The Canadian cyber insurance market
The Canadian cyber insurance market is smaller than the US but growing rapidly. Canadian businesses increasingly recognise cyber risk as material and are seeking coverage. The market is characterised by a mix of domestic carriers (Intact Insurance, Trisura) and US-based carriers operating in Canada (AIG, Chubb, Travelers, Zurich, Coalition, Corvus).
The Canadian regulatory landscape is complex, with both federal oversight (OSFI for federally-chartered entities, PIPEDA for privacy) and provincial regulation. Each province has its own insurance regulator and, in some cases, separate privacy legislation. This creates underwriting challenges for insurers and means that policies must be carefully tailored to your specific provincial jurisdiction.
Privacy laws are a key consideration. PIPEDA is the federal private sector privacy law, but British Columbia, Alberta, and Quebec have their own provincial legislation. Breach notification requirements vary β PIPEDA requires notification "without unreasonable delay" if there's a real risk of serious harm, whilst Quebec requires notification within 30 days.
The market also reflects the cross-border nature of Canadian business: many Canadian companies operate in the US, and many US companies operate in Canada. Policies often need to address both Canadian and US regulatory obligations.
Canadian market characteristics and what they mean for you
Federal and provincial regulation
Canada's regulatory framework is federal-provincial. OSFI regulates federally-chartered financial institutions and requires cyber risk management. Each province has a financial services regulator (e.g., Alberta Financial Services Authority, Financial Services Regulatory Authority of Ontario) that oversees provincial insurance carriers. This creates a more fragmented regulatory environment than the US.
OSFI cyber risk requirements
OSFI's Cyber Security Requirements apply to federally-regulated banks, insurance companies, and trust companies. They require strong governance, risk assessment, incident management, and reporting. If you operate in these regulated industries, ensure your cyber insurer understands OSFI expectations.
PIPEDA and provincial privacy laws
Privacy laws significantly influence cyber insurance pricing and coverage. PIPEDA (federal) applies to private sector organisations. British Columbia and Alberta have equivalent provincial laws (PIPA). Quebec has its own legislation (Law 25). Breach notification is required within 30 days for Quebec and "without unreasonable delay" for PIPEDA and other provincial laws. Cyber policies must address these requirements.
Smaller market, fewer carriers
The Canadian market is considerably smaller than the US, which means fewer carriers, higher minimum premiums, and less price competition. Many Canadian businesses purchase insurance from US carriers via brokers. This is workable, but policies must be adjusted to comply with Canadian law.
US-Canada cross-border considerations
Many Canadian companies do business in the US and vice versa. Policies often need to address both Canadian and US regulations, data breach laws, and SEC disclosure requirements (if you're a US subsidiary of a Canadian parent or have US public company status). This complexity is manageable but requires careful broker guidance.
Shared carrier base with the US
Many carriers operating in Canada also operate in the US. This is an advantage: they understand both markets, pricing is sometimes competitive, and coverage can be cross-border. However, policies must be specifically endorsed for Canada.
Leading Canadian cyber insurance carriers
Below is an overview of carriers operating in the Canadian market. This is not a ranking β the right carrier depends on your specific risk profile, industry, and provincial jurisdiction. Always work with a specialist broker.
Intact Insurance
Intact Insurance is Canada's largest domestic property and casualty insurer and has expanded significantly into cyber. Offers cyber coverage across SMB and mid-market segments. Known for strong Canadian presence, good financial strength, and local expertise.
Strengths: Canadian-based; strong brand; good SMB/mid-market offering; local regulatory knowledge.
Considerations: May be less specialist than pure cyber carriers; limited enterprise capacity.
Chubb Canada
Chubb operates globally and has a dedicated Canada operation. Known for competitive mid-market and upper mid-market cyber. Strong claims capability, good financial strength, and access to Chubb's global resources.
Strengths: Competitive mid-market pricing; strong financial stability; global reach; good claims service.
Considerations: Less specialist than pure cyber carriers; higher minimum premiums than SMB providers.
AIG Canada
AIG operates a dedicated Canada operation and offers cyber coverage across all market segments. Known for large account capability, competitive pricing in mid-market and above, and diverse coverage options.
Strengths: Market leader in mid-market/enterprise; diverse options; global reach; strong financial position.
Considerations: Can be expensive for SMBs; less innovative than specialist carriers.
Trisura Group
Trisura is a Canadian specialty insurance company offering cyber coverage. Known for specialist expertise, flexibility, and competitive pricing for SMB and mid-market.
Strengths: Canadian specialist; flexible underwriting; competitive SMB/mid-market pricing.
Considerations: Smaller than Intact/AIG; limited enterprise capacity.
Coalition Insurance
Coalition, a leading US-based specialist, operates in Canada. Known for tech-enabled underwriting, competitive SMB pricing, and streamlined claims. Available through Canadian brokers.
Strengths: Tech-enabled; competitive SMB pricing; fast underwriting; good service.
Considerations: Newer to Canadian market; capacity limits; less local presence than domestic carriers.
Corvus Insurance Canada
Corvus, a US specialist, operates in Canada focused on SMB and lower mid-market. Known for competitive pricing, tech-driven underwriting, and good claims experience.
Strengths: Competitive SMB/lower mid-market pricing; tech-enabled; good claims capability.
Considerations: Limited Canadian presence; SMB focus; enterprise capacity limited.
Beazley Canada
Beazley, a London-based specialist with global operations, operates in Canada. Known for deep cyber expertise, flexible underwriting, and strong panel quality across all market segments.
Strengths: Excellent cyber expertise; flexible coverage; strong claims capability; multi-segment.
Considerations: Broker-only; minimum premiums often higher; less local presence.
Zurich Canada
Zurich operates in Canada with a dedicated cyber offering. Competitive for mid-market and above, with strong financial backing and integration with other business insurance products.
Strengths: Financial stability; good mid-market pricing; bundling options; reliable service.
Considerations: Less specialist than pure-play cyber carriers; focused on mid-market and above.
CFC Underwriting Canada
The London-based specialist operates in Canada through brokers. Known for specialist expertise, customer-centric approach, and quality claims handling. Growing presence in Canadian market.
Strengths: Specialist expertise; excellent claims experience; customer-focused.
Considerations: Smaller presence in Canada; minimum premiums often higher; broker-only.
Northbridge Insurance
Northbridge is a Canadian specialty insurance carrier offering cyber coverage. Known for flexibility and specialist expertise in Canadian regulatory environment.
Strengths: Canadian-based; specialist expertise; flexible underwriting.
Considerations: Smaller than Intact/AIG; limited enterprise capacity.
How to evaluate Canadian cyber insurance providers
Financial strength ratings
Check financial strength from A.M. Best, Moody's, or S&P. Ratings of A or better (A.M. Best) are strong. Ensure the carrier is regulated in your province and meets provincial solvency requirements.
Provincial regulatory compliance
Different provinces regulate insurance differently. Ensure the carrier is licensed or approved to operate in your province. If you operate in multiple provinces, verify the carrier is licensed in all of them.
Canadian privacy law expertise
This is critical. Does the insurer understand PIPEDA, provincial privacy laws (PIPA in BC/Alberta, Law 25 in Quebec), and breach notification timelines? Are these requirements properly reflected in policy wording? A carrier without this expertise will create compliance gaps.
Claims handling speed and quality
Can you reach someone 24/7? Will they respond within two hours? Ask for Canadian references or search for reviews. The best carriers have dedicated Canadian claims teams.
Incident response panel quality
Your policy should include access to forensic investigators, legal counsel, and PR specialists. Does the carrier have a Canadian-based panel or US-based? Can they respond quickly in Canada? Ask for panel composition.
Coverage breadth and Canadian-specific provisions
Does the policy cover ransomware, social engineering, business interruption, and third-party liability? Does it address Canadian privacy laws, PIPEDA notification costs, and provincial regulatory fines? Ensure the policy is endorsed for Canada and addresses Canadian-specific risks.
Sub-limits and exclusions
Understand any sub-limits on ransomware, business interruption, or third-party liability. Are there exclusions on known vulnerabilities or prior incidents? These can be problematic β flag them with your broker.
OSFI and sector-specific requirements
If you're a financial institution, healthcare provider, or operate in a regulated sector, ensure the carrier understands sector-specific requirements (OSFI, PIPEDA, provincial regulations, healthcare laws). The cheapest policy may not meet your compliance obligations.
Broker expertise and local relationships
Look for brokers that specialise in cyber insurance in Canada, have strong relationships with Canadian carriers and US carriers operating in Canada, and understand provincial regulatory nuances. Check for Canadian reviews and industry experience.
Specialist broker vs. direct purchase
Most Canadian cyber insurance is sold through brokers. Here's why using a specialist broker is important.
Brokers navigate provincial regulation
A good Canadian broker understands that insurance regulation varies by province. They'll ensure your policy complies with provincial rules and can manage multi-provincial requirements.
Brokers understand Canadian privacy law
A specialist broker understands PIPEDA, provincial privacy laws, and breach notification requirements. They'll flag gaps in coverage and ensure policy wording addresses Canadian compliance obligations.
Brokers access both domestic and US carriers
A good Canadian broker has relationships with Intact, Trisura, and other domestic carriers, but also access to US carriers (AIG, Chubb, Coalition, Corvus) operating in Canada. They'll shop your risk and get competitive quotes.
Brokers negotiate on your behalf
A broker will push for better terms, higher limits, or adjustments to coverage to comply with Canadian law. Direct purchase typically doesn't offer negotiation flexibility.
Brokers help with claims
When a breach happens, your broker will advocate for you, help navigate the claims process, and push back on unreasonable claim denials.
Finding a good Canadian broker
Look for brokers that specialise in cyber insurance, are licensed in your province(s), have relationships with multiple carriers (domestic and US), and understand Canadian privacy laws. Check for positive reviews and experience with businesses your size and sector.
Key questions to ask your Canadian broker
Once you've been matched with a broker, ask these questions before committing to a policy.