Cybersecurity and Insurance

Issues, Limitations and Trends of Cyber Insurance in Canada

The Rise of Cyber Insurance and its Gray Areas

Faced with the explosion of cyberattacks, organizations are increasingly subscribing to cyber insurance to protect themselves against financial losses.

The problem: can the insurance policy actually be trusted to compensate for damages, for example from ransomware or a massive data breach?

In other words, is cyber insurance a solution or an illusion in the face of rising premiums and the proliferation of exclusions?

Adoption growing strongly but unevenly

  • As of 2024, approximately 40% of Canadian SMEs report having some form of cyber insurance.
  • Large organizations are better covered, but also more targeted by attacks (source: Canadian Centre for Cyber Security / CCC).
  • The most insured sectors: finance, healthcare, and professional services.
  • Growing regulatory pressure (Bill 25, Bill C-26) is encouraging organizations to adopt minimum coverage.

The critical limits of cyber insurance

1. Frequent and unclear exclusions

Many policies do not cover:

  • Human error
  • Nation-state attacks
  • Outdated software
  • Compromised subcontractors

Legal language is often complex and restrictive.

2. Reimbursement times and complexity of claims

  • The burden of proof often rests with the insured organization.
  • Compensation is sometimes partial or conditional on strict compliance.

3. False impression of security

  • Some organizations reduce their investments in technical security, believing they are “covered.”
  • This false impression leaves organizations vulnerable and uninsurable in the long term.

Market evolution with more selective cyber insurance

  • Increases in premiums (+30 to 70% in 2 years in certain sectors in Canada)
  • Fewer standard guarantees and more à la carte options (e.g. ransomware, reputation, business interruption)
  • Reinforced prior checks; some insurers now require:
    • MFA for all critical access
    • Network segmentation
    • Employee training
    • Tested and validated response plans

Key Recommendations: Maximize Coverage & Security Posture

Before purchasing an insurance policy:

  • Assess the organization’s actual risks
  • Seek legal and/or cybersecurity expertise to understand the clauses
  • Update internal policies, response plans, and logs

After subscribing to an insurance policy:

  • Avoid viewing insurance as a substitute for best practices
  • Include cyber insurance in the crisis management plan
  • Regularly test and validate detection, response, and traceability capabilities

Integrating cyber insurance into a comprehensive cyber resilience approach, covering prevention, detection, response, and improvement, is the ideal.

NB: A useful cyber insurance policy is one that is comprehensive, adapted to real risks, and integrated into the cybersecurity strategy.

Cyber Insurance in Canada: 7 Questions to Ask Before Signing an Insurance Policy

  1. What does the policy actually cover?
    • Does the attack need to be confirmed by an authority?
    • Are ransomware, DDoS, phishing, and data breaches covered?
    • Are indirect losses included (e.g., business interruption)?
  2. What types of incidents are excluded?
    • Attacks by foreign states?
    • Flaws caused by human error?
    • Non-compliance with legal obligations (e.g., Bill 25, C-26)?
    • Failure to apply critical updates?
  3. What are the technical prerequisites for coverage to apply?
    • Is MFA mandatory? Encrypted backups? Connection logs retained?
    • Is a validated incident response plan required?
  4. What are the time limits and conditions for compensation?
    • Incident reporting timeframe (often 48 to 72 hours)
    • What supporting documents does the organization need to provide?
    • How quickly will the organization be compensated?
  5. Are subcontractors and partners covered?
    • Is the cloud provider covered?
    • What happens if a breach comes from a third party?
    • Does the policy cover subsidiaries or only the headquarters?
  6. What is the compensation ceiling and the deductible?
    • Are there sub-limits for each type of incident?
    • What is the deductible to be paid before coverage is activated?
    • Are there any out-of-pocket expenses (e.g., legal fees, branding)?
  7. What is the procedure in the event of a claim?
    • Is there an emergency number and a designated contact person?
    • Does the insurer provide a cybersecurity expert or legal support?
    • Is reimbursement conditional on an external investigation?
