A few years ago, cyber liability insurance was an optional add-on that most small businesses skipped. That has changed dramatically. Ransomware attacks, phishing breaches, and business email compromise incidents now hit companies of all sizes — including small and mid-sized businesses in Metro Vancouver — and the financial impact of a single incident can be devastating without coverage.

At the same time, insurers have significantly tightened their requirements. Getting a policy now requires demonstrating actual security controls, not just checking a box.

What Cyber Liability Insurance Actually Covers

A standard cyber liability policy for a Canadian business typically includes several key areas of coverage:

  • Incident response costs: Forensic investigation, breach notification, legal advice, and public relations support following a cyberattack or data breach.
  • Business interruption: Lost revenue and extra expenses incurred while your systems are down or recovering from an attack.
  • Ransomware and extortion payments: Coverage for negotiation costs and, in some policies, the ransom payment itself (though this is increasingly subject to conditions).
  • Data recovery: Costs to restore or recreate lost or corrupted data after an incident.
  • Third-party liability: Claims from clients, customers, or partners whose data was compromised in a breach that originated from your environment.
  • Regulatory fines and penalties: Some policies cover fines from PIPEDA, PHIPA, or other privacy regulators following a reportable breach — though this varies significantly by policy.

Important: Standard commercial general liability (CGL) insurance does not cover cyber incidents. If your business handles client data, patient records, financial information, or credit card numbers and relies on your general business insurance alone, you are likely unprotected.

What Insurers Are Now Requiring to Qualify

Insurers have significantly raised the bar for coverage in recent years. Businesses that cannot demonstrate basic security controls are either being declined or offered limited coverage at much higher premiums. Here is what most underwriters are now checking:

  • Multi-Factor Authentication (MFA): Required on email, VPN, remote access, and administrative accounts. This is now non-negotiable for most insurers.
  • Endpoint Detection & Response (EDR): Basic antivirus is no longer sufficient. Insurers want behavioural detection tools that can identify and contain threats in real time.
  • Tested Backups: Not just that backups exist, but that restores have been tested. Offline or immutable backups are increasingly required for higher coverage limits.
  • Patch Management: Evidence that operating systems and software are updated on a regular schedule and that known vulnerabilities are addressed promptly.
  • Privileged Access Controls: Administrator accounts should be separate from daily user accounts. Access to sensitive systems should be restricted to those who need it.
  • Email Security: SPF, DKIM, and DMARC records configured correctly. Anti-phishing policies in Microsoft 365 or Google Workspace.
  • Incident Response Plan: A documented process for what to do if a breach occurs — who to call, who makes decisions, and how to contain and report an incident.
  • Security Awareness Training: Evidence that staff have received phishing simulation and security training within the past 12 months.
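To make the "configured correctly" bar for the SPF and DMARC records above concrete, here is an added example (not Hexafusion's tooling) that evaluates sample records the way an underwriter's review would. The domains and TXT records in SAMPLE_TXT are constructed; a real check would replace that dictionary with DNS lookups.

```python
import re

# Constructed sample DNS TXT answers (made-up domains, not real lookups).
# A real check would replace this dict with DNS queries for each name.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"],
    "weak.test": [
        "v=spf1 a mx +all",                        # +all authorises every sender
        "v=spf1 include:_spf.google.com ~all",     # a second SPF record is itself an error
    ],
    "_dmarc.weak.test": [],                        # no DMARC record published
    "monitor.test": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.monitor.test": ["v=DMARC1; p=none"],   # monitoring only, no enforcement, no reports
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_domain(domain: str, txt=SAMPLE_TXT) -> list:
    """Return the findings an underwriter-style review of SPF and DMARC would raise."""
    # DKIM is not checked: its key sits under a selector (selector._domainkey.domain) the caller must know.
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record published")
    elif len(spf) > 1:
        findings.append("SPF: more than one record (receivers treat this as a permanent error)")
    elif re.search(r"\s\+?all$", spf[0].lower()):
        findings.append("SPF: ends in +all, which authorises any sender")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record published")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={tags.get('p', 'missing')} does not block spoofed mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so no aggregate reports to evidence monitoring")
    return findings
```

An empty list from evaluate_domain means the domain meets the bar described above; each finding names the record and the specific gap to fix.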

What Does Not Qualify as Cyber Coverage

Even with a policy in place, claims can be denied if:

  • You represented your security controls inaccurately on the application (e.g., claimed MFA was in place when it was not)
  • A vulnerability was known and left unpatched for an extended period
  • The incident was caused by a contractor or third party and your due diligence was insufficient
  • Your backups were stored on the same network as the compromised systems and were also encrypted by ransomware

How a Managed IT Provider Helps You Qualify

Working with an MSP directly improves your insurability. At Hexafusion, we help BC businesses implement and document the exact controls that underwriters look for:

  • MFA deployment across Microsoft 365, VPN, and admin accounts
  • EDR rollout and management on all endpoints
  • Backup deployment, monitoring, and quarterly restore testing
  • Email security configuration (DMARC, DKIM, SPF, anti-phishing policies)
  • Documented patch management process
  • Security awareness training programs
  • Written incident response procedures

When you renew or apply for cyber insurance, we can provide documentation of the controls in place in your environment — which both supports your application and often reduces your premium.

Find Out If Your Business Would Qualify Today

Our free 2-minute security assessment covers the exact controls insurers check. Get your score instantly and see where your gaps are before your next renewal conversation.

