Cyber Insurance Facts vs Myths: 10 Common Myths Businesses Still Believe

Morison Insurance Hero Header

How to Read This Guide 

  • Every myth is immediately followed by the fact that replaces it. 
  • Facts reflect current cyber risk trends, not assumptions from a decade ago. 
  • While specific coverage details vary by policy and insurer, the principles outlined here are consistent across the Canadian market. 
  • If any section raises questions about your own coverage, that's a good sign it's worth a conversation with a broker. 

Why Cyber Insurance Myths Persist

Cyber threats have evolved faster than most business owners' understanding of the insurance that covers them. Many of the assumptions businesses carry about cyber insurance were formed years ago, before ransomware became routine, before data breach costs soared, and before even a small restaurant or accounting office became a worthwhile target for automated attacks. The result is that outdated thinking leads to underinsurance, or no coverage at all. 

Getting the cyber insurance facts right matters because the gap between myth and reality is where financial risk lives. This article separates common misconceptions from the actual facts, using current data and real-world scenarios, so Canadian businesses of all sizes can make informed decisions about their commercial insurance coverage.

MYTH 1: Cyber Attacks Are Rare

FACT: Cyber incidents are now one of the most common business risks Canadian organizations face. 

The idea that cyber attacks are rare simply doesn't hold up against current data. Breaches, ransomware incidents, and phishing campaigns have become a routine feature of the modern threat landscape, affecting organizations across every sector and every size. Criminals have industrialized the process, running automated scans that probe thousands of systems simultaneously in search of any exploitable weakness. 

IBM's 2025 Cost of a Data Breach Report found that the average cost of a Canadian data breach rose 10.4% to CA$6.98 million, even as global breach costs declined, a sign that Canadian organizations are both more frequently targeted and slower to contain incidents than their global peers. 

MYTH 2: Cyber Criminals Don't Target Small Businesses

FACT: Small businesses are frequently targeted precisely because they tend to have weaker defences. 

Modern cyber attacks are largely automated and opportunistic. Criminals don't manually select their victims, they run tools that scan networks at scale, looking for the path of least resistance. Small businesses, which often lack dedicated IT security teams or robust controls, make attractive targets. 

Verizon's 2025 Data Breach Investigations Report found that ransomware appeared in 88% of SMB breach incidents, compared to just 39% at larger organizations. The assumption that flying under the radar offers protection is one of the most dangerous cyber insurance myths a business owner can hold. 

MYTH 3: My Business Doesn't Have Valuable Data 

FACT: Almost all business data has value to cyber criminals, often in ways that aren't obvious. 

Criminals aren't only looking for financial records. Employee names, email addresses, and login credentials can be used to launch social engineering attacks against your staff or customers. Invoicing systems can be manipulated to redirect payments. Email account access can be used for business email compromise fraud. Even basic operational data can be held for ransom, bringing your business to a standstill until you pay to regain access. If your business uses a computer, processes an invoice, or stores any information about another person, you have data worth protecting. 

MYTH 4: Cyber Losses Are Covered by General Liability Insurance 

FACT: CGL policies do not cover most cyber-related losses, and many explicitly exclude them. 

This is one of the most financially costly cyber insurance myths for businesses to discover after the fact. Commercial general liability insurance is designed for claims involving third-party bodily injury, property damage, and advertising injury. It was not written with data breaches, ransomware payments, or forensic investigations in mind, and most CGL policies either exclude these events entirely or offer no meaningful coverage for them. Businesses that assume their existing commercial general liability insurance will respond to a cyber incident often find themselves facing the full cost of recovery with no insurer support. A commercial cyber insurance policy is required to provide the proper protection.

MYTH 5: Cyber Insurance Only Covers Lawsuits 

FACT: Cyber insurance typically goes far beyond litigation support, covering breach response from start to finish. 

A cyber insurance policy is more accurately thought of as an incident response resource than a litigation backstop. 

Coverage often includes access to cybersecurity forensics experts to investigate the breach, legal counsel to navigate notification requirements, public relations support to protect your reputation, and assistance with the regulated breach response process under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Having these resources available immediately after an incident can make a significant difference in how quickly, and how completely, your business recovers

MYTH 6: Strong IT Security Means I Don't Need Cyber Insurance 

FACT: Cyber insurance complements your security measures. It doesn't replace them, and security alone isn't enough. 

Good cybersecurity practices are essential, but no system eliminates risk entirely. The most consistently exploited vulnerability in any organization isn't a software flaw; it's people.

According to Verizon's 2024 Data Breach Investigations Report, the human element was involved in the majority of confirmed breaches, through phishing, social engineering, and accidental data disclosures, regardless of how well-configured the underlying systems were.

Cyber insurance exists for the incidents that happen despite your best efforts. Think of it the same way you think of fire suppression systems and property insurance; one doesn't make the other unnecessary.  

MYTH 7: My IT Vendor's Insurance Covers Me 

FACT: Businesses remain responsible for their own data, regardless of who was managing it. 

Outsourcing your IT operations doesn't outsource your liability for the data in your care. Most IT vendors include contract clauses that significantly limit what they can be held responsible for, even when a breach originates from their systems or negligence. The shared responsibility model that governs most cloud and managed service arrangements places meaningful obligations on your side as well. Without your own cyber insurance policy, you may have no practical recourse for recovery costs even when a third party was at fault. 

MYTH 8: Indemnification Clauses Fully Protect My Business 

FACT: Legal costs accumulate even when indemnification applies, and enforcing a contract isn't free. 

Indemnification clauses are meaningful protections, but they don't make a breach costless. If you need to enforce that clause in court, you still need legal representation. If the other party disputes the claim, you're in litigation while your business recovers from an incident. Cyber insurance provides the financial backing to navigate these situations without those legal costs compounding the damage already done by the breach itself. 

MYTH 9: Cyber Insurance Is Too Expensive 

FACT: The cost of a single incident is almost always far greater than the annual cost of coverage. 

Cyber insurance premiums vary based on the size of your business, the data you hold, and your existing security practices, but for most small and mid-sized businesses, the annual cost is a fraction of what a single incident would cost to resolve out of pocket.  

Consider that breach-related expenses can include forensic investigation, legal counsel, regulatory notifications, public relations support, ransom negotiation, and business interruption losses, all before any litigation is factored in, and even incidents well below that average routinely run into hundreds of thousands of dollars.  

Reviewing your coverage options with a broker is the most reliable way to understand what cyber insurance would actually cost your specific business. 

MYTH 10: Basic Cyber Coverage Is Enough 

FACT: Minimal or off-the-shelf coverage often leaves significant gaps that only become apparent during a claim. 

Not all cyber insurance policies are the same, and a policy that looks adequate on paper may exclude specific scenarios such as internal threats, supply chain incidents, social engineering, or certain regulatory obligations, that are directly relevant to your business.

Coverage needs vary based on industry, the type of data you handle, your reliance on third-party vendors, and the nature of your operations. A business that processes payments online has different exposure than a professional services firm that handles sensitive client files. 

Understanding what your policy actually covers, and what it doesn't, is as important as having a policy at all. 

When Cyber Insurance Is Worth Reviewing 

If any of the following describes your business, a conversation with a broker about cyber insurance coverage is well worth your time: 

  • You handle customer or employee personal information in any form. 
  • Your business accepts online payments or stores payment data. 
  • You rely on cloud-based tools, third-party software, or managed IT services. 
  • Your operations depend heavily on email, digital communications, or connected devices. 

For businesses that fit these descriptions, which is most businesses operating today,  commercial cyber insurance is worth reviewing as part of your overall risk management program. 

Separating Cyber Insurance Myths from Reality 

Understanding the facts is the first step to protecting your business from modern cyber risks. Cyber insurance isn't a product reserved for tech companies or large enterprises; it's a practical, increasingly necessary layer of protection for any business that operates digitally, handles data, or works with third-party vendors. 

If you have questions about what cyber insurance coverage would look like for your business, the commercial brokers at Morison Insurance are here to help you understand your options and find coverage that fits your actual risk exposure, not just the minimum on offer. 

Copyright ©  2026  Morison Insurance Brokers Inc.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram