
Cyber Liability Insurance in Ontario, Canada

Commercial Insurance | Boardwalk Insurance — A Division of Oracle RMS

Cyber liability insurance covers the financial losses your business incurs from data breaches, ransomware attacks, and other cyber incidents — including the cost of notifying affected customers, regulatory defence and fines, recovering compromised systems, paying ransom demands, and responding to third-party claims from individuals or businesses whose data was exposed. As every Canadian business that stores customer data, processes payments, or operates connected systems has cyber exposure, cyber liability is no longer a specialty coverage — it is an essential component of a complete commercial insurance program. Boardwalk Insurance serves Ontario businesses with cyber liability coverage from 30+ A-rated carriers. Serving all provinces except Quebec.



What Is Cyber Liability Insurance?

Cyber liability insurance covers financial losses arising from cyber incidents — data breaches, ransomware attacks, hacking, phishing, social engineering fraud, and accidental data exposure. It addresses both first-party losses (costs your business incurs directly in responding to and recovering from an incident) and third-party losses (claims made against your business by customers, employees, or partners whose data was compromised).

Standard commercial property and CGL policies do not cover cyber losses. Most commercial property policies exclude electronic data from the definition of covered property. CGL policies contain broad exclusions for electronic data claims. Without a standalone Cyber Liability policy, a significant cyber incident — a ransomware attack that locks your systems for two weeks, a data breach affecting thousands of customers, or a fraudulent wire transfer — falls entirely outside your insurance program.

Why Every Ontario Business Has Cyber Exposure

Cyber risk is not limited to technology companies. Any business that:

- Stores customer names, addresses, payment card data, or health information
- Processes electronic payments
- Uses email, cloud services, or internet-connected systems
- Employs staff and stores HR and payroll data
- Operates point-of-sale systems
- Relies on connected equipment or operational technology

...has cyber exposure. The size of the business does not determine whether it is a target — ransomware groups specifically target small and mid-size businesses because they typically have weaker defences than large enterprises and are more likely to pay a ransom to restore operations quickly.


What Does Cyber Liability Insurance Cover?

First-Party Coverages — Your Own Losses

Data Breach Response Costs: When a data breach occurs — whether through a hack, a lost laptop, or an accidental email to the wrong recipient — the business must notify affected individuals. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy legislation require notification of affected parties when there is a real risk of significant harm from a breach. Notification costs — identifying affected individuals, printing and mailing notices, setting up dedicated hotlines — can be substantial for businesses with large customer databases.

Forensic Investigation: After a cyber incident, a digital forensics firm must investigate to determine what happened, what data was accessed or exfiltrated, and how the attacker gained entry. Forensic investigation costs are typically covered under the first-party section of a cyber policy.

System Recovery and Remediation: The cost of restoring compromised or encrypted systems, recovering data from backups, and remediating the vulnerabilities that allowed the attack to succeed is covered under cyber liability insurance.

Ransomware and Extortion Payments: Many cyber policies include coverage for ransomware payment costs — the ransom itself, plus the associated costs of negotiating with threat actors and verifying decryption following payment. Ransomware payments are a deeply complex area of coverage with regulatory dimensions; businesses should understand their policy's ransomware provisions in detail before an incident occurs.

Business Interruption from Cyber Incident: Revenue lost and additional expenses incurred during the period when systems are unavailable or impaired following a cyber attack are covered under cyber business interruption coverage. This is distinct from standard BI insurance, which requires a physical damage trigger — cyber BI responds when systems are compromised by a cyber event, with no physical damage required.

Social Engineering and Fraud: Coverage for financial losses from social engineering attacks — CEO fraud, business email compromise, invoice manipulation, and fraudulent payment diversion. Social engineering attacks frequently result in large, difficult-to-recover wire transfers to fraudulent accounts. This coverage is sometimes written with sublimits separate from the main cyber limit.

Third-Party Coverages — Claims Against Your Business

Privacy Liability: Claims made against your business by individuals whose personal information was compromised in a breach — alleging that your business failed to adequately protect their data. These claims can arise as individual lawsuits or class actions, particularly following large-scale breaches.

Regulatory Defence and Fines: Defence costs and fines imposed by regulators following a data breach or privacy violation — including the Office of the Privacy Commissioner of Canada under PIPEDA, and provincial privacy commissioners. Regulatory investigations are increasingly common following significant breaches and can result in orders and penalties separate from civil litigation.

Network Security Liability: Claims from third parties — clients, vendors, or partners — who suffered losses because your compromised systems were used to attack or infect their systems, or because a failure in your network security disrupted services you provided to them.


Canada's Privacy Legislation and Breach Notification Requirements

Canadian businesses handling personal information are subject to a framework of federal and provincial privacy legislation that creates specific cyber obligations:

PIPEDA (federal): The Personal Information Protection and Electronic Documents Act applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of commercial activity. PIPEDA requires organizations to notify the Privacy Commissioner and affected individuals of breaches involving a real risk of significant harm. Failure to report can result in fines of up to $100,000.

Quebec's Law 25: Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25) has among the most stringent privacy requirements in Canada, including mandatory breach reporting to the Commission d'accès à l'information and affected individuals, strict data minimization requirements, and fines of up to $25 million or 4% of worldwide turnover for serious violations. Organizations operating in Quebec or processing the data of Quebec residents must comply.

Ontario's Personal Health Information Protection Act (PHIPA): Healthcare organizations in Ontario that handle personal health information face specific breach notification and privacy obligations under PHIPA, enforced by the Information and Privacy Commissioner of Ontario.

Cyber liability insurance addresses the legal defence, regulatory response, and notification costs associated with compliance with these obligations following a breach.


Common Cyber Liability Claims in Ontario

Ransomware Attack — System Encryption and Business Interruption

Ransomware is the dominant cyber threat facing Canadian small and mid-size businesses. An attacker encrypts the business's systems and demands payment to provide the decryption key. The business cannot operate — its files, systems, and databases are inaccessible. Cyber liability insurance covers the forensic investigation, system remediation, ransom negotiation costs, potential ransom payment, and business interruption losses during the period of system unavailability.

Example: A manufacturing company in Ontario is hit by a ransomware attack on a Monday morning. All systems — ERP, email, production scheduling, and financial applications — are encrypted. The business cannot take orders, schedule production, or process payments. System recovery takes 11 days. Forensic investigation, incident response, system restoration, and business interruption losses total $380,000. Cyber liability insurance responds.

Data Breach — Customer Payment Card Data

A retail business or restaurant suffers a breach of its point-of-sale system that exposes customer payment card data. The business must notify all affected cardholders, engage a forensic firm to investigate the breach and demonstrate compliance with PCI DSS (Payment Card Industry Data Security Standard), and respond to claims from card issuers for fraudulent charges.

Example: A restaurant's POS system is compromised by malware for approximately eight weeks before detection. Approximately 4,200 customer payment cards are exposed. Forensic investigation, card brand assessments, notification, and call centre costs total $185,000. Third-party claims from card issuers for reissuing costs add $40,000.

Business Email Compromise — Fraudulent Wire Transfer

An employee receives an email that appears to come from the company's CEO or CFO, directing an urgent wire transfer to an unfamiliar bank account. The employee complies, and the funds — often $50,000 to $500,000 — are transferred to a fraudulent account before the fraud is detected. Recovery of fraudulently transferred funds is rarely possible through the banking system; cyber insurance's social engineering coverage is the primary financial recovery mechanism.

Example: A construction company's accounts payable clerk receives an email appearing to come from the CEO, requesting an urgent $180,000 wire transfer to a new supplier. The email address is a convincing spoof of the CEO's actual address. The transfer is made and the fraud is discovered two days later. The funds are unrecoverable through the bank. Cyber social engineering coverage responds to the $180,000 loss.


Frequently Asked Questions About Cyber Liability Insurance in Ontario

Does my CGL policy cover cyber losses?

No. Standard Commercial General Liability policies contain broad exclusions for electronic data, data breaches, and cyber incidents. CGL covers physical injury and property damage — and in most policy forms, electronic data is explicitly excluded from the definition of tangible property. A data breach, ransomware attack, or cyber fraud event generates losses that CGL will not cover. Cyber liability insurance must be purchased separately.

Do small businesses need cyber liability insurance?

Yes. Small businesses are disproportionately targeted by ransomware and phishing attacks precisely because they typically have weaker security controls than large enterprises and are more likely to pay a ransom to restore operations quickly. A small retailer with a POS system, a professional services firm with client data on a shared drive, or a medical clinic with patient records on a networked system — all have meaningful cyber exposure. The cost of a cyber incident is not proportional to the size of the business; forensic investigation, system recovery, and notification costs are largely fixed regardless of whether the victim is a 10-person firm or a 1,000-person company.

What is the difference between cyber liability and crime insurance?

Cyber liability insurance covers losses from cyber attacks, data breaches, and technology-related fraud — including social engineering (business email compromise). Crime or Fidelity insurance covers employee theft, forgery, and — in some forms — certain types of fraud. There is overlap in the social engineering space, and it is important to confirm which policy responds to BEC and invoice fraud. Some businesses carry both cyber and crime coverage with clear coordination between the two; others address fraud under cyber with a social engineering endorsement. Your broker should map which coverage responds to each fraud scenario your business faces.

How much does cyber liability insurance cost in Ontario?

Cyber liability premiums in Ontario vary based on annual revenue, the volume and sensitivity of data stored (payment cards, health data, and personal information each carry different risk ratings), the business's security posture (multi-factor authentication, endpoint protection, and backup practices all affect pricing), and claims history. A small professional services firm might pay $800 to $2,000 per year for $1 million in cyber coverage. A mid-size manufacturer or retailer with significant customer data might pay $3,000 to $8,000 or more for $2 million in coverage. The cyber insurance market has hardened significantly since 2020 as ransomware losses increased, and pricing is now more directly tied to security controls than it was previously.

What security controls do cyber insurers require in Ontario?

The minimum security controls expected by most cyber insurers before quoting include: multi-factor authentication (MFA) for remote access and email; regular offline or immutable backups of critical data; endpoint detection and response (EDR) software on all devices; and documented access controls limiting administrator privileges. Insurers increasingly require these controls as a condition of coverage, not just as a pricing factor. Businesses that cannot demonstrate these baseline controls may face coverage exclusions, higher deductibles, or declination.


Why Ontario Businesses Choose Boardwalk Insurance for Cyber Liability

Boardwalk Insurance places cyber liability insurance for Ontario businesses across retail, professional services, healthcare, manufacturing, technology, and construction sectors. We access 30+ A-rated carriers and work with clients to understand their specific data environment, security posture, and regulatory obligations before recommending coverage structures.

Get a Free Quote | +1-416-477-9771 | sales@myboardwalk.ca
