What is cyber insurance?
Cyber insurance is a type of business insurance that covers your financial losses from cyber incidents like data breaches, ransomware attacks, system outages, and other digital disruptions. It's also known as "cyber liability insurance" or "cyber risk insurance."
In Canada, cyber threats are rising. 39% of Canadian businesses experienced a cyber attack in 2024, and the average cost of a data breach globally exceeds CAD $7 million. For small and medium businesses, a single breach can be catastrophic. 60% of SMBs close within 6 months of an attack. Cyber insurance exists because many businesses can't absorb this financial shock alone, especially given PIPEDA compliance requirements and provincial privacy laws.
Key point: Cyber insurance reimburses you for direct costs (forensic investigation, ransom negotiation, notification costs under PIPEDA) and third-party claims (lawsuits from affected customers). You're buying protection for a type of liability and operational crisis, not a physical asset.
What does cyber insurance cover?
Most cyber insurance policies split coverage into two main categories: costs to YOUR business (first-party) and claims FROM OTHERS (third-party).
First-party coverage (costs to your business)
This covers direct costs you incur in response to a cyber incident:
- Incident response and forensic investigation: The cost of hiring experts to investigate the breach, determine what was compromised, and identify the attacker.
- Data recovery and restoration: Costs to recover lost or corrupted data and restore systems to normal operation.
- Business interruption losses: If your systems are down, you lose revenue. This covers the income you would have earned during the outage.
- Ransomware payments: Some policies reimburse ransom payments if you decide to pay. Note: Canadian authorities increasingly advise against payment.
- Notification costs: PIPEDA requires notification of affected individuals following a breach. Cyber insurance covers letters, email campaigns, and call centre costs.
- Credit monitoring: Providing monitoring services to individuals affected by the breach (often 1-3 years).
- Public relations and crisis management: Costs to hire PR firms to manage reputational damage and public communication.
Third-party coverage (claims from others)
This covers legal claims and regulatory action arising from the incident:
- PIPEDA regulatory defence and fines: Defence costs if you face an investigation by the Privacy Commissioner, and cover for PIPEDA penalties.
- Provincial privacy defence: Coverage for investigations under provincial laws like PHIPA (Ontario), PIPA (British Columbia), and others.
- Legal defence costs: Lawyers to defend you against lawsuits from affected customers or partners.
- Settlements and judgments: Compensation you're ordered to pay to affected parties after losing a lawsuit.
- PCI DSS fines: If you process card payments and suffer a breach, payment networks may fine you. Cyber insurance can cover these.
- Media liability claims: Claims that your business defamed someone or invaded privacy through your digital systems or online presence.
Most policies come with coverage limits (e.g., CAD $1 million total), deductibles (you pay the first CAD $10,000 of any claim), and sub-limits (e.g., ransomware covered up to CAD $500,000, even if total limit is CAD $1 million).
What doesn't cyber insurance cover?
Insurance is defined as much by what it excludes as by what it includes. Here are the most common cyber insurance exclusions:
- Acts of war or nation-state attacks: Most policies exclude attacks by governments or military forces. This "war exclusion" is standard across insurance.
- Unpatched known vulnerabilities: If a security patch was available and you didn't apply it, the insurer may deny claims from attacks exploiting that specific vulnerability.
- Bodily injury or property damage: Cyber insurance covers digital losses. If a cyber attack leads to physical harm, that's typically covered by your general liability policy, not cyber.
- Long-term reputational damage: Cyber insurance covers short-term crisis costs (PR, notification). Permanent loss of customer trust or market share isn't covered.
- Loss of future revenue: Business interruption covers revenue lost during the incident. It doesn't cover future lost business due to reputational harm.
- Prior known claims: If you knew about a potential claim before buying the policy, it's excluded.
- Voluntary shutdowns: If you choose to shut down your systems without insurer approval, resulting losses may not be covered.
- Social engineering (sometimes): Some policies exclude or heavily sub-limit losses from social engineering attacks (e.g., CEO fraud). Check your policy carefully.
Read the fine print: Exclusions vary significantly between insurers. A breach that one insurer covers, another may exclude. Always ask your broker to highlight exclusions relevant to your business and provinces of operation.
How does a cyber insurance claim work?
Step 1: Incident occurs. You discover a breach, system outage, or suspected attack.
Step 2: Contact insurer immediately. Call your insurer's claims hotline right away. Most Canadian policies require prompt notification. Delaying notification may void coverage.
Step 3: Insurer appoints incident response team. The insurer will typically have a preferred team of forensic experts, legal counsel, and PR firms. Some policies let you choose your own; others require you to use the insurer's panel. The insurer pays the IR team directly.
Step 4: Containment and investigation. The IR team stops the attack (if ongoing), investigates what happened, identifies what data was compromised, and documents findings.
Step 5: Claim assessment. The insurer reviews the incident and IR findings to determine what's covered under your policy. They'll assess whether exclusions apply, whether costs are reasonable, and whether the claim is within coverage limits and deductibles.
Step 6: Payout. Once approved, the insurer reimburses you for covered costs or pays vendors directly.
Important: Good cyber insurance policies don't just provide money; they provide people. Your policy includes access to forensic investigators, Canadian-qualified legal counsel familiar with PIPEDA breach notification law, and PR specialists. These are often more valuable than the dollar payout because they know how to handle incidents efficiently and protect you from regulatory action.
Canadian regulatory landscape
Canada's cyber insurance landscape is shaped by PIPEDA (federal personal information protection act) and provincial privacy laws. PIPEDA requires businesses to notify individuals and the Privacy Commissioner of substantial breaches of security safeguards. Provincial laws vary: PHIPA (Ontario) covers health information; PIPA (British Columbia, Alberta) covers provincial personal information. Additionally, federally regulated industries (banking, telecommunications) have sector-specific cybersecurity requirements. Cyber insurance covers regulatory defence costs and fines under these frameworks.