Small and medium-sized enterprises (SMEs) in Canada may be dangerously underestimating their exposure to cyber risk, leaving many without adequate defences or insurance coverage, according to a new survey commissioned by the Insurance Bureau of Canada (IBC).
The survey found that fewer than half of SME respondents (48%) believe their business is vulnerable to a cyber attack or data breach. Only 6% strongly agreed their company could be at risk, despite data from the Business Development Bank of Canada showing that nearly three-quarters of small businesses have already experienced a cyber security incident.
While two-thirds of SMEs expressed confidence in their ability to withstand a breach, only 47% said they were prepared for one. Even more concerning for insurers, uptake of cyber coverage remains low. Just 22% of respondents carry any form of cyber insurance, and only 12% hold a dedicated stand-alone policy.
By contrast, larger corporations are increasingly embedding cyber risk into board-level strategy, often backed by stand-alone cyber programs with higher coverage limits, dedicated incident response teams and structured risk quantification. The gap suggests that many SMEs are lagging behind in resilience planning, despite facing similar threats.
Mahan Azimi, director of catastrophic and emerging risk policy at IBC, said the consequences of a breach are often underestimated. Regular business insurance typically does not cover the cost of forensic investigators, legal counsel or public relations support, all of which may be required after an incident. Stand-alone cyber policies, he said, are designed to cover these expenses as well as losses from income disruption and recovery efforts.
Emerging technologies are adding another layer of complexity. Seventy-two per cent (72%) of SME respondents said artificial intelligence (AI) and other tools could make protecting against cyber risk more difficult, up from 65% last year. Yet only 45% have training or policies in place to help employees identify AI-generated scams.
Third-party risks also stand out. More than one in four SMEs (27%) said they are worried about lawsuits tied to breaches, particularly as reliance on outsourced IT providers, cloud services and vendors grows. This mirrors challenges faced by larger corporations, though SMEs typically lack the resources and dedicated teams that help mitigate such risks.
IBC has developed a free Cyber Insurance Guide to help business owners understand coverage options, the application process and practical steps to improve cyber resilience.
Azimi said that for SMEs, cyber incidents should be viewed not just as IT disruptions but as business crises with legal, financial and reputational consequences. He noted that larger organizations are increasingly treating cyber resilience as a competitive differentiator, and SMEs need to take similar steps if they want to withstand a growing wave of attacks.
