Understand what's NOT covered under Canadian cyber policies, including PIPEDA gaps, provincial variations, and how to negotiate broader protection.
Canadian cyber insurance exclusions are shaped by PIPEDA (the federal Personal Information Protection and Electronic Documents Act) and by provincial privacy laws, which vary by province. What complicates Canadian cyber insurance is that different provinces have different breach notification timelines and compliance requirements. A breach affecting Ontario residents has different insurance implications than one affecting Quebec residents, who fall under Quebec's Law 25, a stricter privacy regime. Your policy may have gaps that depend entirely on where your data subjects are located.
Most Canadian cyber policies exclude coverage if you failed to meet PIPEDA's 10 privacy principles, particularly principle 4, "Security of Personal Information," which requires appropriate safeguards. If a breach occurs because your encryption was inadequate or your access controls were insufficient, the insurer may argue you violated PIPEDA's security principle and deny coverage.
The challenge: PIPEDA defines "appropriate security" as depending on the sensitivity of the information and the nature of your business, but doesn't mandate specific controls. This creates disputes. Some insurers expect all organisations to have MFA, encryption, and regular backups; others have lower expectations for smaller businesses. Get your security obligations explicitly documented in your insurance policy.
Additionally, Canadian privacy commissioners (federal and provincial) can investigate your compliance with PIPEDA and impose orders to implement security measures. If your policy doesn't cover the cost of remediation ordered by a privacy commissioner, you're exposed.
Most Canadian provinces follow PIPEDA, but Quebec operates under its own privacy law (Law 101) and recently introduced Law 25, which significantly strengthens privacy and cybersecurity requirements. Law 25 requires explicit consent for data processing (not just opt-out), stricter breach notification (requires written notice in clear language within 30 days), and cybersecurity assessments for high-risk processing.
If your business operates in Quebec and processes Quebec resident data, your cyber insurance must account for Law 25 requirements. A policy written for PIPEDA-compliant businesses may have gaps for Law 25 compliance. The notification costs for Quebec breaches are often higher than other provinces due to Law 25's stricter requirements. Ensure your policy's notification cost coverage accounts for provincial variations.
Canadian policies follow Lloyd's Market Association rules and typically include war and terrorism exclusions. However, cyber-specific carve-outs (LMA5567, 5568, 5569, 5570) are becoming standard in new policies but aren't universal in the Canadian market. If your policy was written before 2018 and doesn't include explicit cyber-war language, you have a significant gap.
For critical infrastructure operators and businesses handling sensitive government information (especially those working with Canadian government or NATO allies), explicit cyber-war coverage is essential. Ensure your policy schedule includes Lloyd's Market Association endorsements for cyber-specific attacks.
This is an emerging gap in Canadian cyber insurance. Many Canadian insurers and reinsurers follow US OFAC sanctions lists when assessing claims. If your breach involves a US-sanctioned entity (even tangentially), or if your ransom payment implicates OFAC regulations, your Canadian policy may exclude coverage or restrict it.
This is particularly important for Canadian businesses with US operations, US customer data, or US supply chain partners. If you're breached by a sanctioned cyber group (e.g., a Russian gang on OFAC lists), your policy may refuse to cover ransom payments or incident response costs. Clarify in your policy: does it follow Canadian sanctions law, US OFAC law, or both?
Most Canadian cyber insurance covers liability for breaches affecting Canadian residents under PIPEDA. However, if your breach also exposes US resident data, you face additional US liability: state breach notification laws (with timelines as short as 24 hours in some states), potential SEC disclosure requirements, and US lawsuits.
Some Canadian policies exclude US data liability or cap it separately. If you process data for US customers or have US employees, clarify whether your policy covers US breach notification costs and US liability, or whether you need separate US cyber insurance. This gap can be expensive if a single breach affects both Canadian and US residents.
Canadian cyber policies cover business interruption from your own systems being compromised, but may exclude interruption from cloud service provider failures unless the cloud provider was specifically targeted by a cyber attack. For businesses relying on Microsoft Azure, AWS Canada, or other cloud services, this gap is real.
If your cloud provider experiences an outage affecting thousands of Canadian businesses, your cyber policy won't cover your lost revenue unless you can prove the outage was caused by a cyber attack. Clarify the trigger for business interruption coverage and consider whether you need separate business interruption insurance for cloud service failures.
Get a Canadian specialist broker to review your policy and identify gaps specific to PIPEDA, provincial variations, and cross-border data exposure.