Who This Guide Is For

This comparison is for business owners and IT decision-makers evaluating whether cyber insurance is worth the cost. If you've been putting off the decision, had your premiums go up, or been told by a client or vendor that you need coverage, this guide lays out what's involved, including the IT controls you'll need regardless of whether you buy a policy.

The Case for Cyber Insurance

Breach Costs Are Real

The average cost of a data breach for organizations with fewer than 500 employees was $3.31 million globally in 2024 (IBM Cost of a Data Breach Report, 2024). For Canadian SMBs specifically, the range is more modest but still painful: $120,000 to $400,000+ when you include forensic investigation, legal counsel, customer notification, business interruption, and reputation damage.

These aren't abstract numbers. A ransomware attack that encrypts your file server means your team can't work. A compromised email account that sends fraudulent invoices to your clients means legal liability. A breach of personal information triggers PIPEDA notification requirements and potential regulatory action.

Insurance doesn't prevent these incidents. It covers the financial fallout when they happen.

What a Typical Policy Covers

Cyber insurance policies generally cover two categories:

First-party coverage (your direct costs):

• Forensic investigation to determine what happened
• Data recovery and system restoration
• Business interruption losses while systems are down
• Ransom payments (where legally permitted and advisable)
• Notification costs to affected individuals
• Credit monitoring for affected parties
• Public relations support

Third-party coverage (claims against you):

• Legal defense costs from lawsuits by affected parties
• Regulatory fines and penalties
• Settlement payments
• Media liability (in some policies)

Most policies also give you access to an incident response team: forensic investigators, breach attorneys, and PR advisors who have handled hundreds of incidents. When you're in the middle of a breach, having experienced people on call is worth more than the money.

What's Typically NOT Covered

Read your policy carefully. Common exclusions include:

• Pre-existing vulnerabilities you knew about but didn't fix
• Unpatched systems where the vendor had released a fix
• Acts of war: some insurers have invoked this for state-sponsored attacks
• Intentional acts by your own employees (insider threats may or may not be covered depending on the policy)
• Social engineering losses (wire fraud, BEC scams): sometimes covered only with a specific endorsement
• Infrastructure failures unrelated to a cyber event
• Retroactive dates — incidents that occurred before your policy start date

The exclusions matter. An insurer can deny a claim if they find you weren't maintaining the security controls you attested to on your application.

The Case for Self-Insuring

Self-insuring means accepting the financial risk of a cyber incident yourself instead of transferring it to an insurer. For some businesses, this makes sense:

• Very small operations (under 10 employees) with minimal sensitive data and low revenue may find that premiums aren't justified by their actual risk exposure
• Cash-rich businesses that can absorb a six-figure loss without threatening operations
• Businesses with minimal client data that primarily handle internal operations

But be honest about your risk. "We're too small to be a target" is not a security strategy. Automated attacks don't check your employee count. Ransomware doesn't care about your revenue.

What Insurers Require (and Why It Matters Either Way)

Here's the part that surprises most businesses: the IT controls insurers require are the same controls you should have regardless of whether you buy a policy.

The Controls Most Insurers Look For

Multi-factor authentication (MFA) Required on email, VPN/remote access, and admin accounts. This is non-negotiable for most insurers in 2024-2026. MFA blocks over 99% of credential-based attacks (Microsoft Digital Defense Report, 2024).

Endpoint detection and response (EDR) Traditional antivirus isn't enough. Insurers want EDR tools that can detect and respond to threats in real time. Products like Huntress, CrowdStrike, or SentinelOne are common examples.

Regular offsite backups with tested recovery Backups must be stored offsite (or in the cloud), isolated from your main network, and regularly tested. "We have backups" doesn't satisfy insurers. "We tested a full restore last quarter and it completed in 4 hours" does.

Security awareness training Employee phishing simulations and regular training sessions. Most breaches start with a person clicking something they shouldn't have. Insurers know this.

Patch management A documented process for applying security updates within a reasonable timeframe: typically 30 days for standard patches, 72 hours for critical vulnerabilities.

Incident response plan A written plan that defines who does what during a security incident. Doesn't need to be a 50-page document. A clear rundown of roles, communication procedures, and escalation paths is sufficient.

Why These Controls Matter Without Insurance

Even if you decide not to buy a policy, implementing these controls dramatically reduces your risk:

• MFA stops most credential-based attacks
• EDR catches threats that bypass email filters and firewalls
• Tested backups mean ransomware is an inconvenience, not a catastrophe
• Trained employees are less likely to click phishing links
• Patched systems have fewer exploitable vulnerabilities
• An incident response plan means you don't waste the critical first hours of a breach figuring out what to do

The controls are valuable independently of insurance. Insurance is the financial backstop for when good controls aren't enough.

The Application Process

Applying for cyber insurance is more involved than it used to be. After the ransomware surge of 2020-2022, insurers tightened their requirements considerably.

What to Expect

1. Questionnaire: You'll fill out a detailed form about your IT environment: number of employees, revenue, industry, what security controls you have, whether you've had prior incidents. Be honest. Misrepresentations can void your policy.

2. Technical verification: Some insurers verify your answers. They may scan your external attack surface, check if MFA is enabled on your email domain, or ask for evidence of specific controls.

3. Underwriting: The insurer evaluates your risk profile and sets your premium. Better controls = lower premiums. A business with MFA, EDR, tested backups, and employee training will pay meaningfully less than one with just antivirus.

4. Policy issuance: Once approved, you receive your policy with specific terms, coverage limits, deductibles, and exclusions.

How to Prepare

Before applying:

• Enable MFA on all email and remote access accounts
• Deploy EDR on all endpoints
• Verify your backup and recovery process works (test it)
• Run at least one phishing simulation for your team
• Document your incident response procedures
• Know your patch management cadence

If you're missing several of these, get them in place before applying. Applying with weak controls either gets you denied or results in higher premiums and more exclusions.

Cost Factors

Several factors affect your premium:

• Industry: Healthcare, financial services, and legal firms pay more due to regulatory exposure and sensitive data
• Revenue: Higher revenue generally means higher premiums (more at stake)
• Employee count: More people = more attack surface
• Claims history: Prior incidents increase your premium
• Security controls: Stronger controls reduce your premium
• Coverage limits: Higher limits cost more (most SMBs carry $1M-$5M in coverage)
• Deductible: Higher deductible = lower premium (typically $2,500-$25,000 for SMBs)

For Calgary businesses specifically, premiums have been rising alongside the national trend, but businesses with strong IT controls are still getting reasonable rates.

Our Honest Recommendation

For most Calgary businesses with 10+ employees that handle any client data, cyber insurance is worth the cost. The annual premium is a fraction of what a breach would cost, and the IT controls required to qualify make your business more secure regardless.

The businesses we'd hesitate to recommend insurance to are very small operations (under 10 people) that handle minimal sensitive data and have low revenue. For those businesses, the premium might not be justified, but the security controls still are.

If you're unsure where your IT stands relative to what insurers require, take our free IT security assessment. It evaluates your environment against the same frameworks insurers use (NIST, CIS Controls) and shows you exactly where the gaps are.

We don't sell cyber insurance. We implement the IT controls that help you qualify for it and keep your premiums down. For details on our security capabilities, see our cybersecurity services or contact us for a free consultation.