Fewer than half of Canadian SMEs feel vulnerable to cyber attacks, data breaches: survey

'Serious financial and legal issues': Less than one-quarter hold cyber insurance

A new survey commissioned by the Insurance Bureau of Canada (IBC) has found that small and medium-sized businesses (SMEs) across the country may be dangerously underestimating their exposure to cyber threats—even as the financial consequences of cyber attacks continue to rise.

Despite cyber crime reaching record levels globally, fewer than half (48%) of Canadian SMEs believe their business is vulnerable to a cyber attack or data breach. Only 6% of respondents strongly agree that their business is at risk, even though research from the Business Development Bank of Canada (BDC) shows that 73% of small businesses have experienced a cyber security incident.

Confidence among business owners remains high, with 66% expressing faith in their ability to withstand a data breach or website shutdown. However, the IBC survey suggests that this confidence may be misplaced:

  • 47% say their business is prepared for a cyber attack or data breach
  • fewer than half (48%) have implemented any form of cyber defence
  • 22% of respondents carry cyber insurance
  • 12% have a dedicated stand-alone cyber insurance policy.

Rising costs, changing cyber attack patterns

Recent data from Statistics Canada underscores the growing financial impact of cyber incidents. In 2023, total spending on recovery from cyber security incidents doubled to $1.2 billion, up from approximately $600 million in 2021. Medium-sized and small businesses each spent about $300 million on recovery, while large businesses accounted for nearly half of total recovery spending.

While the proportion of Canadian businesses impacted by cyber security incidents has declined—from 21% in 2019 to 16% in 2023—certain attack methods are becoming more prevalent. Identity theft incidents rose by 11 percentage points since 2021, affecting nearly a third (31%) of impacted businesses.

Scams and fraud remain the most common method, affecting half (50%) of impacted businesses, while ransomware attacks were reported by over 1 in 8 (13%) of those affected in 2023.

The majority of ransomware victims (88%) did not make a ransom payment. Of those who did, most (84%) paid less than $10,000, but a small percentage (4%) paid more than $500,000.

Policies, training and insurance lag behind

Despite increasing concerns about cyber risks—especially those related to artificial intelligence (AI)—preparedness measures remain limited. The IBC survey found that only 45% of SMEs have policies and training in place to help employees spot AI-generated scams, even as concern about AI-driven threats rose from 65% last year to 72% this year.

Just over a quarter (26%) of Canadian businesses had written policies for cyber security in place in 2023, unchanged from 2021. The use of cyber risk insurance has increased, with 22% of businesses now carrying such policies, up from 16% in 2021. Coverage typically includes direct losses from incidents (53%), restoration expenses (44%), business interruptions (39%), and financial losses (38%).

“Cyber threats can lead to serious financial and legal issues for SMEs – issues that regular business insurance often doesn't protect them from,” said Mahan Azimi, Director, Catastrophic and Emerging Risk Policy at IBC. “Responding to an attack may require hiring experts like forensic investigators, lawyers and public relations professionals, which can be extremely costly for businesses that don't have dedicated cyber insurance. A stand-alone cyber policy can also help cover costs associated with lost income, recovery efforts and legal liabilities.”

Third-party cyber risk is also a growing concern, as more businesses rely on vendors, cloud services, and outsourced IT providers. Twenty-seven percent of respondents expressed worry about potential lawsuits stemming from a cyber breach, highlighting the legal vulnerabilities that can arise if a vendor breach compromises customer data.

Reporting and recovery: a mixed picture

Reporting of cyber incidents to police services increased in 2023, according to Statistics Canada, with about 1 in 8 (13%) impacted businesses making reports, up from 10% in 2021.

The leading reasons for reporting were incidents involving theft of money or ransom demands (56%), and theft of personal or financial information (33%).

Among those who did not report all incidents, the most common reasons were that incidents were resolved internally (55%), considered too minor (35%), or handled through IT consultants or contractors (31%).

“A cyber breach is not just a compromised website or lost data; it's a business crisis that can impact your reputation and harm anyone whose data you may hold,” said Azimi.

 
