Cyber Insurance: What Canadian SMBs Need to Understand
In February 2024, the City of Hamilton was hit by a ransomware attack that disrupted roughly 80% of its network. The recovery cost the city $18.3 million. When Hamilton filed its cyber insurance claim, the insurer denied it — reportedly because multi-factor authentication had not been fully implemented at the time of the attack.
Hamilton is not an isolated case. Across North America, cyber insurance claims are being denied, policies are being voided, and coverage disputes are ending up in court — often because the insured organization did not meet the security requirements outlined in its own policy.
For Canadian small and medium businesses, the cyber insurance landscape has changed significantly in recent years. Understanding what policies cover, what insurers expect, and where claims have been denied is increasingly relevant.
What Cyber Insurance Typically Covers
Cyber insurance policies vary, but most provide some combination of first-party and third-party coverage:
First-Party Coverage (Your Direct Losses)
- Incident response costs — Forensic investigation, breach counsel, and crisis management
- Business interruption — Lost income and extra expenses during downtime. The real cost of cyber downtime often exceeds the direct cost of the incident itself.
- Data recovery — Restoring or reconstructing data from compromised or encrypted systems
- Ransom payments — Some policies cover ransom payments, though this varies and is increasingly subject to conditions
- Notification costs — PIPEDA requires reporting a breach that poses a real risk of significant harm to the Privacy Commissioner and notifying the affected individuals; this covers the cost of doing so
Third-Party Coverage (Claims Against You)
- Regulatory defence and fines — Legal costs and penalties resulting from privacy investigations
- Liability — Claims from customers, partners, or other parties affected by a breach
- Media liability — In some policies, coverage for defamation or intellectual property claims arising from a cyber event
Policies also typically include sublimits — caps on specific categories of coverage that may be significantly lower than the overall policy limit. Social engineering fraud, for example, often carries a sublimit that is a fraction of the total coverage amount.
When Claims Are Denied: What the Cases Show
The most instructive aspect of the cyber insurance market is not what policies promise to cover — it is what happens when a claim is filed and the insurer determines the policyholder did not meet its obligations.
Travelers v. International Control Services (2022)
In July 2022, Travelers Property Casualty Company of America filed a lawsuit in the U.S. District Court for the Central District of Illinois seeking to void the cyber insurance policy it had issued to International Control Services (ICS), an electronics manufacturer.
ICS had suffered a ransomware attack and filed a claim. Travelers' position was that ICS had stated on its insurance application that it used multi-factor authentication for remote access and privileged accounts. Travelers alleged this was materially false — MFA was not actually in place at the time of the application or the attack.
The case ended in a stipulated judgment: both parties agreed to rescind the policy, voiding it from inception, so ICS had no coverage for the ransomware claim or for anything else. What makes the case significant is that Travelers did not merely deny one claim; it unwound the entire contract on the basis of a single material misrepresentation about MFA on the application.
Columbia Casualty v. Cottage Health (2015)
Columbia Casualty Company, a subsidiary of CNA Financial, issued a cyber liability policy to Cottage Health System, a California healthcare network. When Cottage Health suffered a data breach exposing approximately 32,500 patient records — a server containing protected health information had been left accessible on the internet without proper security controls — Columbia Casualty sued Cottage Health in 2015.
The insurer's argument: Cottage Health's application represented that it maintained specific security controls including encryption, access controls, and regular security assessments. Columbia Casualty alleged these controls were not actually in place.
The policy also contained an exclusion for losses arising from a failure to maintain the minimum security practices described in the application. The court dismissed the suit in 2015 without reaching the merits, because the policy required the parties to attempt mediation first, so there is no ruling on the claim itself. The lesson stands regardless: what you represent on your application matters, and insurers will investigate after a breach.
Mondelez v. Zurich (2018)
In June 2017, the NotPetya malware attack disrupted Mondelez International's global operations, damaging approximately 1,700 servers and 24,000 laptops. Mondelez filed a claim under its property insurance policy with Zurich American Insurance Company for approximately $100 million in losses.
Zurich denied the claim in 2018, invoking the policy's "hostile or warlike action" exclusion. Zurich's position was that NotPetya had been attributed to the Russian military as an attack on Ukraine, and therefore constituted a state-sponsored act of war excluded under the policy.
Two important distinctions: this was a traditional property insurance policy, not a standalone cyber policy. And the claim was denied not because of a security failing by Mondelez, but because of a policy exclusion the insured may not have fully anticipated.
The case settled in late 2022 on confidential terms. In its wake, Lloyd's of London issued guidance in 2022 (Market Bulletin Y5381) requiring that cyber insurance policies include clear exclusions for state-backed cyberattacks, effective March 2023.
City of Hamilton (2024)
Hamilton's ransomware incident is one of the most prominent Canadian examples. The city reported recovery costs of $18.3 million. Its cyber insurance claim was denied, with reports indicating that MFA had not been fully deployed across city systems — a requirement that cyber insurers increasingly treat as a baseline condition of coverage.
What Insurers Are Requiring
The cases above illustrate a broader pattern. Over the past several years, cyber insurers have substantially tightened the security requirements they expect policyholders to meet — both at application time and throughout the policy period.
The following controls are now commonly listed on cyber insurance applications, and in many cases, coverage will not be offered without them:
Multi-Factor Authentication
MFA is the most frequently cited requirement. Insurers typically require it on:
- Remote access (VPN)
- Email platforms (Microsoft 365, Google Workspace)
- Privileged and administrative accounts
- Backup systems and infrastructure
The Travelers v. ICS case demonstrated that misrepresenting MFA status on an application can result in the entire policy being voided. Hamilton's denied claim illustrated the consequences of incomplete MFA deployment at claim time.
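Before answering the MFA questions on an application, check the identity provider's own registration data rather than relying on what the rollout plan says. The script below is an added example for this article, not code from the original page or from any insurer. It reads records shaped like Microsoft Graph's reports/authenticationMethods/userRegistrationDetails report (the field names are assumed from that report), separates phishing-resistant and app-based methods from SMS/voice, and returns whether the organization can truthfully attest to MFA on all privileged accounts and on all accounts. The sample records are constructed, not a real tenant.

```python
"""Check MFA registration before attesting to it on an insurance application.

Added example for this article, not code from the original page or from
any insurer. It reads records shaped like Microsoft Graph's
reports/authenticationMethods/userRegistrationDetails report (field names
assumed from that report) and answers the two questions most applications
ask: is MFA in place on every privileged account, and on every account at
all. The records below are constructed sample data, not a real tenant.
"""
import json
from collections import Counter

# Methods that satisfy "MFA" on most applications. SMS and voice are still
# accepted by some insurers but are phishable, so they are reported as weak.
STRONG_METHODS = {
    "microsoftAuthenticatorPush",
    "microsoftAuthenticatorPasswordless",
    "softwareOneTimePasscode",
    "hardwareOneTimePasscode",
    "fido2SecurityKey",
    "windowsHelloForBusiness",
}

# Constructed sample export (assumed field names follow the Graph report).
SAMPLE_REPORT = json.loads("""[
 {"userPrincipalName": "cfo@example.ca", "isAdmin": false,
  "isMfaRegistered": true, "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
 {"userPrincipalName": "it-admin@example.ca", "isAdmin": true,
  "isMfaRegistered": true, "methodsRegistered": ["fido2SecurityKey"]},
 {"userPrincipalName": "breakglass@example.ca", "isAdmin": true,
  "isMfaRegistered": false, "methodsRegistered": []},
 {"userPrincipalName": "helpdesk@example.ca", "isAdmin": true,
  "isMfaRegistered": true, "methodsRegistered": ["mobilePhone"]},
 {"userPrincipalName": "sales1@example.ca", "isAdmin": false,
  "isMfaRegistered": false, "methodsRegistered": ["email"]},
 {"userPrincipalName": "svc-backup@example.ca", "isAdmin": false,
  "isMfaRegistered": false, "methodsRegistered": []}
]""")


def classify(user: dict) -> str:
    """'strong' (phishing-resistant or app/OTP), 'weak' (SMS/voice only) or 'none'."""
    methods = set(user.get("methodsRegistered", []))
    if methods & STRONG_METHODS:
        return "strong"
    if user.get("isMfaRegistered"):
        return "weak"
    return "none"   # 'email' alone is a password-reset method, not MFA


def audit(report: list) -> dict:
    """Summarise coverage in the terms an application question uses."""
    counts = Counter(classify(u) for u in report)
    total = len(report)
    admins_without_strong = [u["userPrincipalName"] for u in report
                             if u.get("isAdmin") and classify(u) != "strong"]
    unregistered = [u["userPrincipalName"] for u in report
                    if classify(u) == "none"]
    return {
        "total_users": total,
        "strong": counts["strong"],
        "weak": counts["weak"],
        "none": counts["none"],
        "coverage_pct": round(100.0 * (total - counts["none"]) / total, 1) if total else 0.0,
        "admins_without_strong_mfa": admins_without_strong,
        "unregistered_users": unregistered,
        # Anything in the two lists above means the honest answer to
        # "Is MFA enforced on all privileged / all user accounts?" is "No".
        "can_attest_privileged_mfa": not admins_without_strong,
        "can_attest_all_users_mfa": not unregistered,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_REPORT), indent=2))
```

Two caveats when using a check like this. Registration is not enforcement: a user can have an authenticator registered while no Conditional Access policy or security default actually requires it, so pair the report with a review of the sign-in policies. And the report covers one identity provider only; the VPN, the backup console and any locally administered appliance each need their own check before the corresponding box on the application is ticked.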
Endpoint Detection and Response (EDR)
Traditional antivirus software is no longer considered sufficient by most insurers. Many now require managed endpoint detection and response — tools that continuously monitor devices for suspicious activity and can respond automatically.
Backup Strategy
Insurers increasingly ask about backup practices, including:
- Whether backups are offline, air-gapped, or immutable — not just cloud-synced
- Whether backup restoration has been tested
- Whether backup credentials are separate from production credentials
- Whether the organization follows the 3-2-1 rule (three copies, two storage types, one offsite)
These questions align directly with the backup practices outlined in the Canadian Centre for Cyber Security's Baseline Controls (BC.7).
Patch Management
Applications commonly ask whether the organization has a documented patching process and how quickly critical vulnerabilities are addressed. Some insurers specify a maximum timeframe — often 14 to 30 days — for patching critical and high-severity vulnerabilities.
Incident Response Plan
Many applications ask whether the organization has a written incident response plan that has been reviewed or tested within the past 12 months. This is the first of the 13 Baseline Controls (BC.1).
Email Security and Training
Insurers ask about email authentication protocols (SPF, DKIM, DMARC), email filtering, and whether employees receive regular security awareness training that includes phishing simulations.
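The email authentication question is usually answered "yes" on the strength of records that only monitor. The script below is an added example for this article, not code from the original page, that grades SPF, DMARC and DKIM TXT records the way an underwriter would read them: it flags a permissive or missing SPF `all` qualifier, a DMARC `p=none` or partial `pct`, a missing aggregate-report address, and an absent or revoked DKIM key. It works on record strings already fetched with a tool such as dig, so it runs offline; the two record sets at the bottom are constructed for a hypothetical domain, one monitoring-only and one hardened.

```python
"""Grade SPF, DMARC and DKIM records the way an insurance application asks
about them: is spoofing actually blocked, or only monitored?

Added example for this article, not code from the original page. It works
on TXT record strings you have already fetched (for example with dig), so it
runs offline. The records at the bottom are constructed for a hypothetical
domain.
"""

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' (DMARC and DKIM share this syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means nothing to fix."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or not v=spf1"]
    # The terminal 'all' qualifier decides what receivers do with senders
    # the record does not list.
    all_term = next((t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term in (None, "all", "+all"):
        findings.append("SPF: '+all' or missing 'all' authorises any sender")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
    elif all_term == "~all":
        findings.append("SPF: '~all' is softfail; move to '-all' once DMARC is enforcing")
    # RFC 7208 s4.6.4: more than 10 DNS-querying mechanisms is a permerror,
    # which receivers treat as if no SPF record existed.
    lookups = 0
    for t in terms:
        name = t.lstrip("+-~?").lower().split(":")[0].split("/")[0]
        if name in SPF_LOOKUP_MECHANISMS or t.lower().startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceeds the limit of 10")
    return findings


def check_dmarc(record: str) -> list:
    """Findings for the DMARC record at _dmarc.<domain>."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or not v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unrecognised policy '{policy}'")
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit():
        findings.append(f"DMARC: pct='{pct_raw}' is not a number")
    elif int(pct_raw) < 100:
        findings.append(f"DMARC: pct={pct_raw} applies the policy to only {pct_raw}% of mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def check_dkim(record: str = "") -> list:
    """Findings for a DKIM selector record (<selector>._domainkey.<domain>)."""
    if not record:
        return ["DKIM: no selector record published"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional under RFC 6376
        return ["DKIM: not a v=DKIM1 record"]
    if not tags.get("p"):
        return ["DKIM: empty p= means the key was revoked"]
    return []


def grade(records: dict) -> dict:
    """Combine the checks; 'dmarc_enforcing' is the yes/no an insurer wants."""
    findings = (check_spf(records.get("spf", ""))
                + check_dmarc(records.get("dmarc", ""))
                + check_dkim(records.get("dkim", "")))
    policy = parse_tags(records.get("dmarc", "")).get("p", "").lower()
    return {"dmarc_enforcing": policy in ("quarantine", "reject"), "findings": findings}


# Constructed records for a hypothetical domain: the monitoring-only setup
# many SMBs stop at, and the hardened version of the same domain.
WEAK_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ip4:203.0.113.10 ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.ca",
    # no DKIM selector published
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.ca",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",  # placeholder, not a real key
}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(name, grade(recs))
```

The weak set produces three findings and `dmarc_enforcing: False`, which is the honest answer even though SPF, DMARC and (per the application) DKIM all "exist". Moving to `p=reject` should be done after a few weeks of reading the `rua` reports, since the first thing they usually reveal is a legitimate third-party sender nobody listed in SPF.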
The Canadian Market
Adoption Remains Low
Statistics Canada's 2023 Canadian Survey of Cyber Security and Cybercrime found that only 22% of Canadian businesses reported having cyber insurance — either as a standalone policy or as part of a broader coverage package. Among small businesses with 10 to 49 employees, adoption was lower still.
Meanwhile, 1 in 6 Canadian businesses were impacted by a cybersecurity incident according to the same survey, and total spending on recovery from cyber incidents across Canadian businesses reached $1.2 billion in 2023 — double the $600 million spent two years earlier.
Premiums Have Been Volatile
The Canadian cyber insurance market experienced significant premium increases in 2021 and 2022, with some organizations seeing year-over-year increases of 50% or more. By 2023 and 2024, the market began stabilizing, with more moderate adjustments — and in some cases, decreases for organizations that could demonstrate strong security postures.
This pricing dynamic reflects a market that is increasingly risk-differentiated: businesses with documented security controls pay less, and businesses without them either pay significantly more or cannot obtain coverage at all.
The Application Is a Security Assessment
One aspect that catches many businesses off guard is the application process itself. Cyber insurance applications have evolved from simple questionnaires into detailed security assessments. They ask specific, technical questions about MFA deployment, EDR coverage, backup architecture, patching cadence, access controls, and incident response readiness.
The answers provided on the application form the basis of the insurance contract. As the Travelers v. ICS and Columbia Casualty v. Cottage Health cases illustrate, inaccurate answers — whether intentional or not — can result in denied claims or voided policies.
What This Means in Practice
Several patterns emerge from the current state of the cyber insurance market:
Security controls and insurability are converging. The controls insurers require — MFA, EDR, tested backups, patching, incident response planning — closely mirror the Canadian Centre for Cyber Security's Baseline Controls. Organizations that implement the Baseline Controls are simultaneously building the security posture that insurers look for.
The application is a commitment. What a business states on its insurance application is treated as a material representation. If the stated controls are not actually in place when a claim is filed, the insurer has grounds to deny coverage or void the policy entirely.
Exclusions matter. Policies contain exclusions — for acts of war, for pre-existing conditions, for failure to maintain stated controls, and for late notification. Understanding what a policy does not cover is as important as understanding what it does.
Late notification can affect coverage. Most policies require prompt notification — often within 24 to 72 hours of discovering an incident. Having an incident response plan that includes the insurer's contact information and notification requirements is directly relevant to whether a claim proceeds smoothly.
The Baseline Controls Connection
The overlap between what cyber insurers require and what the Canadian Centre for Cyber Security's Baseline Controls define is substantial:
- BC.1 — Incident Response Planning: Insurers ask whether a written, tested plan exists
- BC.2 — Patch Management: Insurers ask about patching cadence and timeframes for critical vulnerabilities
- BC.5 — Authentication: MFA is the single most common insurance requirement, and the control at issue in both the Travelers v. ICS rescission and the Hamilton denial
- BC.6 — Security Awareness: Insurers ask about employee training and phishing simulations
- BC.7 — Data Backup: Insurers ask about offline backups, tested restores, and the 3-2-1 rule
- BC.9 — Network Security: Insurers ask about segmentation, firewalls, and remote access controls
An organization that has honestly assessed and addressed these control areas is in a materially different position — both in terms of its ability to prevent an incident and its ability to support an insurance claim if one occurs.
Our free assessment evaluates your organization across all 13 Baseline Control areas and shows where your security posture currently stands, information that is relevant whether or not you are considering insurance.
Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
How does your organization measure up?
Take our free cybersecurity assessment based on the Canadian Centre for Cyber Security's Baseline Controls. 50 questions, under 30 minutes, 100% confidential — your answers never leave your browser.