Canadian cyber insurance coverage overview
Canadian cyber insurance covers financial losses from cyber incidents within a legal landscape dominated federally by PIPEDA (Personal Information Protection and Electronic Documents Act), by Quebec's modernised Law 25, and by sector-specific regulators such as OSFI for financial institutions. Coverage splits into first-party (your direct costs) and third-party liability (claims from others), with strong emphasis on breach notification, regulatory defence, and cross-border incident management, since many Canadian organisations also hold data on US residents.
First-party coverage: your direct costs
First-party coverage reimburses your organisation's immediate incident response and recovery expenses.
- Incident response and forensic investigation: Professional investigation, breach containment, emergency support, and root cause analysis. Typically covered up to CAD$75K–$300K depending on policy size.
- Data recovery and system restoration: Costs to restore systems from backups, recover lost data, rebuild infrastructure, and return to normal operations.
- Business interruption losses: Compensation for lost revenue while systems are down and operations cannot continue. Includes emergency overtime and expedited recovery. Sub-limits typically range CAD$150K–$1.5M.
- PIPEDA breach notification costs: Notifying affected individuals and reporting to the Privacy Commissioner as required by PIPEDA section 10.1 (breaches of security safeguards that pose a real risk of significant harm) and by related provincial laws. This is a significant first-party cost and typically sub-limited to CAD$75K–$300K.
- Quebec Law 25 notification: For incidents affecting Quebec residents, Law 25 requires that a confidentiality incident presenting a risk of serious injury be reported to the Commission d'accès à l'information (CAI) and notified to affected persons with diligence. Coverage includes notification costs, credit monitoring, and public notice expenses.
- Credit monitoring and identity theft protection: Providing affected individuals with credit monitoring, identity theft resolution, and fraud prevention services as required by breach notification laws.
- Regulatory investigation and defence: Legal fees to respond to investigations by the federal and provincial Privacy Commissioners and Quebec's CAI, including the cost of answering regulator inquiries and handling the access requests that typically follow a breach.
- Public relations and crisis communications: Professional services for media response, customer communications, and reputation recovery following a high-profile breach.
- Ransomware-related costs: Coverage for incident response, recovery, and business interruption from ransomware. Ransom payments are often excluded or strictly limited.
Third-party coverage: claims from others
Third-party liability protection covers when other parties hold your organisation liable for losses caused by your cyber incident or security failure.
- Legal defence costs: Attorney fees to defend civil lawsuits from affected individuals, customers, or partners claiming damages from your breach.
- Settlements and court-ordered compensation: Compensation payments to settle claims or satisfy court judgments from affected parties.
- Regulatory enforcement response: Limited coverage for costs associated with regulatory action by federal or provincial Privacy Commissioners. Government-imposed fines are typically excluded, but investigation defence is covered.
- Privacy liability claims: Claims alleging your organisation violated PIPEDA, Law 25, or other privacy laws, mishandled personal data, or failed to implement appropriate security safeguards.
- Network security liability: Coverage if your systems are exploited to launch attacks against other organisations, and those organisations hold you liable.
- Professional liability and errors and omissions: Claims that your software, IT services, or advice caused financial loss to clients.
- Media liability: Claims arising from content published on your website or social media platforms.
Canadian-specific regulatory requirements
Canadian cyber insurance is shaped by federal and provincial privacy laws:
- PIPEDA (federal). The Personal Information Protection and Electronic Documents Act applies to federally regulated organisations, to commercial activity in provinces without substantially similar private-sector privacy law, and to personal information that crosses provincial or national borders. Under section 10.1, a breach of security safeguards that poses a real risk of significant harm must be reported to the Office of the Privacy Commissioner and notified to affected individuals as soon as feasible, and the organisation must keep a record of every breach for 24 months whether or not it met that threshold. The Office of the Privacy Commissioner investigates complaints. Insurance covers notification and investigation defence costs.
- Quebec Law 25 (Bill 64). Quebec's modernised private-sector privacy law strengthens data security requirements, requires confidentiality incidents that present a risk of serious injury to be reported to the Commission d'accès à l'information (CAI) and notified to affected persons with diligence, and introduces administrative monetary penalties and penal fines that can be imposed on executives personally, along with expanded CAI powers. The incident-notification provisions took effect on September 22, 2022, and most of the remaining obligations on September 22, 2023. Cyber insurance should explicitly cover Law 25 notification and regulatory response.
- Provincial privacy laws. Alberta and British Columbia have private-sector Personal Information Protection Acts (PIPA) deemed substantially similar to PIPEDA, and several provinces have health-sector privacy statutes of their own. Notification rules differ: Alberta's PIPA requires reporting to its Commissioner where there is a real risk of significant harm, while other provinces' requirements vary or fall back on PIPEDA. Multi-province operations need coverage that follows every applicable regime.
- OSFI guidance (financial institutions). The Office of the Superintendent of Financial Institutions sets expectations for federally regulated financial institutions through Guideline B-13 (Technology and Cyber Risk Management) and Guideline B-10 (Third-Party Risk Management), and its Technology and Cyber Security Incident Reporting Advisory requires reportable incidents to be notified to OSFI within 24 hours. OSFI does not mandate cyber insurance; it treats insurance as one element of operational resilience alongside controls, incident response, and third-party oversight, not a substitute for them.
- Breach notification timelines. PIPEDA requires notification as soon as feasible after the organisation determines that a breach poses a real risk of significant harm; Law 25 requires notification with diligence once an incident presents a risk of serious injury. Neither law sets a fixed number of hours, but OSFI's 24-hour reporting window applies in parallel for financial institutions. Insurance must cover the costs of timely notification and of reporting to the Privacy Commissioners and the CAI.
- Cross-border incidents. Many Canadian organisations hold personal data of US and international residents. Insurance should cover notification obligations under US state breach-notification laws and sector rules (for example California's CCPA/CPRA and the NYDFS Cybersecurity Regulation, 23 NYCRR Part 500) and under the GDPR, as well as the Canadian requirements above.
Coverage limitations and sub-limits
Most Canadian cyber policies apply sub-limits, separate maximum amounts for specific coverages that sit inside the overall policy limit. A CAD$500K policy might sub-limit breach notification to CAD$100K and business interruption to CAD$250K: once a sub-limit is exhausted, the insurer stops paying for that coverage even if the overall limit remains unused, while every payment under any coverage also erodes the overall limit.
| Coverage Type | Category | Typical Sub-Limit (CAD) |
|---|---|---|
| Incident response and forensics | First-party | $75K – $300K |
| Business interruption loss | First-party | $150K – $1.5M |
| Breach notification (PIPEDA/Law 25) | First-party | $75K – $300K |
| Regulatory investigation defence | First-party | $50K – $200K |
| Legal defence costs | Third-party | No separate limit |
| Settlements and compensation | Third-party | Up to policy limit |
| Social engineering fraud | Additional | $50K – $200K |
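To make the interaction between sub-limits, retention and the overall limit concrete, here is a small settlement model. It is an added illustration, not material from the original page or from any insurer's wording. The CAD$500K overall limit and the $100K breach-notification and $250K business-interruption sub-limits are the figures from the paragraph above; the incident-response sub-limit, the $25K retention and the sample claim costs are constructed for the example, and the model assumes the retention does not erode the sub-limits (policies differ on this).

```python
"""Worked sub-limit arithmetic (added illustration, not part of the original page).

Policy figures follow the example in the text (CAD$500K overall limit,
$100K breach-notification sub-limit, $250K business-interruption sub-limit).
The incident-response sub-limit, the retention and the sample claim costs
are constructed for this illustration; the model assumes the retention does
not erode the sub-limits, which is one common wording but not the only one.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    aggregate: int      # overall policy limit (CAD)
    retention: int      # self-insured retention / deductible (CAD)
    sub_limits: dict    # coverage name -> sub-limit; missing key = no separate sub-limit


@dataclass
class Settlement:
    paid: dict = field(default_factory=dict)        # coverage -> amount the insurer pays
    uncovered: dict = field(default_factory=dict)   # coverage -> amount the insured absorbs
    retention_applied: int = 0
    aggregate_remaining: int = 0


def settle(policy: Policy, costs: dict) -> Settlement:
    """Apply the retention, then each coverage's sub-limit, then the overall limit.

    Costs are processed in the order given: once the overall limit is nearly
    exhausted, earlier entries are paid first, so ordering is part of the model.
    """
    out = Settlement(aggregate_remaining=policy.aggregate)
    retention_left = policy.retention
    for coverage, cost in costs.items():
        # 1. Retention: the insured pays the first dollars of the whole claim.
        insured_share = min(cost, retention_left)
        retention_left -= insured_share
        out.retention_applied += insured_share
        claimable = cost - insured_share
        # 2. Sub-limit: caps this coverage even if the overall limit has headroom.
        cap = policy.sub_limits.get(coverage, policy.aggregate)
        within_sub = min(claimable, cap)
        # 3. Overall limit: every payment erodes it, whichever coverage it falls under.
        paid = min(within_sub, out.aggregate_remaining)
        out.aggregate_remaining -= paid
        out.paid[coverage] = paid
        out.uncovered[coverage] = cost - paid
    return out


def example_policy() -> Policy:
    return Policy(
        aggregate=500_000,
        retention=25_000,                        # constructed
        sub_limits={
            "incident_response": 150_000,        # constructed
            "breach_notification": 100_000,      # from the text
            "business_interruption": 250_000,    # from the text
        },
    )


# Constructed sample incident: ransomware with a PIPEDA notification to ~40,000 people.
EXAMPLE_COSTS = {
    "incident_response": 120_000,
    "breach_notification": 180_000,
    "business_interruption": 300_000,
    "legal_defence": 90_000,    # no sub-limit, so only the overall limit applies
}


def run_example() -> Settlement:
    return settle(example_policy(), EXAMPLE_COSTS)


if __name__ == "__main__":
    s = run_example()
    for cov, cost in EXAMPLE_COSTS.items():
        print(f"{cov:22s} cost {cost:>8,}  paid {s.paid[cov]:>8,}  uncovered {s.uncovered[cov]:>8,}")
    print(f"retention applied {s.retention_applied:,}; overall limit remaining {s.aggregate_remaining:,}")
```

Running it shows the two distinct ways a claim comes up short. Breach notification is capped at $100K and leaves $80K uncovered even though $305K of the overall limit is still unspent at that point, which is the sub-limit effect the paragraph describes; legal defence has no sub-limit but receives only $55K because the earlier payments have eroded the overall limit to that amount. The $25K retention comes off the first coverage processed, so the insured's total out-of-pocket is the retention plus every sub-limit and aggregate shortfall.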
Optional additional coverages
- Social engineering and wire fraud: Covers funds lost when an employee is deceived by a social engineering attack or acts on fraudulent wire-transfer instructions. Increasingly important in Canada.
- Dependent business interruption: Covers losses when a critical supplier or customer is breached and their downtime affects your operations.
- Cyber extortion and ransom negotiation: Professional negotiation services and extortion communication costs (ransom payments often excluded).
- Cryptojacking and unauthorised computing: Unauthorised use of company computing resources for cryptocurrency mining or other malicious purposes.
- Invoice manipulation and business email compromise: When attackers intercept email and redirect payments or invoices to fraudulent accounts.
- Cyber-related reputational harm: Limited coverage for losses caused by reputational damage following a breach.
Find the right cyber insurance for your Canadian business
A specialist broker can help you navigate PIPEDA, Quebec Law 25, and OSFI expectations, and make sure your policy covers cross-border incidents affecting US or international residents.
Last updated: April 2026