Canada Against the Tide: Breaches Are Getting More Expensive
While the global average cost of a data breach saw its first decline in five years (down 9% in USD), Canada is moving in the opposite direction. According to the IBM Cost of a Data Breach Report 2025, Canadian organizations now pay an average of CA$6.98 million per breach — a 10.4% increase from CA$6.32M in 2024.
For cyber claims experts and insurers operating in Canada, this figure isn't just a statistic: it's the basis for your reserves, premiums, and underwriting strategies. At ITCS Group, we work with insurers and breach coaches facing these realities every day. Here is our analysis of the key findings and their practical implications.
Key Findings from the IBM Report for Canada
Average Cost per Breach: CA$6.98M (+10.4%)
This increase is significant. While the rest of the world benefits from declining costs — driven by AI and automation adoption — Canada faces mounting pressure. Contributing factors include growing regulatory complexity (Law 25, PIPEDA), increased targeting by ransomware groups, and a particularly vulnerable SMB ecosystem.
Shadow AI: A New CA$308,000 Cost Factor
The IBM report spotlights an emerging phenomenon: Shadow AI. This refers to unauthorized use of AI systems by employees — ChatGPT, Copilot, content generation tools — without oversight or governance. In Canada, one in three businesses report having no access controls on AI systems.
The impact is quantified: breaches involving Shadow AI cost an additional CA$308,000 above average. These tools create vulnerabilities by exposing sensitive data to third-party platforms, circumventing security policies, and creating blind spots for security teams.
Phishing: CA$7.91M per Breach (+24%)
Phishing remains the most common initial attack vector in Canada. The average cost of a phishing-initiated breach reached CA$7.91M in 2025, a 24% increase from CA$6.38M in 2024. This rise reflects the growing sophistication of phishing campaigns, now powered by generative AI to produce hyper-personalized emails in both French and English.
Most Impacted Sectors
Financial services: CA$9.97M per breach (+7.4% vs 2024), the costliest sector in Canada due to the sensitivity and value of financial data
Industrial sector: CA$8.39M per breach — these organizations have low downtime tolerance, making them easy targets for attackers
Pharmaceutical: CA$7.99M per breach, with risks of intellectual property exposure and supply chain disruption
Defensive AI: The CA$3.34M Gap
The most striking finding concerns the gap between organizations using AI and security automation versus those that don't:
With AI and automation: CA$5.19M per breach
Without AI or automation: CA$8.53M per breach
Gap: CA$3.34M — a 39% reduction
Beyond costs, AI dramatically accelerates detection. Organizations using these technologies reduce their Mean Time to Identify (MTTI) to 118 days, compared to 162 days for others — a 59-day improvement. In a ransomware context, 59 days of faster detection can mean the difference between a contained breach and a catastrophe.
What This Means for Cyber Insurers in Canada
1. Pricing Model Revision
With a 10.4% increase in average costs, cyber insurance premiums in Canada must reflect this reality. Insurers who don't adjust their models face unfavorable loss ratios. The report provides granular sector-level data enabling more precise pricing.
2. Integrating Shadow AI Risk into Underwriting
Shadow AI is a new risk that traditional underwriting questionnaires don't yet capture. We recommend adding specific AI governance questions to the underwriting process: does the organization have an AI usage policy? Are access controls in place? Does an inventory of AI tools in use exist?
3. Rewarding Defensive AI Maturity
The CA$3.34M gap between organizations using defensive AI and others justifies premium reductions for insureds demonstrating security AI maturity. This is a powerful lever to encourage cybersecurity investment.
4. Prevention as a Profitability Lever
Every dollar an insured invests in prevention reduces the potential claims cost. Insurers offering prevention services — risk assessments, penetration testing, training — reduce their exposure while retaining clients.
What This Means for Canadian Businesses
The IBM report issues clear recommendations that we fully endorse at ITCS Group:
Govern and secure AI systems: develop clear policies to manage AI usage, prevent Shadow AI, and ensure Law 25 compliance
Invest in security automation: defensive AI tools are no longer a luxury — they're an investment that pays back millions in the event of an incident
Strengthen employee training: phishing remains the number one vector — regular simulations and a reporting culture are essential
Test your response plan: an untested plan is a plan that doesn't work; semiannual tabletop exercises are recommended
ITCS Group Support
At ITCS Group, we live these numbers every day. Our unique positioning at the intersection of cybersecurity, AI, and cyber insurance enables us to offer insurers and Canadian businesses concrete support: pre-underwriting risk assessments, defensive AI solution deployment, penetration testing, 24/7 incident response, and post-breach support. Every breach we manage strengthens our understanding of real costs and the best ways to reduce them. Contact us for an analysis of your exposure.
Sources
IBM Cost of a Data Breach Report 2025 — IBM Security, July 2025
HSB Canada (Munich Re) — What is driving the cost of cyber claims in Canada?
NetDiligence Cyber Claims Study 2024