identity provider
- [Mandatory] No RDP port 3389 exposed directly to the internet — must be behind VPN+MFA
- [Mandatory] EDR or equivalent deployed on 100% of endpoints (not consumer Windows Defender)
- [Mandatory] Automated daily backups to an offsite or isolated destination
- [Mandatory] Documented backup restore test within the past 12 months with confirmed recovery
- [Preferred] Immutable or air-gapped backup copy (object lock, tape, cloud with delete protection)
- [Preferred] Critical/High CVE patches applied within 30 days, documented by patch compliance report
- [Preferred] Security awareness training in the past 12 months with documented completion
- [Preferred] Phishing simulation run in the past 12 months
- [Preferred] Written incident response plan populated with current contacts and tested by tabletop
- [Preferred] DMARC configured at p=quarantine or p=reject on your primary email domain
- [Preferred] Network segmentation with IoT and guest Wi-Fi isolated from staff network
If you cannot check all Mandatory items today, prioritize them before submitting applications. A business that implements all Mandatory controls is typically able to obtain standard market coverage at the premium ranges in the table above. Each Preferred item you can document in writing reduces your premium incrementally and strengthens your claims position if an incident occurs. For managed implementation of the controls on this list, the managed IT services guide covers provider selection for Canadian businesses.
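The checklist items that can be settled from evidence you already hold (MFA and EDR coverage percentages, the date of the last restore test, whether RDP is reachable from the internet, your DMARC record) can be checked mechanically before you call a broker. The following is an added example, not code from this article or from any insurer; the evidence dictionary layout and the DMARC record strings are constructed assumptions, and the DMARC check parses a record you supply rather than doing a live DNS lookup.

```python
from datetime import date, timedelta

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=...' into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcing(txt: str) -> bool:
    """True only for v=DMARC1 with p=quarantine or p=reject applied to all mail.

    pct below 100 or sp=none on subdomains weakens enforcement, so both fail here
    even though the record nominally says p=reject.
    """
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("quarantine", "reject"):
        return False
    if int(tags.get("pct", "100")) < 100:
        return False
    return tags.get("sp", tags["p"]) in ("quarantine", "reject")   # sp defaults to p

def evaluate(evidence: dict, today: date) -> dict:
    """Return {item: (tier, passed)} for the checklist items that evidence can settle."""
    last_test = evidence.get("last_restore_test")
    restore_ok = last_test is not None and today - last_test <= timedelta(days=365)
    return {
        "mfa_email_100pct":   ("Mandatory", evidence["mfa_email_pct"] == 100),
        "mfa_remote_access":  ("Mandatory", evidence["mfa_remote_access"]),
        "no_rdp_on_internet": ("Mandatory", not evidence["rdp_internet_exposed"]),
        "edr_100pct":         ("Mandatory", evidence["edr_endpoint_pct"] == 100),
        "restore_test_12mo":  ("Mandatory", restore_ok),
        "dmarc_enforcing":    ("Preferred", dmarc_enforcing(evidence["dmarc_txt"])),
    }

def mandatory_gaps(results: dict) -> list:
    """Mandatory items that failed: fix these before submitting an application."""
    return [item for item, (tier, ok) in results.items() if tier == "Mandatory" and not ok]

if __name__ == "__main__":
    # Constructed evidence for a hypothetical firm: one MFA opt-out and a stale restore test.
    evidence = {"mfa_email_pct": 98, "mfa_remote_access": True, "rdp_internet_exposed": False,
                "edr_endpoint_pct": 100, "last_restore_test": date(2024, 11, 1),
                "dmarc_txt": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"}
    results = evaluate(evidence, date(2026, 1, 15))
    print(mandatory_gaps(results))   # ['mfa_email_100pct', 'restore_test_12mo']
```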
Frequently Asked Questions
How much does cyber insurance cost for a small business in Canada?
Canadian SMBs with revenue under CA$5 million and standard security controls (MFA, EDR, tested backups) typically pay CA$1,500–$4,500 per year for a CA$1 million aggregate limit in 2026. Micro-businesses under CA$1M revenue can find coverage starting around CA$1,200–$2,200/year. Higher-risk sectors — healthcare, legal, finance — pay 1.5 to 3 times more. Businesses that cannot demonstrate MFA face 50–150% surcharges or are declined by standard market insurers.
What does cyber insurance cover for Canadian businesses?
First-party coverage pays your costs: incident response and forensics, business interruption revenue loss, ransomware negotiation and payment (up to a sublimit), data recovery, breach notification to customers and regulators, and crisis communications. Third-party coverage pays client claims: network security and privacy liability suits, regulatory defence and fines (PIPEDA, Law 25), and media liability. Most Canadian SMB policies bundle both under one aggregate limit with separate sublimits per category.
What security controls do cyber insurers require in Canada?
As of 2026, all major Canadian cyber insurers require as a minimum: MFA on all email and privileged accounts, EDR on all endpoints, tested offsite backups with a documented restore, automated patch management, and no RDP directly exposed to the internet. Security awareness training and a written incident response plan are strongly preferred and earn premium discounts. Missing any of the hard requirements typically results in decline or a 50–150% premium surcharge.
Does cyber insurance cover ransomware payments in Canada?
Most Canadian policies include a ransomware response sublimit covering negotiation fees and the ransom payment itself. Insurers require documented evidence that a restore from immutable backup was attempted or evaluated before authorizing payment. The insurer's specialist negotiator conducts sanctions screening — payments to entities on OFAC or OSFI sanctions lists may not be covered. Business interruption during the recovery period is covered separately under the first-party section.
What does cyber insurance NOT cover?
Standard exclusions include: acts of war and nation-state-attributed attacks; bodily injury or property damage from a cyber event; cloud provider or ISP outages not caused by a breach of your environment; unencrypted PII on a lost device when no encryption policy was documented; intentional insider acts; and prior known incidents or vulnerabilities at policy inception. Social engineering / BEC losses are often covered under a lower sublimit — confirm the sublimit amount, which can be significantly below the main policy limit.
How does a cyber insurance claim work in Canada?
Call the insurer's 24/7 breach hotline before engaging any external IT firm or wiping any system — vendors engaged without insurer approval may not be reimbursed. The insurer dispatches a panel IR firm. Preserve forensic evidence by isolating (not wiping) affected systems. Simultaneously manage regulatory deadlines: Law 25 requires CAI notification within 72 hours; PIPEDA requires OPC notification as soon as feasible. Document all costs from the first hour. Do not pay any ransom without insurer coordination — sanctions screening must occur first.
Can a very small Canadian business (under 10 employees) get cyber insurance?
Yes. Coalition, At-Bay, and several Intact-backed programs offer streamlined policies for micro-businesses with revenue under CA$2 million, with applications under 15 minutes and premiums starting around CA$1,200–$1,800/year. The main qualification gates are MFA on all email accounts and a tested backup. A single ransomware event causing CA$40,000–$80,000 in downtime makes even a small policy straightforward to justify. Contact a Canadian insurance broker who specializes in commercial lines — not the same broker who handles your commercial general liability, as many CGL-focused brokers lack cyber market access.
Does my existing commercial general liability policy cover a data breach?
No. Standard CGL policies in Canada explicitly exclude cyber events and do not cover data breach costs, ransomware losses, business interruption from system outages, or regulatory fines. Ontario courts have upheld these exclusions. Some older policies had incidental e-commerce language that was interpreted narrowly. Technology E&O policies cover professional liability for technology providers but do not replace a standalone cyber policy's first-party breach response coverage. A standalone cyber policy is required — it is not redundant with your CGL.
Get a Free Cyber Insurance Readiness Assessment
Tell us where your business is today — security controls, revenue, sector, and current coverage. We will identify the gaps blocking you from standard market premiums and send a prioritized control implementation plan. No payment, no sales call required.
