The bottom line for 2026: Canadian data breach costs rose 10.4% to CA$6.98 million even as the global average fell. Canada is the outlier, and the rest of this page is the evidence, with every figure cited to its primary source.
Last updated: June 2026. Refreshed annually on this URL.
Most cybersecurity statistics circulating online are global, American, or vendor-sourced, which makes them the wrong number to quote when the question is about Canadian risk, Canadian breach economics, or Canadian privacy law. This page collects the figures that are Canadian, and cites each one to its primary source: Statistics Canada, the Canadian Internet Registration Authority (CIRA), the Canadian Centre for Cyber Security (CCCS), IBM, and the relevant legislation. If you use a figure, cite the primary source, and a link back here is appreciated.
Headline figures
- CA$6.98 million: average cost of a data breach for a Canadian organization in 2025, up 10.4% year-over-year while the global average fell. (IBM)
- 16% of Canadian businesses were impacted by a cybersecurity incident in 2023, down from 21% in 2019. (Statistics Canada)
- 43% of Canadian organizations report being targeted by a cyberattack in the past 12 months. (CIRA)
- 88% of Canadian businesses hit by ransomware did not pay the ransom. (Statistics Canada)
- CA$25 million or 4% of global revenue: the maximum penal fine under Quebec's Law 25, the strictest privacy-penalty regime in Canada. (Act respecting the protection of personal information in the private sector)
A note on dates and methodology
The most recent national datasets available as of mid-2026 are: Statistics Canada's Canadian Survey of Cyber Security and Cybercrime covering 2023 (released October 2024); CIRA's 2025 Cybersecurity Survey (released October 2025); the CCCS National Cyber Threat Assessment 2025-2026 (released October 2024); and IBM's Cost of a Data Breach Report 2025 (released July 2025). We note the underlying data year alongside each figure so you can judge its currency yourself.
1. The Canadian threat landscape
The headline trend surprises people: at the population level, the share of Canadian businesses reporting a cybersecurity incident has been declining, not rising. In 2023, 16% of Canadian businesses were impacted by a cybersecurity incident, down from 18% in 2021 and 21% in 2019 (Statistics Canada, Impact of cybercrime on Canadian businesses, 2023).
The decline reflects a shift in distribution, not an easing of risk. Large businesses remained the most likely to be impacted, at 30% in 2023, and the nature of incidents moved toward higher-consequence categories: identity theft hit 31% of impacted businesses, an 11-percentage-point jump from 2021 (Statistics Canada). Scams and fraud remained the most common method.
Meanwhile, organizations that run active security programs report a very different exposure rate. In CIRA's survey of Canadian cybersecurity decision-makers, 43% of organizations said they were targeted by a cyberattack in the past 12 months, and 42% experienced a breach of customer or employee data, up sharply from 29% in 2022 (CIRA, 2025 Cybersecurity Survey).
The national-security view from the federal cyber agency is blunter: the CCCS names ransomware as the top cybercrime threat to Canada's critical infrastructure, and reports that ransomware incidents have grown an average of 26% year-over-year since 2021 (CCCS, National Cyber Threat Assessment 2025-2026).
Cite this
In 2023, 16% of Canadian businesses were impacted by a cybersecurity incident, down from 21% in 2019; large businesses remained most exposed at 30%. Source: Statistics Canada, Impact of cybercrime on Canadian businesses, 2023 (released Oct 21, 2024).
2. Ransomware in Canada
Ransomware is where Canadian and global pictures diverge most usefully.
Among Canadian businesses, ransomware remains comparatively rare but is rising: 13% of impacted businesses reported a ransomware attack in 2023, up from 11% in 2021 (Statistics Canada). And the Canadian instinct is to refuse: 88% of ransomware victims did not make a payment (Statistics Canada). Of the roughly 12% who did pay, Statistics Canada reports that 84% paid less than CA$10,000 and 4% paid more than CA$500,000 (shares of payers, not of all victims).
Among organizations with mature security programs, the numbers run hotter. In CIRA's 2025 survey, 24% of organizations said they had been ransomware victims in the past 12 months, and of those victims, 74% paid a ransom and 74% had data exfiltrated (CIRA, 2025 Cybersecurity Survey). The payments were not trivial: the most common band, reported by 28% of paying victims, was CA$25,000 to CA$50,000, and 15% paid CA$100,000 or more.
The gap between the StatCan did-not-pay rate (88%) and the CIRA paid rate (74%) is not a contradiction. It reflects two different populations (all businesses with 10+ employees versus organizations that already run cybersecurity programs) and two different survey years. Quote the one that matches your audience.
Cite this
88% of Canadian businesses hit by ransomware did not pay (Statistics Canada, 2023 data). Among organizations with active security programs, 24% were ransomware victims in the past year and 74% of those paid (CIRA, 2025).
3. The cost of a breach in Canada
This is the figure most worth knowing, because it moves in the opposite direction from the global trend.
The average Canadian data breach cost CA$6.98 million in 2025, a 10.4% increase from CA$6.32 million in 2024, even as the global average fell about 9% to US$4.44 million (IBM, Cost of a Data Breach Report 2025; IBM Canada newsroom). Canada got more expensive while the world got cheaper.
By sector, financial services led Canadian breach costs at CA$9.97 million in 2025, roughly a 43% premium over the national average (IBM Canada).
Where does the cost come from? For four years running, IBM's global breakdown of the four cost categories has put detection and escalation first (about 33%), lost business second (about 31%), post-breach response third (about 27%), and notification last (about 9%) (IBM, Cost of a Data Breach Report 2025). The implication for budgeting is consistent: the largest controllable line item is detecting and scoping the breach. That is an argument for investing in detection and validated controls before an incident, not for buying notification insurance after one.
Cite this
The average Canadian data breach cost CA$6.98M in 2025, up 10.4% year-over-year, while the global average fell to US$4.44M. Canadian financial-services breaches averaged CA$9.97M. Source: IBM, Cost of a Data Breach Report 2025.
4. What Canada spends on cyber
Spending is rising even as the incident rate falls, a sign that Canadian organizations are treating security as an operating cost, not an incident response.
- Recovery spending doubled, from approximately CA$600 million in 2021 to CA$1.2 billion in 2023 (Statistics Canada).
- Prevention and detection spending rose from CA$9.7 billion in 2021 to CA$11.0 billion in 2023 (Statistics Canada).
The ratio matters more than either number: Canadian businesses spend roughly nine dollars preventing incidents for every dollar spent recovering from them. That is the economically correct direction, because recovery is the most expensive way to buy security.
Cite this
Canadian businesses' cyber-incident recovery spending doubled to CA$1.2 billion in 2023, while prevention and detection spending reached CA$11.0 billion. Source: Statistics Canada, Impact of cybercrime on Canadian businesses, 2023.
5. AI and phishing: where Canadian leaders are looking next
Concern has shifted toward AI-enabled attacks. In CIRA's 2025 survey, 70% of Canadian organizations said they were worried about AI-powered cyberattacks, privacy breaches, and data poisoning, and 61% were concerned about more convincing phishing emails and texts (CIRA, 2025 Cybersecurity Survey). The CCCS assessment aligns: it warns that cybercriminals are increasingly using artificial intelligence to enhance their capabilities (CCCS, NCTA 2025-2026).
Cite this
70% of Canadian organizations are worried about AI-powered cyberattacks and 61% about AI-improved phishing. Source: CIRA, 2025 Cybersecurity Survey.
6. The compliance and privacy-penalty landscape
For Canadian companies, the regulatory exposure is uneven across the country, and one province is far ahead of the federal regime.
Federal: PIPEDA. Mandatory breach reporting under PIPEDA has been in force since November 1, 2018 (Order Fixing November 1, 2018, SI/2018-32, Canada Gazette Part II). Critically, the Office of the Privacy Commissioner has no direct fining authority under PIPEDA: it investigates and issues findings, and enforcement runs through the Federal Court (OPC guidance). The Act does carry fixed offence fines of up to CA$100,000 for specific failures such as not reporting a breach, but these are prosecuted through the courts, not levied by the regulator.
The reform that didn't happen: Bill C-27. Bill C-27, which would have introduced administrative monetary penalties of up to the higher of CA$10M and 3% of global revenue (and penal fines up to the higher of CA$25M and 5%), died on the Order Paper when Parliament was prorogued in January 2025 (LEGISinfo, Parliament of Canada). As of mid-2026, no successor bill has been enacted under a confirmed number; Canada continues to operate under PIPEDA. Treat any claim that C-27 will fine you as out of date.
Quebec: Law 25. Quebec's Law 25 phased in over three years: privacy-officer and breach-reporting obligations on September 22, 2022; PIAs, consent, and the right to erasure on September 22, 2023; and data portability on September 22, 2024 (Osler analysis). Its penalties are the most severe in Canada: administrative monetary penalties up to the greater of CA$10 million or 2% of worldwide turnover, and penal fines up to the greater of CA$25 million or 4% of worldwide turnover (with a CA$15,000 minimum for corporations and doubling on repeat offences), under the Act respecting the protection of personal information in the private sector (CQLR c. P-39.1, ss. 90.12 and 91).
For comparison: GDPR. The EU benchmark that Canadian exporters are measured against allows fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83(5), Regulation (EU) 2016/679).
The practical takeaway for a Canadian company selling across provinces and borders: your binding penalty exposure is set by the strictest regime you touch, most often Quebec's Law 25 or the GDPR, not by the comparatively toothless federal PIPEDA.
Cite this
Quebec's Law 25 carries penalties up to the greater of CA$25M or 4% of global revenue, the strictest privacy-penalty regime in Canada. Federal PIPEDA still gives the Privacy Commissioner no direct fining authority, and the Bill C-27 reform died at prorogation in January 2025. Sources: Act respecting the protection of personal information in the private sector (P-39.1); LEGISinfo.
Primary sources
- Statistics Canada, Impact of cybercrime on Canadian businesses, 2023, The Daily, October 21, 2024.
- Statistics Canada, Businesses impacted by cyber security incidents, Canada, 2019 to 2023.
- CIRA, 2025 Cybersecurity Survey.
- Canadian Centre for Cyber Security, National Cyber Threat Assessment 2025-2026.
- IBM, Cost of a Data Breach Report 2025.
- IBM Canada Newsroom, Canadians' Data Security Under Increased Threat, While Breach Costs Surge, July 30, 2025.
- Order Fixing November 1, 2018 (PIPEDA breach reporting), SI/2018-32, Canada Gazette Part II.
- Office of the Privacy Commissioner of Canada, breach guidance.
- Quebec, Act respecting the protection of personal information in the private sector (CQLR c. P-39.1), via Osler analysis.
- Parliament of Canada, LEGISinfo, Bill C-27 (historical).
- Regulation (EU) 2016/679 (GDPR), Article 83(5).
Cite this page
Truvo Cyber. Canadian Cybersecurity & Compliance Statistics 2026. Updated June 2026. Retrieved from https://www.truvocyber.com/blog/canadian-cybersecurity-compliance-statistics-2026
Frequently Asked Questions
What is the average cost of a data breach in Canada in 2025?
The average Canadian data breach cost CA$6.98 million in 2025, a 10.4% increase from CA$6.32 million in 2024, even as the global average fell about 9% to US$4.44 million. Canadian financial-services breaches were the most expensive, averaging CA$9.97 million. Source: IBM, Cost of a Data Breach Report 2025.
Do Canadian companies pay ransomware demands?
Most do not. According to Statistics Canada, 88% of Canadian businesses hit by ransomware in 2023 did not pay. Of the roughly 12% who did, 84% paid less than CA$10,000. Among organizations with mature security programs surveyed by CIRA in 2025, the paid rate was higher, reflecting a different and smaller survey population.
What are the penalties under Quebec's Law 25?
Quebec's Law 25 is the strictest privacy-penalty regime in Canada. It allows administrative monetary penalties up to the greater of CA$10 million or 2% of worldwide turnover, and penal fines up to the greater of CA$25 million or 4% of worldwide turnover, with a CA$15,000 minimum for corporations and doubling on repeat offences.
Does PIPEDA impose fines for data breaches?
Not in the way most people assume. The federal Privacy Commissioner has no direct fining authority under PIPEDA. The Act does carry fixed offence fines of up to CA$100,000 for specific failures, such as knowingly failing to report a breach or obstructing the Commissioner, but these are prosecuted through the courts rather than levied by the regulator, and they are not based on a percentage of revenue.
Is Bill C-27 the law in Canada?
No. Bill C-27, which would have introduced revenue-based privacy fines, died on the Order Paper when Parliament was prorogued in January 2025. As of mid-2026, no successor bill has been enacted, and Canada continues to operate under PIPEDA. Any guidance claiming C-27 penalties apply is out of date.
How many Canadian businesses experience cybersecurity incidents?
In 2023, 16% of Canadian businesses were impacted by a cybersecurity incident, down from 18% in 2021 and 21% in 2019. Large businesses remained the most exposed at 30%. The decline reflects a shift toward higher-consequence incidents rather than an easing of overall risk. Source: Statistics Canada.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.