Canada's Business and Tech Newsroom

News

Feds eyeing potential ‘safe-harbour’ disclosure rules for ransomware victims, documents show

By Jesse Snyder
Dec 9, 2021
The federal government is mulling “safe-harbour” disclosure rules for companies that fall victim to cyber attacks, according to documents obtained by The Logic, amid concerns that it lacks insight into the cyber-insurance industry at a time when ransomware attacks have proliferated. 

Safe-harbour rules are legal provisions that typically allow companies to sidestep some liabilities or penalties, provided that certain conditions are met. Such a move could come alongside stricter reporting requirements for the private sector, placing fresh obligations on companies as regulators seek to restrain ransomware attackers.

In an internal report by Public Safety Canada, obtained by access-to-information request, government officials warned that they had only “limited” insight into the cyber-insurance industry, in large part because many security breaches go unreported by companies. The existence of non-disclosure agreements in some insurance policies has further added to that lack of reporting, the document says, which “impacts the ability of law enforcement to initiate or advance an investigation.”

Talking Point

The introduction of safe-harbour provisions could involve new obligations for companies who suffer ransomware or other cyber attacks. Potential changes, floated in a Public Safety Canada report obtained by The Logic, come as the government seeks more insight into the country’s relatively young cyber-insurance industry.

Public Safety Canada did not provide The Logic with further details on the safe-harbour rules. Safe-harbour proposals from the April 2021 report have not yet been brought before the minister, the department said. 

The department’s concerns come as the cyber-insurance industry reels from a sharp increase in ransomware and other attacks in recent years, intensified by a global pandemic that forced many companies to accelerate the digitization of their operations. The number of ransomware attacks in North America leapt 151 per cent year over year in the first half of 2021 alone, according to a study by SonicWall, a cybersecurity provider. That has tested the financial limits of insurance companies, which have dramatically hiked premiums in recent years to cover higher rates of payouts. 

To better track cybercrime in Canada, Public Safety officials have in turn floated recommendations to step up companies’ disclosure when breaches occur, which “could include the development of safe-harbour disclosure rules,” the report says.

The shift would follow a similar proposal brought forward in the U.S. in October by Sen. Elizabeth Warren and Rep. Deborah Ross, whose Ransom Disclosure Act would force companies to disclose security breaches. The bill would also force companies to disclose the type of cryptocurrency they may have used to pay ransoms.

Currently, Canadian companies are required to report security breaches to the federal privacy commissioner, but only if the company deems there to be a “real risk of significant harm” to itself or to third parties, according to the government’s website. Disclosure rules can fluctuate based on the province where the company is based; Alberta, British Columbia and Quebec all have their own privacy laws. 

Other regulators have already begun tightening their reporting requirements. In an updated advisory this summer, the Office of the Superintendent of Financial Institutions (OSFI) removed a threshold that said only security breaches of “high or critical severity” would need to be reported to the agency. Federal institutions must now report any cybersecurity incident, the update said. It also trimmed down its allowable reporting period from 72 hours after an attack to within 24 hours. 

The cyber-insurance industry has been under financial pressure as cyber attacks became more frequent during the pandemic, exposing a relatively young industry compared to legacy areas like auto or life insurance. Many Canadian firms remain uninsured. Only 15 per cent of the 300 business owners surveyed in a recent Leger poll had standalone cyber-insurance policies. 

“The danger for the insurance companies is they don’t have decades of actuarial data to tell them how likely it is they’re going to have to pay out,” said Brent Arnold, partner at law firm Gowling.

Cyber insurers, increasingly leery of mounting payouts, have hiked premiums as a result. Direct-loss ratios, which measure an insurance company’s total paid claims versus its total premiums, spiked to nearly 499 per cent in the second quarter of 2020, up from 154 per cent the year before, according to the Public Safety report, citing OSFI data.

The jump was widely attributed to a spike in remote work during the pandemic, which limited the ability of companies to secure internal data. 

The Public Safety report obtained by The Logic was part of a briefing note provided to Natural Resources Canada deputy minister Jean-François Tremblay. 

Hackers target Canadian energy and utilities at nearly double the rate of all other industries combined, according to a document previously obtained by The Logic, creating “significant consequences for national security, public safety and the economy.” 

The Northwest Territories Power Corporation suffered a ransomware attack in 2020 that led to a six-week shutdown of the public utility’s IT systems. Georgia-based Colonial Pipeline was forced to shut down its oil-pipeline network in May following a ransomware attack, suspected to have been carried out by Eastern European hacking group DarkSide. The company reportedly paid a ransom of roughly US$4.4 million. 

Meanwhile, Public Safety’s report also raised concerns about insurance policies that cover ransom payments, known as extortion coverage, saying they could heighten a company’s risk. Hackers will sometimes determine that payments will be more forthcoming from companies with extortion coverage, and select their targets accordingly. 

“While obtaining cyber-liability insurance may make an organization feel safer, anecdotal examples suggest that it may increase their vulnerability,” the report says. 

That has led some governments to propose an outright ban on ransom payments in an effort to snuff out criminal activity. Authorities in New York have proposed legislation to ban companies from paying ransoms, while Pennsylvania, North Carolina and Texas are floating policies to ban public institutions from paying cyber criminals.

Some experts are sympathetic to those concerns. 

“It basically feeds the beast,” said Gowling’s Arnold. “The theory has always been that anything that sees criminals rewarded for this behaviour perpetuates the cycle of cybercrime,” he said.

Arnold has years of experience working with companies who have been the target of cyber crime, coordinating emergency response plans and sometimes hiring ransomware negotiators. 

He cannot identify his clients for privacy reasons, but says recently they have included organizations from a small contractor in the construction industry to a large Canadian public institution. Companies often choose to pay ransoms, he said, particularly in cases where data is sensitive, or if the release of data could trigger legal challenges from third parties.

Imran Ahmad, head of technology at Norton Rose Fulbright Canada, argued that it could be oversimplifying to assume that extortion coverage can heighten a company’s risk, saying that insurance policies are often deeply complicated and come with a long list of conditions that could be indecipherable to outsiders.

“Just because a company has million-dollar extortion coverage doesn’t mean that there’s a million dollars sitting right there, or that the insurance company would pay it,” he said.

#cyber security
