If your small business handles customer payment information or personal data, or would be seriously disrupted by even a few days of downtime, cyber insurance is genuinely worth carrying. It covers costs a general liability policy doesn't — incident response, data recovery, business interruption, legal fees, and customer notification — but it is not a substitute for basic security hygiene, and most policies now require controls like MFA to actually pay a claim.
Cyber insurance in Canada sits in an odd spot for most small business owners: enough has been written about ransomware headlines that everyone knows the risk is real, but far less has been written honestly about what a policy actually covers, what it costs at small-business scale, and — critically — what gets a claim denied after the fact. Large enterprises have dedicated risk teams to work through all of this. A five-person accounting firm or a twenty-person retailer usually doesn't, which is exactly the gap this guide is meant to close.
This guide is written specifically for the business owner asking a practical question — not "what is cyber insurance" in the abstract, but "should I actually spend the money on this, and if so, what do I need to have in place first." That second question is the one that determines whether a policy is a genuinely useful safety net or an expensive piece of paper that turns out not to pay when it matters.
Who wrote this guide
This article was written and reviewed by IT Cares certified technicians based on our work helping Canadian small businesses close the security gaps insurers actually check for during underwriting and after a claim. We don't sell insurance policies — we help businesses meet the security requirements insurers expect, which is a different, complementary role.
What Cyber Insurance Actually Covers
Policies vary between insurers, but most Canadian cyber liability policies are built around two broad categories of cost: money your business spends responding to its own incident, and money you owe because someone else — a customer, a regulator, a partner — was harmed by it.
First-party costs (your own business's expenses)
- Incident response: Forensic investigation to determine what happened, how the attacker got in, and what data or systems were affected — this alone can be a significant expense even before anything else is addressed.
- Data recovery: Restoring systems and data from backup, or rebuilding what can't be restored, following a ransomware attack or destructive breach.
- Business interruption: Lost income and extra expenses incurred while your systems are down or operating in a degraded state, often one of the largest components of a real claim for a business that depends on its systems to operate.
- Ransomware payment and negotiation: Some policies cover the cost of a specialized negotiator and, depending on the policy, the ransom payment itself — though this varies significantly and is never something to assume without confirming the specific wording.
Third-party costs (obligations to others)
- Legal liability: Costs of defending against or settling claims from customers, partners, or other third parties harmed by the breach.
- Regulatory fines and penalties: Costs associated with regulatory investigations or penalties tied to privacy law obligations, where insurable under Canadian and provincial law.
- Customer notification costs: Under Canadian privacy law, businesses that experience a breach involving personal information generally have an obligation to notify affected individuals and, in some cases, regulators — the cost of doing this properly (mailing, call centers, credit monitoring offers) adds up quickly and is a specific, insurable line item.
What cyber insurance does NOT do
This is the part sales conversations tend to skip. Cyber insurance does not replace basic security hygiene — it is a financial backstop for when hygiene fails, not a substitute for having it in place at all. Just as importantly, many policies explicitly require minimum security controls to even pay out: multi-factor authentication, regular tested backups, and timely patching are increasingly listed as conditions of coverage, not optional recommendations. A business that buys a policy and does nothing else to improve its security posture may find, at the worst possible moment, that the policy it paid for doesn't actually respond to the claim.
📊 IT Cares field note: The small businesses we see get the most value out of a policy are the ones that treat the application process itself as a security checklist — implementing MFA, testing backups, and documenting an incident response plan specifically to qualify for coverage, then keeping those same controls in place afterward rather than letting them lapse once the policy is bound.
Not sure if you meet an insurer's security requirements?
Our certified technicians assess your MFA coverage, backup reliability, and patch status, and close the gaps insurers actually check for — remotely, from $119.99.
Cyber Insurance vs. Cybersecurity: Two Different Investments
It's worth being precise about how these two relate, because the marketing around both sometimes blurs the line in ways that don't serve a business owner well. Cybersecurity — MFA, endpoint protection, backups, employee training, network monitoring — is what reduces the odds of an incident happening and limits the damage if one does. Cyber insurance is what absorbs the financial impact when, despite reasonable security, an incident happens anyway. Neither one is a substitute for the other, and a business that has excellent security but no insurance is exposed to the same catastrophic downside cost as one with poor security and a policy that won't pay out.
The practical relationship between the two is closer to a feedback loop than two separate purchases. Improving your security posture — implementing MFA, testing backups, running basic phishing training — directly lowers your premium and widens the range of insurers willing to write you a policy at all, since underwriters increasingly treat weak security as a direct predictor of claim frequency and severity. At the same time, going through the insurance application process itself often surfaces security gaps a business didn't know it had, since insurers now ask pointed, specific questions (Is MFA enabled on all remote access? When was your last backup restore tested? Do you have a documented incident response plan?) that a general IT conversation might not have prompted on its own.
📊 IT Cares field note: We've had more than one small business client come to us specifically because a cyber insurance application asked a security question they couldn't confidently answer — "is MFA enforced on all admin accounts" is a common one. That single question, more than any general security pitch, is often what finally gets basic controls implemented after months of "we'll get to it eventually."
For a Canadian small business owner deciding where to start, the honest order of operations is: implement the baseline security controls first (see the readiness checklist below), then shop for a policy with those controls already documented. Doing it in reverse — buying a policy first and treating security as an afterthought — tends to produce exactly the kind of gap between what an application claims and what's actually in place that leads to a denied claim later, covered in more detail further down this guide.
Real Cost Ranges for Canadian SMB Cyber Insurance
Nobody can give you an accurate quote without underwriting your specific business — anyone promising an exact number without knowing your revenue, industry, claims history, and security posture is skipping a step. What follows are general, realistic ranges based on business size, meant to help you budget for a conversation with a broker, not to replace getting an actual quote.
| Business profile | Typical annual premium range (CAD) | What drives the range |
|---|---|---|
| Micro business (1-5 employees, minimal customer data) | Roughly $500 – $1,500 | Low revenue and limited data exposure keep premiums near the entry tier, though a business handling any payment data will sit at the higher end |
| Small business (6-20 employees, some customer/payment data) | Roughly $1,000 – $4,000 | Employee count, revenue, and whether payment card data or health/financial records are handled all push premiums up within this band |
| Growing SMB (21-50 employees, regular customer data handling) | Roughly $3,000 – $10,000+ | Larger data footprint, more endpoints, and often a prior claims history or lack of one becomes a bigger swing factor at this size |
| Regulated or high-sensitivity SMB (legal, healthcare, financial services, any size) | Often meaningfully above standard tiers | Regulatory obligations, sensitivity of the data held, and higher potential notification/liability costs outweigh employee count as the driving factor |
Factors that move your premium up or down
- MFA usage: Widespread multi-factor authentication is one of the single strongest premium-reducing factors insurers currently weigh, since it directly blocks the most common attack path (compromised credentials).
- Backup practices: Regular, tested, and ideally offline or immutable backups reduce the insurer's expected payout in a ransomware scenario, which is reflected in the price.
- Past incidents: A prior breach or claim, even a minor one, tends to increase premiums or narrow available coverage on renewal, similar to any other insurance line.
- Industry: Healthcare, legal, financial services, and any business regularly handling payment card data are priced higher due to the sensitivity of what's at stake and the regulatory obligations attached to it.
- Security awareness training: Insurers increasingly ask whether staff receive any regular phishing or security training, since human error remains the most common entry point for a breach.
Don't shop on price alone
The cheapest policy that technically checks the "we have cyber insurance" box is not the same as a policy that will actually pay out cleanly when you need it. Pay close attention to sub-limits (some policies cap ransomware payment coverage far below the total policy limit), retroactive dates, and exactly which security controls are listed as conditions of coverage — these details matter more than the headline premium.
Who Genuinely Needs Cyber Insurance
Employee count is a weak predictor of whether cyber insurance makes sense for a given business — what actually matters is the data you hold and how dependent your operation is on your systems staying up.
Businesses that genuinely need it
- Any business handling customer payment card data — retailers, e-commerce operators, restaurants, and service businesses taking card payments directly all carry real exposure if that data is compromised.
- Professional services holding sensitive client data — accounting firms, law offices, and consultancies handling financial records, legal documents, or confidential business information for clients.
- Healthcare and allied health practices — clinics, dental offices, and similar practices handling personal health information carry both a higher breach cost and specific regulatory notification obligations.
- Businesses that would be crippled by a few days of downtime — a logistics coordinator, an online store during a peak season, or any business where systems being offline for 48-72 hours means real, direct revenue loss rather than mere inconvenience.
- Businesses with vendor or contract requirements — increasingly, larger clients or landlords require proof of cyber coverage as a condition of doing business, making this a practical requirement even where it isn't a legal one.
Lower-risk cases where it's a closer call
A very small business with no digital customer data, minimal reliance on connected systems, and no regulatory exposure — a single-operator trade business that keeps paper records and takes cash or e-transfer only, for example — has a genuinely weaker case for carrying a dedicated policy, though even here, a compromised email account can still lead to costly fraud (like a fake invoice scam) that a policy would otherwise help absorb. The right call depends on an honest look at what data you actually hold and how a bad week would affect your business specifically, not a generic rule of thumb based on headcount alone.
Remote and hybrid teams change the calculation
A business with staff working from home, connecting from personal devices, or accessing systems over public Wi-Fi carries a meaningfully larger attack surface than the same business operating entirely from a single, IT-managed office network — and this is a factor insurers increasingly ask about directly during underwriting. If your team went remote or hybrid at any point and network access policies weren't formally updated to match, that gap is worth closing before applying, since "how do employees access company systems remotely, and is that access secured with MFA" is now a standard underwriting question rather than an edge case.
Broker vs. Direct: How to Actually Shop for a Policy
Cyber insurance can be purchased either through a commercial insurance broker or directly from certain insurers, and for a small business without an in-house risk manager, the broker route is generally the more practical choice, even though it may add a small cost to the transaction. A broker who regularly places cyber policies for businesses your size can compare coverage across multiple insurers, flag exclusions and sub-limits that aren't obvious from a marketing page, and — importantly — help translate the security-control questions on an application into something your business can actually answer accurately.
Whichever route you take, a few questions are worth asking directly before signing anything, since the answers vary meaningfully between insurers and policies even at similar price points:
- Is ransomware payment specifically covered, and is there a sub-limit lower than the overall policy limit? Some policies cap this category well below the headline coverage amount.
- Does the policy require using the insurer's approved incident-response vendor, or can you use your own IT provider? This affects how quickly and smoothly you can respond during an actual incident.
- What is the notification window after discovering a suspected incident? Missing this window, even with a legitimate incident, can jeopardize the claim.
- Which specific security controls are listed as conditions of coverage, not just recommendations? Get this in writing, since it's exactly what an investigator will check after a claim is filed.
- Is business interruption coverage based on actual lost income or a fixed daily rate? The two can produce very different payouts depending on your business's actual revenue pattern.
Renewal is also worth treating as an active decision rather than an automatic formality. Insurers reassess pricing and terms annually based on the current threat landscape and your own claims history, and the security controls that qualified you for a policy two years ago may no longer meet a current insurer's minimum bar — MFA requirements, in particular, have tightened considerably in a short period. Revisiting the readiness checklist below at each renewal, not just at initial purchase, keeps your coverage aligned with what the insurer actually expects.
How to Get Cyber Insurance Ready
Insurers are increasingly explicit about the controls they expect before writing a policy, and getting these in place first often makes the difference between an affordable premium and a declined or heavily restricted application. Work through this checklist before you apply, and keep it in place afterward — these controls also directly reduce your odds of ever needing to file a claim in the first place.
Enable multi-factor authentication everywhere
Turn on MFA on email, remote access, admin accounts, and any system holding customer or financial data. This is the single most commonly required control on current cyber insurance applications, and its absence is one of the most common reasons claims get denied.
Verify your backups actually work
Don't just confirm backups are running — actually test a restore. An untested backup that fails during a real ransomware incident defeats the entire purpose, and insurers increasingly ask whether restores have been tested, not just whether a backup job exists.
Write a basic incident response plan
Document who gets called, who has authority to take systems offline, and how employees report something suspicious. It doesn't need to be long or elaborate — it needs to exist, be written down, and be known to the people who would actually use it.
Get current on patch management
Unpatched, known vulnerabilities are one of the most common root causes insurers find during a post-breach investigation. A regular patching cadence for operating systems, browsers, and business software closes a gap attackers actively scan for.
Run basic employee security training
Phishing remains the single most common entry point for a small business breach. Brief, regular training on recognizing phishing attempts and reporting suspicious emails measurably reduces incident likelihood and is increasingly a specific question on insurance applications.
Answer the application honestly
Never overstate your security posture on a cyber insurance application. Misrepresenting controls you don't actually have in place — claiming MFA is enabled everywhere when it isn't, for example — is one of the most common reasons insurers cite for denying a claim after an incident occurs.
Want help closing these gaps before you apply?
IT Cares' security audits assess exactly the controls insurers check for — MFA coverage, backup reliability, patch status, and basic incident-response readiness — and our cybersecurity services help close any gaps found before you submit an application, not after a claim is denied.
Common Claim Denial Reasons
A policy that never pays out when it's actually needed is worse than no policy at all, because it creates false confidence. These are the most common, genuinely avoidable reasons insurers cite for denying or reducing a claim.
Misrepresenting security controls on the application
If the application states MFA is enabled organization-wide, backups are tested regularly, or endpoint protection is deployed everywhere, and a post-breach investigation finds otherwise, the insurer has strong grounds to deny the claim on the basis of material misrepresentation — regardless of how the breach actually occurred. This is the single most preventable reason for denial, and it comes down entirely to answering the application accurately in the first place.
Unpatched, known vulnerabilities
If forensic investigation traces the breach to a vulnerability that had a patch available for months (or longer) before the incident, insurers frequently treat this as a failure of reasonable security maintenance rather than an unavoidable attack, and may deny or reduce the payout accordingly.
No MFA when the policy required it
Many current policies list MFA as an explicit condition of coverage for remote access and email, not merely a recommendation. A breach that occurred through an account without MFA enabled, when the policy required it, is one of the most commonly cited reasons for a denied or reduced claim in recent years.
Failing to follow the incident response requirements in the policy
Some policies require using an approved incident-response vendor or notifying the insurer within a specific window after discovering a breach. Handling the incident entirely in-house, or waiting too long to notify the insurer, can jeopardize coverage even when the underlying incident itself would otherwise have been covered.
Excluded categories the business didn't realize applied
Some policies carve out specific exclusions that aren't always obvious on a first read — acts of war or state-sponsored attacks (a category insurers have tightened significantly following several high-profile disputes over whether a given ransomware group counted as state-affiliated), incidents involving unsupported or end-of-life software, or breaches originating from a third-party vendor rather than the policyholder's own systems. Reading the exclusions section as carefully as the coverage section, ideally with a broker who can explain what each exclusion means in plain language, prevents an unpleasant surprise at the exact moment coverage is needed most.
Waiting too long to report a suspected incident
Most policies specify a notification window — sometimes as short as 24 to 72 hours from when the business first became aware of a suspected incident. A business that spends a week internally investigating before contacting the insurer, hoping to have more answers before making the call, risks technically breaching a policy condition regardless of how the underlying incident is eventually resolved. When in doubt about whether something qualifies as reportable, the safer move is almost always to notify the insurer early and let them help guide next steps, rather than deciding on your own that it isn't serious enough yet.
Ready to Meet the Security Requirements Insurers Expect?
IT Cares helps Canadian small businesses close the MFA, backup, and patching gaps insurers actually check for — before you apply, and before a claim is ever on the line.
Comments (3)
The claim denial section was the wake-up call I needed. We were about to apply saying MFA was "mostly" in place — turns out that's exactly the kind of thing that gets a claim denied later. Fixed it first.
Good honest take on cost — every insurer site I visited before this wanted my email before showing any number at all. Appreciated seeing realistic ranges upfront.
We're a 4-person shop and always assumed cyber insurance was only for bigger companies. The client-data angle changed my mind since we do hold customer payment info.
Leave a Comment