Cybersecurity has become a top concern for businesses worldwide as cybercriminals grow increasingly sophisticated, using advanced tools like AI and deepfakes to carry out more complex and damaging attacks. While nations around the world are rapidly strengthening their defences to combat these escalating threats, Canada is falling behind. Unlike many countries that have quickly adapted to evolving tech risks, Canada lacks an adequate national cybercrime centre, leaving businesses more vulnerable than ever.
This gap underscores the critical role the private cyber insurance sector plays in bridging the cybercrime void. Yet, the adoption of cyber insurance among Canadian businesses remains alarmingly low, prompting the question: Is Canada prepared to confront the growing tide of cybercrime? The outlook isn’t promising.
While countries like the United States, with its Internet Crime Complaint Center, and the UK, with Action Fraud, have established centralized bodies for cybercrime reporting and investigations, Canada continues to struggle with a fragmented and underdeveloped approach.
In 2018, the Canadian government unveiled its National Cybersecurity Strategy, which included the creation of a dedicated unit, the National Cybercrime Coordination Centre (NC3), operated by the RCMP. Yet, years later, the unit’s fraud reporting tool remains incomplete. Currently, Canadians rely on the Canadian Anti-Fraud Centre (CAFC) to report cybercrime, while the RCMP’s reporting system, promising a more streamlined process, is still in its beta phase—only able to manage a maximum of 25 reports per day.
"Canada has a massive cybersecurity problem, largely because it lacks the government resources to effectively combat cybercrime and stay ahead of criminals," pointed out Lindsey Nelson (pictured), head of cyber development at CFC.
As threat actors recognize this vulnerability, the absence of robust government support makes Canadian businesses an increasingly attractive target.
To make matters worse, the low adoption of cyber insurance among Canadian businesses is becoming an escalating concern. A report from the Insurance Bureau of Canada reveals that only 5% of Canadian businesses have cyber insurance policies in place—an alarming statistic given the mounting costs of cyber threats.
The impact is striking: the amount spent by Canadian businesses on recovering from cyberattacks doubled from approximately $600 million in 2021 to $1.2 billion in 2023.
The reasons for the low uptake of cyber insurance are varied, but a key factor, according to Nelson, is the financial strain faced by small businesses—who make up the majority of the Canadian economy. “Many simply cannot afford the cybersecurity measures they need to adequately protect themselves,” she explained.
“It’s a huge challenge to convert non-buyers and clearly demonstrate what cyber insurance can do - not just in terms of responding after an incident, but in proactively safeguarding businesses before something happens,” Nelson shared.
Much of the unaffordability surrounding cyber insurance stems from the aftermath of a hard market cycle. “In 2020, we reached a point where businesses started proactively asking for cyber insurance, rather than us having to introduce it to them. However, at that time, demand outstripped supply, making many products wildly inaccessible, and rates skyrocketed. As a result, companies that were finally ready to purchase cyber insurance were told they couldn’t, or faced significant challenges in doing so,” said Nelson.
Due to this, Nelson added that there are now fewer policyholders in the market compared to 2020, further exposing Canadian businesses.
Even as Canada attempts to recover ground with initiatives like the NC3, other countries often step in to help Canada track down cybercriminals. The US, the UK, and Australia have all been involved in multinational efforts to dismantle cybercrime operations in Canada.
Earlier this year, an investigation led by Australia and the UK successfully shut down LabHost, a phishing-as-a-service platform targeting financial institutions in Canada. “Other countries are now doing the work on behalf of Canada in absence of there being proper infrastructure in place,” Nelson said.
While the RCMP's NC3 unit is a positive step, Canada’s pace of change has historically been too slow. Cybercrime moves at warp speed, but government efforts to combat it are not moving fast enough to stay ahead.
“We need to rethink how we lead the fight against cybercrime and how we beat these threat actors,” Nelson said. “Canada is still working towards meeting that standard, let alone exceeding it.”
