
Cyber Insurance for SMBs: What It Covers, What It Doesn't

What insurers require now and how to prepare

Cyber insurance covers incident response costs, business interruption losses, and legal obligations. But in 2026, insurers check what you actually deployed: without MFA everywhere, tested backups, EDR, and a response plan, your claim risks being denied. In Quebec, Law 25 adds distinct obligations: keep an incident log for five years, notify the CAI and affected individuals in case of serious risk. An insurance policy helps you pay the bill, but does not relieve you of the log.


Heads up! We know you know, but Blue Fox is neither an insurance broker nor a law firm, and does not have the expertise to provide legal or financial advice. What follows is the result of research on a thorny topic of the day.
Happy reading! 🦊


In June 2019, a rogue Desjardins employee exfiltrated the personal information of 4.2 million members over 26 months. Outcome: a class action settlement approved by the Quebec Superior Court reaching up to $200.8 million. This is the incident that woke up the Quebec cyber insurance market.

In November 2024, the files of a manufacturing SMB in Lévis, Quebec, were encrypted by the LockBit 3.0 ransomware. Demand: USD $85,000 in bitcoin. No national media coverage, no press release, just an owner picking up the phone to call his insurer. And discovering that the cyber insurance he thought he had wasn't quite what he expected.

The Canadian cyber insurance market is expected to grow from USD $590 million in 2025 to USD $1.14 billion by 2030. This growth is not due to insurer generosity: it's the frequency and severity of incidents pushing premiums up. And with that comes a tightening of underwriting conditions. We walk through what this means for you.


What cyber insurance covers

A good policy protects you on several fronts. Incident response covers digital forensics, incident response specialists, and the costs of notifying affected individuals. When ransomware hits, these experts bill by the hour and the bill adds up fast.

Business interruption compensates for lost revenue when systems are down for days. Legal and regulatory costs cover lawyers' fees and obligations linked to Law 25 in Quebec or PIPEDA federally. Some policies also cover ransom negotiations and payment, along with crisis communications to manage media fallout and reputational damage.

That's what it covers in theory. The practice is often less simple.


What it doesn't cover

Exclusions are numerous and often buried in the fine print. Here's what comes up most often.

| Covered | Generally excluded |
| --- | --- |
| Ransomware and extortion | Acts of war and state-sponsored attacks |
| Digital forensic investigation | Known unpatched vulnerabilities |
| Business interruption | Social engineering fraud (often optional) |
| Notification to affected individuals | Third-party vendor failures |
| Legal costs | Known pre-existing vulnerabilities |
| Crisis communications | Non-compliance with required security measures |

The trickiest exclusion isn't even on this list: it's misrepresentation. If you checked "yes" on the questionnaire for MFA but didn't actually deploy it everywhere, the insurer can deny your claim. And it happens: roughly 27% of cyber claims are denied or partially paid due to exclusions or gaps between what was declared and reality.


Three rulings that changed the rules

Three recent decisions are worth reading carefully before signing. They are the cases where the contract's blind spots became visible.

Merck v. ACE American Insurance (2024 settlement): the act-of-war exclusion. When the NotPetya ransomware hit Merck in 2017, losses totalled USD $1.4 billion. Insurers refused, invoking the "hostile or warlike acts" exclusion and arguing NotPetya was attributed to Russia. After six years of litigation, Merck won at trial and on appeal, and insurers settled in January 2024, days before oral arguments at the New Jersey Supreme Court. What this means for you: since that decision, insurers have rewritten the act-of-war exclusion in most cyber policies. Read the new wording. It can be far broader than you think.

EMOI Services v. Owners Insurance (Ohio Supreme Court, 2022): the intangible that doesn't count. This American software SMB paid $35,000 to recover its encrypted files. Its "businessowners" policy with an electronic component was triggered. Denied the same day. The Ohio Supreme Court ruled: the policy required "direct physical loss or damage" to electronic equipment, and encrypted files are intangible, not physically damaged. The trap here isn't insurer bad faith: it's that EMOI had never bought a real cyber policy, just general business coverage. Many SMBs are in the same situation and don't realize it until claim day.

CiCi Enterprises v. HSB Specialty Insurance (US Federal Court, Texas, February 2026): when the sublimit doesn't hold. In 2022, the CiCi chain suffered a cyberattack costing $1.2 million, including $400,000 in ransom. HSB tried to invoke a $250,000 ransomware sublimit. The judge ruled in CiCi's favour: the sublimit was drafted too loosely, the $3 million aggregate cap applies. The lesson isn't that you should be ready to sue your insurer. No SMB wants to end up there. The lesson is that sublimits are worth only as much as their clarity. Before signing, have your broker or a lawyer who understands them review the endorsements.


What insurers require, and actually verify

The era of the one-page form and signed cheque is over. According to Marsh McLennan's 2025 report, 99% of cyber insurance submissions now ask precise questions about MFA. Insurers want screenshots, logs, backup test results, written policies. Oversight doesn't stop at underwriting: an audit can be triggered mid-policy, not only at renewal.

Six controls show up in nearly every questionnaire.

Multi-factor authentication (MFA) everywhere: email, cloud, VPN, remote access, admin accounts. MFA on the boss's email only is no longer accepted.

Regular backups, tested (ideally every quarter) and ideally immutable. A backup that ransomware can encrypt along with everything else isn't really a backup.

Endpoint protection (EDR/MDR): a classic antivirus is no longer enough. Insurers want a modern solution with behavioural detection, ideally with human oversight.

Employee training and awareness, documented. According to the Canadian Centre for Cyber Security, nearly 60% of Canadian SMBs hit by ransomware were compromised through phishing or stolen credentials. The human is the most exploited link, and insurers know it.

Incident response plan, written, tested, known by the team. A plan in a drawer has no value if nobody knows who to call at 2 a.m.

Patch management in short timelines (often 30 days for critical patches). No sympathy for a Fortinet or Cisco vulnerability still unpatched six months after disclosure. That's exactly the profile ransomware groups exploit first.
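The backup control above asks for more than "we have backups": insurers want dated test results. As an added example (not code from the original post or from Blue Fox), here is a small Python restore-test harness that turns "tested every quarter" into evidence. It restores an archive into a scratch directory, checks every file against a SHA-256 manifest recorded at backup time, and emits a record with the test date and the next due date. The sample files, the 90-day interval and the dates are constructed for the example; immutability is a property of the storage target and is not covered here.

```python
# Added example (not from the original post): a restore test that produces
# the dated evidence an insurer asks for. The backup set, manifest and dates
# are constructed here; in practice the manifest is written by the backup
# job and the archive comes from your real backup target.
import hashlib
import io
import json
import os
import tarfile
import tempfile
from datetime import date, timedelta

# Constructed sample backup set standing in for real files.
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2026-01-05,1200.00\n",
    "hr/roster.txt": b"alice\nbob\n",
}


def make_backup(files):
    """Build a gzip tar archive in memory plus a SHA-256 manifest.

    The manifest is recorded at backup time; the restore test later compares
    what actually comes back out of the archive against it.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    return buf.getvalue(), manifest


def restore_test(archive_bytes, manifest):
    """Restore the archive into a scratch directory and verify every file.

    Returns a list of (path, problem) tuples; an empty list means the
    restore reproduced the manifest exactly.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
            try:
                # Python 3.12+: the "data" filter rejects path traversal and links.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        for name, expected in manifest.items():
            path = os.path.join(scratch, name)
            if not os.path.isfile(path):
                problems.append((name, "missing after restore"))
                continue
            with open(path, "rb") as fh:
                actual = hashlib.sha256(fh.read()).hexdigest()
            if actual != expected:
                problems.append((name, "hash mismatch"))
    return problems


def evidence_record(label, problems, files_checked, tested_on, interval_days=90):
    """Dated result suitable for the backup-test evidence an insurer asks for."""
    return {
        "backup_set": label,
        "tested_on": tested_on.isoformat(),
        "files_checked": files_checked,
        "result": "pass" if not problems else "fail",
        "problems": [f"{name}: {why}" for name, why in problems],
        "next_test_due": (tested_on + timedelta(days=interval_days)).isoformat(),
    }


def run_quarterly_test(files=SAMPLE_FILES, tested_on=date(2026, 1, 6)):
    """End-to-end: back up, restore, verify, and return the evidence record."""
    archive, manifest = make_backup(files)
    problems = restore_test(archive, manifest)
    return evidence_record("sample-set", problems, len(manifest), tested_on)


if __name__ == "__main__":
    print(json.dumps(run_quarterly_test(), indent=2))
```

The point of the manifest is that the test checks the restored content, not just that the archive opens; a backup that restores a tampered or truncated file fails the test, and the failing file is named in the record. Keeping these records (pass or fail, with dates) is what turns "we test our backups" into something you can show an underwriter or an auditor.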


What it costs in Canada

For a Canadian SMB with moderate risk, annual premiums generally range between $500 and $2,500, but the spread is wide depending on the profile.

Company size and revenue matter: the larger the exposure, the higher the premium. Industry too: healthcare, retail, and financial services pay more due to the sensitivity of the data they handle. The volume of personal information stored directly influences the amount. And finally, your security practices: an organization with a proactive posture gets lower premiums, sometimes significantly lower.

The real cost to consider is that of an incident without insurance. A six-figure forensic investigation, customer notifications, lawyers, several days of disruption: the bill easily exceeds a million for a 30-person SMB. A $2,000-a-year premium takes on a different flavour in that context.


Law 25: your obligations remain your obligations

In Quebec, Law 25 imposes clear obligations in the event of a confidentiality incident presenting a risk of serious harm: notify the Quebec Access to Information Commission without delay, notify affected individuals, and keep an incident log for five years. Administrative monetary penalties can reach $10 million or 2% of worldwide revenue (whichever is greater). In the case of criminal prosecution, it rises to $25 million or 4%.

Cyber insurance helps you pay the bill linked to these obligations. It does not relieve you of meeting them. And a CAI inspection isn't settled with a cheque from your insurer: it's your name that appears in the public sanctions registry.


Before you shop

The baseline controls to have in place before even filling out a cyber insurance questionnaire:

  1. MFA deployed on all accounts (email, cloud, VPN, admin)
  2. Automated backups, tested at least once per quarter, ideally immutable
  3. EDR or MDR active on all endpoints, not an antivirus from 2015
  4. Patch policy applied within 30 days for critical updates
  5. Incident response plan, written, tested, known by the team
  6. Awareness training, documented, ideally annual
  7. Law 25 incident log ready to receive an incident, not to create in a panic

Every box checked improves your file, lowers your premium, and most importantly protects your coverage when a claim hits.


Our approach at Blue Fox

We don't sell insurance and we don't collect broker commissions. What we do is put in place the controls insurers now require: MFA deployment, immutable backup configuration, EDR on endpoints, system hardening, documented incident response plans. We use open-source solutions as much as possible. You keep control over your tools and aren't locked into a vendor.

When the time comes to fill out your insurer's questionnaire, we help you document what is actually in place. Because misrepresentation is the number-one reason claims get denied, and the one that can turn a manageable incident into uncovered loss.

We offer security audits and hardening services directly aligned with the requirements of Canadian cyber insurers. We document everything so that your file is solid when the time comes to subscribe, or to claim. Let's talk.

Cyber insurance is a useful tool, but it's neither a substitute for security nor a shortcut to Law 25 compliance. Combined with strong controls and operational rigour, it can make the difference between a manageable incident and a permanent shutdown. Without controls, it's an expense that risks paying nothing when it would matter most.


Sources

Desjardins settles 2019 data breach class-action lawsuit for up to nearly $201M, CBC News
EMOI Services LLC v. Owners Insurance Co., Supreme Court of Ohio (2022)
Merck Settles Coverage Dispute With Insurers Over War Exclusion in NotPetya Attack, Insurance Journal
Court Refuses to Slice Up CiCi's Cyber Extortion Coverage, National Law Review (2026)
Cyber Claims 2025: Data privacy remains a challenge while ransomware lingers, Marsh
Cybersecurity remains a tick-the-box exercise despite the rise in cyberattacks, KPMG Canada
Administrative monetary penalties, Commission d'accès à l'information du Québec
Cyber Insurance in 2025: Controls Insurers Actually Verify, Sirkit
Cyber Insurance: How Canadian Businesses Qualify, RevNet
How Much Does Cyber Insurance Cost in Canada?, NeoLore Networks
Avoiding The Most Common Cyber Insurance Claim Denials, GB&A Insurance
Cyber Insurance Audit Requirements: 2025–2026 SMB Guide, IntelTech
