McCarthy Tétrault

Cyber Insurance Trends: 2026 Privacy Breach Insights – Part 5


May 7, 2026

This article is part of our 2026 Data Breach Insights series, designed to help companies navigate the evolving data breach landscape. Explore the full series.


Over the past year, the rising costs of data breaches, AI-leveraged cyber attacks, and heightened regulatory scrutiny have created a complex cyber security landscape where cyber insurance forms a critical component of enterprise risk management. At the same time, market and legal developments are reshaping both insurer expectations and policyholder obligations. Understanding the impact of these trends and evaluating coverage options and policy exclusions that are best suited to the specific risks facing a company is critical when selecting the appropriate cyber insurance products.

The following key developments will contribute to shaping the cyber and data protection insurance landscape for 2026:

  • Escalating Cost of Breaches: The financial risks of cyber security incidents remain severe, as the average cost of data breaches continues to increase. Canadian organizations paid an average of “CA $6.32 million per data breach” in 2024, with the financial sector paying the highest average at $9.28 million.[1] Given the direct and indirect financial impact that can stem from breaches, companies should consider their insurance provider as a part of their incident response plan and be prepared to contact them immediately following a data breach incident.
  • AI Cyber Attacks as a Growing Peril: Cyber attacks are becoming more sophisticated, as generative AI tools enable “more convincing and scalable social engineering attacks” such as deepfakes.[2] Threat actors are also able to leverage AI tools to increase their capacity to discover and exploit technical vulnerabilities. Cyber insurance products are beginning to evolve to reflect these new exposures, with some carriers offering “stand-alone AI policies” or specific endorsements to cover AI-based losses.[3]
  • Evolving Ransomware Tactics: Ransomware remains a major cyber crime threat and the primary driver of large claims, with criminal enterprises becoming highly professionalized, globalized, and adaptive through the use of double and triple extortion tactics.[4] While the number of reported cyber extortion events declined by one-third, extortion payments remain significant, with average payments for Canadian victims reaching $1.13 million in 2023.[5]
  • The SME Insurance Gap: Small and medium-sized enterprises (SMEs) remain significantly underinsured, with estimates suggesting that only about 12% of Canadian small businesses have standalone cyber insurance coverage.[6] This is particularly concerning as the majority of SME respondents believe their business is too small to be targeted, despite being increasingly targeted due to having weaker defenses.[7]
  • Stricter Underwriting Requirements: Policies increasingly require companies to implement and maintain baseline cyber security controls, such as multi-factor authentication (MFA), regular data backups, and employee training, as conditions of coverage.[8] Failure to implement MFA was recently used as grounds by an insurer to deny a Canadian organization’s claim after it experienced a major cyberattack.[9]
  • Defined Scopes of Coverage: Coverage and policies should be selected in a way that adequately mitigates the costliest risks and most prominent vulnerabilities facing an organization and the sector it operates in. Companies should explore and understand whether covered costs include coverage for ransom payments, wire fraud, costs to restore systems from backups, legal expenses, and credit monitoring and identity theft insurance. Insurance for business losses stemming from a data breach, which may be significantly larger than the cost of a ransom payment, tends to be offered as a standalone product. Companies must understand whether insurance policies appropriately cover losses for a particular corporate structure, and recognize that different deductibles may apply for parents and subsidiaries. Similarly, companies should also be aware of when claims would be more adequately covered under other insurance policies, such as errors and omissions or general liability insurance.
  • Heightened Regulatory Risk: Regulatory oversight is tightening globally. In Quebec, Law 25 has introduced strict breach‑reporting obligations and significant administrative and penal fines for non‑compliance, while at the federal level, Bill C‑8 and the proposed Critical Cyber Systems Protection Act (CCSPA) would impose enhanced incident‑reporting obligations on designated operators of federally-regulated critical infrastructure that would be backed by significant fines. At the same time, policy coverage for regulatory risk has generally “become more restrictive” as underwriters grow concerned about increasing costs from “investigations, settlements, fines, and penalties.”[10] See Part 2 of this series for a more detailed discussion of these regulatory developments.

Canadian courts have issued recent notable decisions that may be helpful in evaluating the scope of exclusions applicable to cyber insurance products:

  • Panasonic Canada Inc. v XL Specialty Insurance Company, 2025 ONSC 4407: Following a malware attack, Panasonic sought indemnity for costs including the purchase of 140 replacement laptops to prevent reinfection of the repaired network.[11] Panasonic sought coverage for that cost and other expenses under its policy, including the cost of hiring security and legal firms to disconnect its systems and perform forensics. Panasonic made its claims under policy sections for third party liability, data breach response, and crisis management, and first party coverage, which stipulated that a 1.5 million USD retention should apply.[12] The insurer argued that a “$3 million USD retention” should apply because the incident was a “ransomware event loss”, governed by a specific endorsement in the policy (Endorsement 23).[13] The Court held that the lower retention applied, given the restrictive definitions in Endorsement 23. The Court further held that, absent a clear limitation, policyholders may choose a claim path that is “more advantageous to themselves” and that the policy covered the purchase of new laptops as a “reasonable and necessary” mitigation expense.[14]
  • Emond v. Trillium Mutual Insurance Co., 2026 SCC 3: While Emond pertains to a home insurance policy, the Supreme Court offered useful guidance on contractual interpretation for insurance policies more broadly. The court held that endorsements are not “standalone contracts” but are “built on the foundation of the policy,” meaning general exclusions continue to apply unless the endorsement explicitly states otherwise.[15] Policyholders should understand that the “nullification of coverage doctrine” has a high bar; it only applies if an exclusion would “completely defeat the very objective” of the coverage, rather than merely reducing the amount of recovery.[16]

As threats grow more sophisticated and regulatory scrutiny increases, companies face greater legal, financial, and operational risks. To help you stay ahead of these challenges, each part of this series provides actionable insights on data breach preparedness, compliance obligations, and risk mitigation. Explore the full series here.

What we mean by “data breach”

When people hear “data breach,” they often think only of incidents involving personal information. In this series, we use the term more broadly. We’re looking at any security incident where sensitive or confidential data is accessed, exfiltrated, published, changed, wiped, or made unavailable without authorization – whether that data belongs to individuals or to the business itself. That includes everything from intellectual property and financial records to operational systems taken offline by ransomware.

To learn more about how our Cyber/Data Group can help you navigate the cyber and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover, or the head of our national Insurance and Reinsurance Group, Hartley Lefton.


[1] Canadian Cybersecurity Network, The State of Cybersecurity in Canada 2025 (2025), p. 54.

[2] Insurance Bureau of Canada, The Canadian Cyber Insurance Market (October 2025), p. 12.

[3] Gallagher, 2025 Cyber Insurance Market Conditions Outlook (2025), p. 6.

[4] Insurance Bureau of Canada, The Canadian Cyber Insurance Market (October 2025), pp. 4, 13.

[5] Insurance Bureau of Canada, The Canadian Cyber Insurance Market (October 2025), pp. 4, 13; Marsh, Cyber Claims 2025: Data Privacy Remains a Challenge While Ransomware Lingers (27 January 2026).

[6] Insurance Bureau of Canada, The Canadian Cyber Insurance Market (October 2025), p. 20.

[7] Insurance Bureau of Canada, The Canadian Cyber Insurance Market (October 2025), p. 19.

[8] Insurance Bureau of Canada, The Canadian Cyber Insurance Market (October 2025), pp. 3, 9.

[9] KPMG Canada, How Audit Committees Are Leading Amid Evolving Cyber Risks (4 December 2025).

[10] Gallagher, 2025 Cyber Insurance Market Conditions Outlook (2025), p. 6.

[11] Panasonic Canada Inc. v XL Specialty Insurance Company, 2025 ONSC 4407 [Panasonic], ¶1.

[12] Panasonic, ¶1, 7-28.

[13] Panasonic, ¶2, 29-38.

[14] Panasonic, ¶64-66, 76.

[15] Emond v. Trillium Mutual Insurance Co., 2026 SCC 3, ¶36 [Emond].

[16] Emond, ¶53, 66, 110. See our blog summarizing the case: https://www.mccarthy.ca/en/insights/blogs/canadian-appeals-monitor/no-guarantees-supreme-court-defines-policy-limits-of-guaranteed-rebuilding-coverage.
