Extortion and coverage creep are turning cyber into a professional risks problem in Canada

As data theft extortion surges and vendor risk grows, Canadian boards, brokers and risk managers face rising professional exposure if cyber programs lag behind the threat

By Branislav Urosevic

Canadian organizations entered 2026 facing a cyber threat landscape that looks very different from just a few years ago – and much of the risk now sits squarely on the shoulders of professionals making judgment calls in the boardroom and the brokerage, not just in the IT department.

For Miki Ho, head of underwriting, Canada, at Resilience, the most urgent shift is happening inside extortion claims.

“The transformation in extortion tactics over the last year should put all Canadian organizations on notice,” he told Insurance Business Canada.

Where ransomware once centred on encrypting systems and trading decryption keys for payment, threat actors are increasingly bypassing encryption altogether. Ho pointed to a marked change in Resilience’s own data: “We saw a dramatic shift in our portfolio in the second half of the year, with data theft extortion-only events rising from 49% of extortion claims in the first half of 2025 to 65% of extortion claims in the second half of the year.”

That evolution has direct implications for professional risk. Paying to avoid publication of stolen data does not necessarily restore control or remove regulatory obligations. Ho warned that in these cases, “payments do not always lead to the deletion of data, and companies will still need to deal with notification obligations as well as potential reputational damage.”

Those obligations sit with decision‑makers – boards, executives, risk managers and their advisers – who must approve strategy, weigh ransom demands, and manage disclosure to stakeholders. Missteps can quickly be framed as failures of governance or duty of care.

Ransomware itself, Ho stressed, is not disappearing: “Ransomware is not going away as a threat vector, but we expect this trend to continue accelerating in 2026.” The professional risk, in other words, lies in how organizations prepare for and manage these events, not whether they can wish them away.

AI attacks test culture and oversight

The rise of AI‑enabled threats – deepfakes, scalable phishing, automated exploitation – adds another layer of complexity. Yet Ho does not see them as rewriting the fundamentals of underwriting.

“Deepfakes, scalable phishing and AI-automated exploits are concerning, of course, but they don’t fundamentally change the way we should think about cyber risk or how to underwrite it,” he said.

Instead, they amplify existing weaknesses. Many of the most effective attacks, whether AI‑driven or not, seek to exploit behaviour, not technology, by tricking staff, customers or vendors into granting access or transferring funds.

“In Canada and elsewhere, the key is to make sure policyholders have appropriate controls, incident response plans and are creating a cybersecurity culture through ongoing training,” Ho said. Rudimentary social engineering and many AI-driven attacks aim at what has traditionally been the weakest link: human behaviour, he added.

That framing makes cyber maturity a professional‑risk issue for leaders responsible for training budgets, policy enforcement and culture. If awareness programs are under‑resourced or inconsistent, or if incident‑response plans exist only on paper, the argument from plaintiffs and regulators will be that governance – not just firewalls – fell short.

Ho’s prescription is clear: “Canadian organizations can strengthen their employees’ and users’ security awareness and make them part of their front-line cyber defense strategy.”

Vendor risk as a board‑level exposure

Another area where professional responsibilities are tightening is third‑party and supply‑chain risk. Breaches at service providers and software vendors can cascade quickly into client environments, raising questions about how those relationships were selected and supervised.

“Vendor risk is a key concern in the Canadian market,” Ho said.

Resilience’s approach, he explained, is to give clients a structure for understanding and managing the exposure tied to their key partners. “We provide a framework for evaluating and managing risk that comes from vendors and supply chain partners,” he said.

Security ratings offer only a snapshot. Ho argued that “where security ratings provide a static point-in-time assessment of a provider’s risk, we aim to identify and monitor key vendors so when a cyber incident does occur – however rarely or frequently with a vendor – we can help clients react and avoid losses.”

That requires a higher degree of transparency between insureds and their carriers. Ho acknowledged the instinct to share as little as possible, but challenged it: “It’s often against clients’ best instincts to share more information, but the more we understand, the better loss control we can help provide.”

For boards and risk managers, vendor governance is increasingly hard to separate from their professional obligations. Due diligence, contractual controls, and ongoing monitoring are no longer “nice‑to‑haves” when a third‑party failure can trigger regulatory investigations, shareholder questions and reputational damage.

Coverage creep, capacity and broker E&O

Ho also flagged a subtler danger: the gap between perceived and actual coverage when markets are soft and wordings are broad. That is fertile ground for professional‑liability disputes involving brokers and risk advisers.

“More so than gaps, what we see is that when there is ample capacity in the market and providers offer broad coverage, that can lead to a sense of safety that your policy will cover losses from any potential incident,” he said.

In those conditions, organizations sometimes focus more on ticking compliance boxes than on understanding their residual exposure.

That is where “coverage creep” meets underinsurance: expectations are set in a benign market, then tested when carriers rein in terms, sublimit certain perils, or apply stricter conditions after a wave of losses. For brokers, the professional‑risk question becomes whether they have clearly explained the limits of protection and how program design needs to evolve with the threat.

Ho’s advice is to maintain discipline even when capacity is abundant: “It’s important in these times to maintain a focus on loss control and reducing your company’s financial exposure to risk.”

A higher standard of care for 2026

When asked what he would change in Canadian cyber programs this year, Ho’s answers read like a checklist for a defensible professional standard of care.

Looking ahead, Ho argues that brokers and risk managers will be judged less on whether they bought a cyber policy and more on how well they understood and communicated the risk. That starts with staying close to what is happening across the business and its ecosystem – not only current operations, but upcoming changes such as acquisitions, new digital initiatives or shifts in key suppliers that could quietly expand the organization’s exposure beyond what its usual internal assessments capture.

He also stresses the importance of putting hard numbers around those exposures so the threat can be discussed with executives and boards in the same financial language as other strategic risks. In his view, cyber programs are strongest when the insurance relationship reflects that broader mindset: partners who look at risk holistically, stay engaged over the life of the policy, and work with clients on loss‑prevention and response, rather than appearing only at renewal to talk limits and price.

Each point ties cyber directly to professional judgement: staying abreast of business change, presenting quantified risk to leadership, and selecting partners who can support continuous improvement rather than just sell limits.
