Cyber Liability Insurance for Canadian Small Businesses: What You Actually Need

By Rob Roughley | November 9, 2017 | 10 min read

Seventy-two percent of Canadian small and medium-sized businesses experienced a cyber attack in the past year. Let that number land for a moment. Not 72% of banks. Not 72% of tech companies. Seventy-two percent of businesses like yours — accounting firms, dental offices, contractors, retailers, and service companies across Ontario.

And here is the part that keeps us up at night as brokers: more than 60% of small business owners still believe their company is too small to be targeted.

We have placed cyber liability policies for businesses of every size across Durham Region, and the pattern is always the same. Nobody thinks they need this coverage until the morning they cannot access their files, their client database is encrypted, and a ransom demand is sitting in their inbox. By then, the only question is whether they have a policy in force or whether they are paying six figures out of pocket.

Why Your Existing Insurance Will Not Help

This is the most important thing to understand about cyber risk: your general liability and commercial property policies do not cover it. Insurers have been adding explicit cyber exclusions to standard commercial policies for years. If your business suffers a data breach, a ransomware attack, or even a phishing scam that drains your bank account, your CGL policy will decline the claim.

We see this gap constantly. A business owner comes to us with what they believe is comprehensive coverage — commercial property, general liability, maybe even an umbrella policy — and none of it responds to a cyber event. That is not a failure of their existing coverage. Those policies were never designed for digital risk. Cyber liability insurance exists specifically to fill this gap.

What Cyber Liability Insurance Actually Covers

A cyber liability policy has two sides: first-party coverage (your direct costs) and third-party coverage (claims against you from others). Most policies in the Canadian market bundle both, but understanding the distinction helps you evaluate what you are buying.

First-Party Coverage: Your Direct Losses

This is the coverage that responds when your business is the victim. It pays for:

  • Forensic investigation — Hiring specialists to determine how the breach happened, what data was compromised, and how to stop it from continuing
  • Data recovery and system restoration — Rebuilding your network, restoring data from backups, replacing compromised hardware and software
  • Ransomware and cyber extortion — The ransom payment itself (where legally permitted), plus professional negotiation services
  • Business interruption — Lost income during the period your systems are down, plus the increased operating costs of running your business manually while you recover
  • Notification and credit monitoring — The cost of notifying every affected individual (required by law in Canada), setting up a call centre, and providing credit monitoring services
  • Crisis management and public relations — Professional help managing your reputation after a breach becomes public

Third-Party Coverage: Claims Against You

This side protects you when other people — customers, clients, business partners, or regulators — come after you because their data was compromised on your watch:

  • Legal defence costs — Solicitor fees, court costs, and expert witnesses
  • Settlements and judgments — If a court finds you liable or you settle a claim
  • Regulatory fines and penalties — Costs associated with regulatory investigations and potential penalties for non-compliance with privacy laws
  • Media liability — Claims related to content published on your website or digital platforms

The Federal Law You Cannot Ignore

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) is not optional, and it has real teeth. Since November 2018, mandatory breach reporting has been in force. Here is what that means for your business:

You must report to the Privacy Commissioner of Canada any breach of security safeguards involving personal information that poses a real risk of significant harm to individuals. "Significant harm" is defined broadly — it includes financial loss, identity theft, damage to reputation, loss of employment or business opportunities, and humiliation.

You must notify affected individuals as soon as feasible after determining a breach has occurred. There is no specific number-of-days deadline, but "as soon as feasible" means exactly what it sounds like. Dragging your feet will make things worse.

You must keep records of all breaches for 24 months — not just the ones you report. Every breach, whether it meets the reporting threshold or not, must be documented in enough detail for the Privacy Commissioner to verify your compliance.

Knowingly failing to comply is an offence that can lead to fines.

This is where cyber insurance becomes not just smart business but practically necessary. The cost of a proper breach response — forensic investigation, legal counsel, notification of every affected individual, credit monitoring, potential regulatory defence — adds up fast. Statistics Canada reports that Canadian businesses spent $1.2 billion recovering from cyber security incidents in 2023 alone, double the $600 million spent in 2021.

What Cyber Attacks Actually Cost a Small Business

The numbers are sobering. The average cost of a data breach for Canadian organizations reached $6.98 million CAD in 2025, according to IBM's annual Cost of a Data Breach report. That is the average across all business sizes — large enterprises pull that number up. But even for a small business, the costs are devastating.

A typical small business cyber incident involves:

  • $15,000 to $50,000 for forensic investigation and system restoration
  • $10,000 to $30,000 for legal counsel through the breach response
  • $5,000 to $25,000 for notification and credit monitoring (scales with the number of affected records)
  • Weeks of lost revenue while systems are down or operating at reduced capacity
  • Reputational damage that is impossible to put a dollar figure on

The Insurance Bureau of Canada has noted that 60% of small and medium businesses do not survive after a cyber attack. That statistic reflects the full picture — not just the direct costs, but the lost clients, the damaged trust, and the operational disruption that small businesses simply cannot absorb without insurance backing them up.

What It Costs (Less Than You Think)

Here is the good news. Cyber liability insurance is one of the most affordable commercial coverages available relative to the risk it addresses:

  • Very small businesses (sole proprietors, micro-businesses): $300 to $1,200 per year
  • Small businesses (under $5M revenue): $500 to $4,000 per year
  • Mid-sized businesses: $1,200 to $7,000 per year

The median cost across the market sits around $1,740 per year. For context, that is less than most businesses pay for their commercial auto insurance on a single vehicle.

Your premium depends on several factors we can help you evaluate:

  • Revenue and employee count — Larger operations pay more
  • Industry — Healthcare, financial services, and professional services handle more sensitive data and pay higher premiums
  • Type of data you store — Personal health information, payment card data, and Social Insurance Numbers increase your risk profile
  • Security controls in place — This is where you have direct control over your premium

How to Lower Your Cyber Insurance Premium

Insurers reward businesses that take security seriously. The following controls can meaningfully reduce your premium — and more importantly, reduce your actual risk:

  1. Multi-factor authentication (MFA) on email, remote access, and administrative accounts. This is the single most impactful control. Some insurers will not even quote you without it.
  2. Tested backups stored offline or in a separate cloud environment. Backups that have never been tested are not backups.
  3. Endpoint protection (modern antivirus/anti-malware) on all devices, including employee laptops and phones.
  4. Regular software patching — Most breaches exploit known vulnerabilities that already have patches available.
  5. Employee security training — Phishing remains the top attack vector. Even basic annual training reduces your exposure significantly.
  6. A written incident response plan — You do not need a 50-page document. A simple plan that identifies who to call, what to shut down, and how to communicate makes a material difference.

When we quote cyber liability coverage, we walk through these controls with every client. In many cases, implementing even two or three of these measures before binding the policy results in a noticeably lower premium.

Who Needs Cyber Liability Insurance

The honest answer: any business that uses email, stores customer information, processes payments, or relies on computer systems to operate. That covers virtually every business in Ontario.

But some businesses face elevated risk and should treat this coverage as essential, not optional:

  • Professional services — Accountants, lawyers, consultants, and financial advisors handling confidential client data (professional liability does not cover cyber events)
  • Healthcare practices — Dentists, physiotherapists, clinics storing patient health records
  • Retailers and e-commerce — Any business processing credit card transactions
  • Contractors and trades — Increasingly targeted by ransomware, especially those using connected project management systems
  • Technology companies — Both targets and potential sources of third-party claims
  • Non-profits — Donor databases and volunteer records are valuable targets, and tight budgets make recovery harder

What to Do Next

If you do not have cyber liability insurance, or if you have never reviewed what your current policy actually covers, here is what we recommend:

  1. Check your existing policies for cyber exclusions. Your CGL and property policies almost certainly exclude cyber events. Know what you are working with.
  2. Take stock of the personal information you hold. Client names, email addresses, payment information, employee SINs, health records — the type and volume of data you store directly affects your risk and your PIPEDA obligations.
  3. Implement basic security controls. MFA, tested backups, and employee training cost very little and make a meaningful difference to both your actual risk and your insurance premium.
  4. Talk to a broker who understands the coverage. Cyber policies vary significantly between insurers. The cheapest quote is not always the best fit — exclusions, sub-limits, and waiting periods matter.

We place cyber liability coverage with carriers who specialize in this space, and we help our clients across Durham Region and Ontario understand exactly what they are buying. If you want a quote or just want to know where you stand, reach out to our team or call us at (905) 576-7770.

Frequently Asked Questions

How much does cyber liability insurance cost for a small business in Canada?

Most small businesses pay between $500 and $4,000 per year, depending on revenue, industry, data types, and security controls. Businesses with MFA, tested backups, and an incident response plan typically qualify for the lowest premiums. Very small or sole-proprietor operations may pay as little as $300 per year.

Does my general liability or commercial property policy cover cyber attacks?

No. General liability and commercial property insurers have been adding explicit cyber exclusions for years. A data breach, ransomware attack, or phishing loss will not be covered under those policies. You need a standalone cyber liability policy.

Am I legally required to report a data breach in Canada?

Yes. Under PIPEDA, any breach involving personal information that poses a real risk of significant harm must be reported to the Privacy Commissioner, and the affected individuals must be notified. You must also keep records of all breaches — reported or not — for 24 months.

What is the difference between first-party and third-party cyber coverage?

First-party coverage pays your direct costs: forensic investigation, data recovery, ransomware payments, business interruption losses, and notification expenses. Third-party coverage protects you when customers, clients, or regulators sue you over a breach. Most Canadian policies bundle both.

Do I need cyber insurance if my business only has a few employees?

Yes. Over 60% of small businesses believe they are too small to be targeted, but the data tells a different story — 72% of Canadian SMBs reported a cyber attack in the past year. Criminals specifically target smaller businesses because they tend to have weaker defences. A single incident can cost enough to permanently close a small operation.