Canada's Rajiv Gupta, head of the Canadian Centre for Cyber Security, put his name on a joint statement this week alongside intelligence chiefs from the US, UK, Australia and New Zealand. The message was direct: AI is "fundamentally transforming both offensive and defensive cyber capabilities," and the timeline is not years - it is months.
Canada's cyber insurance market is on a strong growth trajectory - projected to surpass US$590 million and reach US$1.14 billion by 2030 according to industry analysis - but that growth is happening against a threat environment moving faster than most pricing models reflect.
The Five Eyes warning follows a pattern of escalating concern the Canadian market has already been tracking. At the NetDiligence conference in Toronto earlier this year, cyber leaders warned that Anthropic's Mythos model and associated research should be seen as "a genuine turning point rather than an abstract laboratory exercise." The concern isn't just theoretical - today's most visible AI-driven threat is already social engineering, with phishing and impersonation schemes far more polished and convincing than anything seen before.
The Canadian Anti-Fraud Centre reported that Canadians lost over $638 million to fraud and cybercrime in 2024 alone, with identity fraud topping the list. AI has made those schemes faster, cheaper and harder to spot. BOXX Insurance's cyber risk director Neal Jardine put it plainly: "Attackers are using AI to map real-world relationships and craft messages that feel authentic."
Coverage is also under pressure. Paige Cheasley, national technology practice leader at Gallagher Canada, told Insurance Business this week that when AI gets it wrong, the company carries the liability - regardless of whether the failure was human or algorithmic. One in five insurance professionals already report a client has experienced a loss linked to AI risk. Exclusionary language is coming, but carriers are hesitant to move first.
Casper Rogers, Senior Broker at Assured, warns insurers may revisit language akin to Chubb's previous Widespread Vulnerability Exclusion to limit aggregated exposure from mass incidents. Tim Johnson, Partner and Head of Insurance at law firm Browne Jacobson, adds a subtler concern: many cyber policies define a hacker as a person, meaning some wordings may simply not pick up an AI attacker, with unintended consequences either way.
Jeffrey Gonlin, chief underwriter at Emergence Insurance, captured why that hesitation may not last. AI-driven cyber criminality, he argued, is not a new threat category so much as an accelerant applied to existing ones: "It might be that AI just makes everybody a super cyber criminal, and that turbocharges everything." Until wordings catch up, Ed Ventham of Assured has a practical steer: "We would encourage businesses to be asking for AI to be affirmatively covered within their policy to avoid any potential knee-jerk changes from a potential upcoming and heightened risk landscape."
Johnson also points to a broader problem AI attacks will amplify: clients assuming that having a cyber policy means having cyber cover. "Cyber cover is shorthand for a whole load of different cyber-based coverages," he said. With more attacks and more victims, that gap will become harder to ignore, and harder to defend.
Brokers should be stress-testing the Five Eyes' five steps with clients at every renewal: reduce attack surfaces, patch faster, deal with legacy systems, lock down access controls, plan for incidents. Cyber insurance works best as a resilience tool. Those conversations can't wait for the losses to come first.
