First, the bad news: family offices have become common targets for cyberattacks. According to a 2024 global survey by Deloitte, 43 per cent of family offices were victims of cyberattacks over the previous one to two years, and a quarter had experienced three or more attacks. Of those targets, a third suffered some form of loss as a result, with about 20 per cent experiencing a financial loss.
Now, the good news: cyber insurance can help mitigate the losses that can arise from cyberattacks. According to the TELUS Canadian Cyber Insurance Study published in February, 64 per cent of Canadian organizations currently have cyber insurance, and about one-third of those organizations report submitting a claim within the past 12 months.
Research suggests that family offices have been rather slow to adopt insurance as a way to manage digital risk. A recent study by Ernst & Young and the Wharton Global Family Alliance found that fewer than half of family offices had cyber insurance. But there’s a good case to be made that FOs that aren’t covered should obtain coverage now.
One big reason: cyber insurance is getting cheaper. The 2025 Global Insurance Market Index, by insurance broking and risk management firm Marsh, reports that Canadian premiums declined by three per cent in the second quarter as coverage broadens and more providers enter the arena.
Yet, as with so many things insurance-related, the devil is in the details when it comes to cyber coverage. Insured parties should understand what is and isn’t covered and what they need to do to meet their responsibilities to deter cybercrime.
A buyer’s market in cyber insurance
Cyber insurance is becoming more affordable than during its pre-COVID peaks in part because more people are buying it and more companies are offering coverage. A spike in cyber claims during the pandemic resulted in insurance companies imposing stricter underwriting standards and requiring organizations to demonstrate an acceptable level of industry-standard security controls. That’s also helped to control costs.

“They’re making sure everybody imposes multi-factor authentication and requiring them to create immutable backups of their systems, as well as developing an incident response plan,” says Eric Charleston, partner and national co-leader for cybersecurity with law firm Borden Ladner Gervais.
Cyber insurance can be offered as a rider to property insurance or as a standalone policy. “Almost every business getting cyber insurance now is getting standalone cyber,” says Charleston. “Coverage is not nearly as standardized as auto or homeowners’ insurance, but generally speaking the coverages offered under cyber policies are quite similar now.”
Jake Moore, a UK-based global cybersecurity advisor with cybersecurity company ESET, says he agrees. “I would heavily advise companies to go for bespoke, specific cyber insurance and get a level of coverage specifically designed for the company and its assets,” he explains.
How cyber insurance works
Cyber insurance typically covers first-party and third-party costs. First-party costs are those paid to determine what happened and to recover from an incident. These can include the costs of a breach coach (a role Charleston often assumes); a digital forensics investigator who secures the system; business interruption coverage; data recovery and implementation of back-up systems; a negotiator and any extortion payments made to ransomware attackers; and notifications to clients, vendors and regulators about the breach.
“You want to make sure you have robust business interruption coverage under the policy,” Charleston says. “If a cyberattack knocks out your systems, you may not be able to use your computer for two or three weeks. If you’re not as profitable or not bringing in as much work as possible, a cyber policy can cover this for a limited indemnity period after the incident.”
Third-party costs involve the amount spent to defend the policyholder against claims from other people and companies resulting from the incident. That may include legal action from clients claiming that a multi-family office, for example, was negligent in its cybersecurity practices by exposing their private information to the public.
“Sadly, some companies mistakenly view an insurance policy as paying for a get-out-of-jail-free card, and this can backfire if an incident occurs and their controls are found lacking,” Moore says.
Cyber insurance may not cover everything
The TELUS study supports the need for robust cybersecurity measures even with insurance. According to the report, of organizations submitting a claim within the past 12 months, 78 per cent received an insurance payout. On average, those payouts covered only 60 per cent of incident costs—a level of compensation that met the insured party’s expectations in only 29 per cent of cases.
“Insurers still pay covered losses, but they will scrutinize claims more than they did in the late 2010s,” Moore says. “Today, you see rejections or limitations, usually when the insured failed to maintain required controls, such as offline backups. This means that if businesses were to have had the proper backups in place, they wouldn’t require the insurance at the same level, as the data would be easily restored.”

Charleston also throws cold water on the notion that organizations will receive a blank cheque to upgrade their systems to the latest standards.
“From the insurer’s perspective, coverage is meant to return an organization to its original state, not pay to upgrade your systems to meet industry security standards,” he says. “This type of claim is often denied and, in our experience, the ensuing dispute often goes to mediation.”
On top of that, while cyber insurance may cover the salaries and wages of new staff and consultants, or overtime incurred by existing staff to restore the company’s systems, it won’t cover regular salaries of employees who have been reassigned to recovery efforts.
Even ransom demands may fall outside the scope of cyber insurance coverage. These payments typically fall into two categories: paying for the decryption of locked files, or paying the attacker to delete stolen copies of the files rather than publish them.
“Nearly all insurance companies will conduct a cost-benefit analysis for the payment,” Charleston says. “They’re going to want to see an effort to negotiate that number down and an effort to justify the number. Insurers are grappling with how to impose reasonableness on these negotiations. Often, our clients just accept that the data is going to be published rather than paying for deletion.”
Some insurers may also compare the cost of rebuilding systems from backups, in addition to the cost of projected business interruption and recovery expenses, against the amount of the ransom demand. If the cyberattacker’s price is too high, the insurer may decide to cut them out of the equation.
After the first call …
What happens following a cyberattack and the first phone call to the insurance carrier?
“It’s essentially an ‘in case of emergency break glass’ situation,” Charleston says. “Then somebody like me shows up with a whole playbook from A to Z, no matter what kind of business you operate—an external resource to come in and manage this crisis for you immediately, and to make it stop.”
As a breach coach, Charleston can, at a minimum, advise clients on their investigative and reporting obligations and help them apply legal privilege to the investigation so they can conduct it thoroughly and transparently.
“The best breach coaches can hand-hold through the entire incident, look around corners and offer a bit of a crystal ball on how these situations might break bad,” he says. “We translate the technical jargon of the forensic findings as they come in and explain how the findings influence their obligations under the law. More than that, we help our clients understand the objections they may get from potential claimants or anticipate potential negative press.”
Some organizations may also be legally required to make a public statement about the breach or deliver reports to a banking regulator and privacy regulator.
“We help them to understand their reporting requirements and co-ordinate that communication, so that the stories are all correct, honest and compliant,” Charleston says.
Prevention still rules
Protecting against cyberattacks and breaches continues to be a better bet for any organization than relying on cyber insurance to fix what’s broken.
“You need to be doing proactive work preparing for this type of stuff, and that includes network security auditing, conducting preparedness exercises and working on incident response planning and strategy,” Charleston says.
Moore agrees. “Cyber insurance should be your airbag,” he says. “It won’t stop you crashing, but it’ll soften the blow.”
Peter Kenter is a Toronto-based writer with a deep and abiding interest in how everything in the world works and how it got that way. He’s written about the economy, investing, financial services, cryptocurrency, pharmaceuticals, mining, energy, cannabis, agriculture, consumer electronics, education, sponsorship marketing, and entertainment. He’s the author of TV North: Everything You Wanted to Know About Canadian Television. He loves English bull terriers.