Cyber is consistently named a top business risk, yet most Canadian companies still don’t buy standalone cyber insurance. For Lindsey Maher (pictured), head of global cyber development at CFC, that disconnect has less to do with denial – and more to do with an insurance market that still isn’t built for small and mid‑sized businesses.
Maher estimates that only 10–15% of Canadian companies buy standalone cyber cover, compared with 30–40% in the US. That’s despite the fact that most business leaders now put cyber in their top three concerns, if not number one.
“The disconnect isn’t because Canadian businesses don’t believe in the risk,” she said. “It’s because many still see cyber as something they can control through people and processes, so they invest in prevention rather than risk transfer. At the same time, many brokers don’t feel confident enough to lead the conversation, and when cyber isn’t explained well, clients default to inaction.”
That gap is now starting to narrow. CFC has seen Canadian new‑business cyber submissions grow almost 50% in the past 12 months, which Maher links to brokers changing their behaviour and markets rediscovering the SME segment.
“Cyber is at an inflection point in Canada,” she said. “We’re seeing brokers proactively leading renewal discussions with cyber, and there’s a renewed focus by the market on the SME segment.”
Maher pushes back on the idea that smaller firms don’t understand cyber risk or are complacent.
“SMEs aren’t falling short because they don’t understand cyber risk, they’re falling short because the industry hasn’t built products or processes designed for them,” she said. “Most SMEs absolutely grasp the threat and routinely put cyber risk in their top three, if not number one business risk – but they’re handed policies built for large enterprises, underwriting that feels like a technical exam, and long questionnaires that price them out before they even start.”
At CFC, she said, the company has taken almost the opposite route for smaller risks.
“For the SME segment, our underwriting requirements are often limited to simply the insured’s website address,” she said. “That removes the accessibility barrier to accessing a vital product and has worked effectively without compromising profitability for the last six years because of the investments we’ve made in our Proactive division.”
That Proactive division, which combines scanning, monitoring and intervention, has changed the profile of the portfolio.
“We are now at the stage in the market where we’re notifying clients of their threats and vulnerabilities at double the rate the clients are notifying us of a suspected or actual incident,” Maher said. “Once they become a policyholder and have access to enterprise‑grade security teams that come with many cyber insurers, the business becomes an infinitely better risk.”
One of Maher’s main criticisms is that insurers too often treat SMEs as just scaled‑down corporates.
“Insurers have a tendency of treating SMEs as ‘smaller big businesses,’ stripping coverage for simplicity instead of redesigning it for reality,” she said. “What needs to change is the mindset: SME cyber should be treated as a risk‑improvement lifecycle, not a pass‑fail test.”
The controls expected of larger organisations – dedicated CISOs, 24/7 SOCs, fully segmented networks – are not realistic for a ten‑person manufacturer or a local professional firm, she noted. Trying to underwrite those businesses against large‑corporate checklists simply drives them away.
“If we want penetration to grow in Canada, we have to make cyber easier to buy, easier to understand, and easier to improve over time,” Maher said.
Brokers, she argued, are critical to closing the gap, but many are still too tentative.
“Too often cyber is discussed as a tick‑box discussion rather than advised,” she said. “The services wrapped around the wording – such as Proactive and incident response – are under‑sold, and client misperceptions go unchallenged.”
That is beginning to change as the broader commercial market softens.
“In the last six to eight months, brokers are capitalising on the fact that rates are softening on other product lines,” Maher said. “That ultimately means clients have more budget to allocate to a new product line while brokers seek to build on their own organic growth.”
For Maher, the formula to grow Canadian cyber penetration is straightforward, even if execution is not.
“Cyber insurance uptake fails when no one explains why transferring that risk actually matters,” she said. “When insurers remove the unnecessary friction and brokers clearly articulate the value beyond just limits and price, SMEs are more than willing to engage – because they already believe cyber is a top risk. They’re just waiting for a product and a process that feels like it was built for them.”
