2025 Canadian Survey of Cyber Security and Cybercrime

Purpose
The purpose of the 2025 Canadian Survey of Cyber Security and Cybercrime is to measure the impact of cybercrime on Canadian businesses and organizations.

The survey gathers information about

• The measures businesses and organizations have implemented for cyber security, including employee training;
• The types of cyber security incidents that impact businesses and organizations; and
• The costs associated with preventing and recovering from cyber security incidents.

Additional information

Your information may also be used by Statistics Canada for other statistical and research purposes.

Your participation in this survey is required under the authority of the Statistics Act.

Authority

Data are collected under the authority of the Statistics Act, Revised Statutes of Canada, 1985, Chapter S-19.

Confidentiality

By law, Statistics Canada is prohibited from releasing any information it collects that could identify any person, business, or organization, unless consent has been given by the respondent, or as permitted by the Statistics Act. Statistics Canada will use the information from this survey for statistical purposes only.

Data-sharing agreements

To reduce respondent burden, Statistics Canada has entered into data-sharing agreements with provincial and territorial statistical agencies and other government organizations, which have agreed to keep the data confidential and use them only for statistical purposes. Statistics Canada will only share data from this survey with those organizations that have demonstrated a requirement to use the data.

Section 11 of the Statistics Act provides for the sharing of information with provincial and territorial statistical agencies that meet certain conditions. These agencies must have the legislative authority to collect the same information, on a mandatory basis, and the legislation must provide substantially the same provisions for confidentiality and penalties for disclosure of confidential information as the Statistics Act. Because these agencies have the legal authority to compel businesses to provide the same information, consent is not requested and businesses may not object to the sharing of the data.

For this survey, there are Section 11 agreements with the provincial and territorial statistical agencies of Newfoundland and Labrador, Nova Scotia, New Brunswick, Quebec, Ontario, Manitoba, Saskatchewan, Alberta, British Columbia and the Yukon.

The shared data will be limited to information pertaining to business establishments located within the jurisdiction of the respective province or territory.

Section 12 of the Statistics Act provides for the sharing of information with federal, provincial or territorial government organizations. Under Section 12, you may refuse to share your information with any of these organizations by writing a letter of objection to the Chief Statistician, specifying the organizations with which you do not want Statistics Canada to share your data and mailing it to the following address

Chief Statistician of Canada
Statistics Canada
Attention of Director, Centre for Innovation, Technology and Enterprise Statistics
150 Tunney's Pasture Driveway
Ottawa, ON
K1A 0T6

You may also contact us by email at statcan.digitaleconomysociety-economiesocietenumerique.statcan@statcan.gc.ca.

For this survey, there are Section 12 agreements with the statistical agencies of Prince Edward Island, Northwest Territories and Nunavut, as well as with Public Safety Canada; Royal Canadian Mounted Police; Natural Resources Canada; Communications Security Establishment; Innovation, Science and Economic Development Canada; and Public Services and Procurement Canada.

For agreements with provincial and territorial government organizations, the shared data will be limited to information pertaining to business establishments located within the jurisdiction of the respective province or territory.

Record linkage

To enhance the data from this survey and to reduce respondent burden, Statistics Canada may combine it with information from other surveys or from administrative sources.

Reporting instructions

For this questionnaire

Please complete this questionnaire for Canadian operations of this business or organization.

Reporting instructions

• Report dollar amounts in Canadian dollars.
• Report dollar amounts rounded to the nearest dollar.
• If precise figures are not available, provide your best estimate.
• Enter "0" if there is no value to report.

Business or organization characteristics

Business or organization characteristics - Question identifier1

Which of the following does your business or organization currently use? Select all that apply.

• Website for your business or organization
• Social media accounts for your business or organization
• E-commerce platforms and solutions
• Web-based applications
• Open source software
• Cloud computing or storage
• Internet-connected smart devices or Internet of Things (IoT)
• Intranet
• Blockchain technologies
• Voice Over Internet Protocol (VoIP) services
• Remote Access Technology
• Software or hardware using artificial intelligence (AI)
• OR
• Business or organization does not use any of the above

Business or organization characteristics - Question identifier2

What type of data does your business or organization store on servers which are connected to the Internet.

Include

• data stored on cloud computing or storage services
• data stored on servers that can be accessed remotely (e.g., through virtual desktop connections)
• data that are backed-up.
• cloud-based artificial intelligence (AI) systems trained on data the business or organization holds

Select all that apply.

• Personal employee information
• Personal information about customers, suppliers, or partners
• Confidential business or organization information
• Commercially sensitive information
• Non-sensitive or public information
• OR
• Business or organization does not store data on servers which are connected to the Internet

Business or organization characteristics - Question identifier3

Does anyone in your business or organization use personally-owned devices such as smartphones, tablets, laptops, or desktop computers to carry out regular business-related activities?

Include personally-owned devices with enterprise software installed, and devices that are subsidized by the business or organization.

• Yes
• No
• Do not know

Cyber security environment

Cyber security environment - Question identifier4

Which cyber security measures does your business or organization currently have in place?

Include on-site and external security measures, including those provided by an external party. Select all that apply.

• Mobile security
  Does your business or organization allow access to any of the following applications when mobile security is disabled?
  Include applications on all devices with mobile security installed by your business or organization.
  Select all that apply.
  • Enterprise applications
  • Other online applications
  • Other offline applications
  • OR
  • All applications require mobile security to be enabled
• Anti-malware software to protect against viruses, spyware, ransomware, etc.
• Web security
• Email security
• Network security
• Data protection and control
• Point-Of-Sale (POS) security
• Software and application security
• Hardware and asset management
• Identity and access management
• Physical access controls
• Multi-Factor Authentication
• AI-based cyber security tools
• OR
• Business or organization does not have any cyber security measures in place
• OR
• Do not know

Cyber security environment - Question identifier5

Did any of the following external parties or cyber security standards or cyber security certification programs require your business or organization to implement certain cyber security measures?

Select all that apply.

• Supplier of physical goods
• Supplier of digitally delivered goods or services
• Supplier of other services that are not digitally delivered
• Customer
• Partner
• Canadian departments, agencies, centres or regulators
  Which Canadian departments, agencies, centres or regulators required your business or organization to implement certain cyber security measures?
  Select all that apply.
  • Office of the Privacy Commissioner
  • Canadian Radio-television and Telecommunications Commission
  • Competition Bureau
  • Innovation, Science and Economic Development Canada
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Spam Reporting Centre
  • Canada Revenue Agency (CRA)
  • Other
• Foreign departments, agencies, centres or regulators
• Cyber security standard or cyber security certification program
• Cyber risk insurance provider
• OR
• None of the above

Cyber security environment - Question identifier6

How many employees does your business or organization have that complete tasks related to cyber security as part of their primary responsibilities?

Include part-time and full-time employees. Examples of tasks these employees may complete include

• managing, evaluating or improving the security of business networks, web presence, email systems or devices;
• patching or updating the software or operating systems used for security reasons;
• completing tasks related to recovery from previous cyber security incidents.

Exclude

• Members of senior management with responsibility for decision making regarding cyber security risks, threats and incidents
• External IT consultants or contractors.

If precise figures are not available, please provide your best estimate.

• One employee
• Two to five employees
• 6 to 15 employees
• Over 15 employees
• None
• Do not know

Cyber security environment - Question identifier7

What are the main reasons your business or organization does not have any employees that complete tasks related to cyber security as part of their regular responsibilities? Select all that apply.

• Business or organization uses private sector consultants or contractors to monitor cyber security
• Business or organization uses public sector consultants or contractors to monitor cyber security
• Business or organization has cyber risk insurance
• Business or organization is in the process of recruiting a cyber security employee
• Business or organization is unable to find an adequate cyber security employee
• Business or organization lacks the money or resources to employ a cyber security employee
• Cyber security is not a high enough risk to the business or organization
• Business or organization's parent organization manages cyber security

Cyber security environment - Question identifier8

What percentage of the employees that complete tasks related to the cyber security of your business or organization as part of their primary responsibilities identify as the following genders?

Gender refers to current gender, which may be different from sex assigned at birth and may be different from what is indicated on legal documents.

Exclude individuals employed by external IT consultants or contractors.

If precise figures are not available, please provide your best estimate.

• Female
• Male
• Another gender

Cyber security environment - Question identifier9

Which of the following population groups do your business or organization's cyber security employees belong to?

Select all that apply.

• White
• Indigenous
• Visible minority
• OR
• Do not know

Cyber security environment - Question identifier10

Which qualifications would your business or organization consider essential when hiring new cyber security employees?

Select all that apply.

• Academic certificates, diplomas or degrees
  What is the highest academic certificate, diploma or degree that would be considered essential?
  • High school diploma or a high school equivalency certificate
  • Trades certificate or diploma
  • College, CEGEP or other non-university certificate or diploma (other than trades certificates or diplomas)
  • University certificate or diploma below the bachelor's level
  • Bachelor's degree
  • University certificate, diploma or degree above the bachelor's level
• Other cyber security certifications
  Which cyber security certifications are considered essential?
  • Certified Ethical Hacker
  • Certified Information Security Manager
  • Certified Information Systems Professional
  • GIAC Security Expert
  • Security+
  • Other certifications
• Experience working in cyber security
• Other cyber security training
• Other qualifications
  • Specify other qualifications
• OR
• Business or organization has never attempted to hire a cyber security employee
• OR
• Do not know

Cyber security environment - Question identifier11

What are the top 3 technical cyber skills you are looking for in potential new cyber security employees?

Select up to three.

• Script writing
• Software development, deployment or debugging
• IT system development, implementation or maintenance
• Data management or analysis
• Knowledge of Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS)
• Experience with IT or network security
• Experience with application security
• Experience with cyber security incident response
• Experience with ethical hacking
• Experience with AI systems
• Other - Specify other technical skills

Cyber security environment - Question identifier12

In 2025, did your business or organization encounter any challenges finding qualified cyber security employees or retaining existing cyber security employees?

Select all that apply.

• Challenges finding qualified cyber security employees
• Challenges retaining cyber security employees
• OR
• This business or organization did not encounter any challenges finding or retaining qualified cyber security employees in 2025
• OR
• Do not know

Cyber security environment - Question identifier13

What challenges did your business or organization encounter when hiring cyber security employees in 2025?

Select all that apply.

• Applicants lacking skills
• Applicants lacking experience
• Salary requests too high
• Not enough time or resources for effective recruitment
• Lack of candidate interest in the position
• Other challenges
  • Specify other challenges
• OR
• Do not know

Cyber security environment - Question identifier14

For which reasons did cyber security employees leave your business or organization in 2025?

Select all that apply.

• Recruited by other business or organization operating in Canada
• Recruited by other business or organization operating outside of Canada
• Limited internal promotion or development opportunities
• High stress levels at work
• Lack of flexibility (work-life balance)
• Visa or work permit issues
• Layoffs or dismissals
• Retirement
• Family commitments
• Other reasons - Specify other reasons
• OR
• No cyber security employees left the business or organization in 2025
• OR
• Do not know

Cyber security environment - Question identifier15

Did your business or organization share best practices or general information on cyber security risks with your employees in 2025?

Include the sharing of information through email, bulletin boards, general information sessions on subjects related to

• recognizing and avoiding email scams
• importance of password complexity and basic security techniques
• securing your web browser and safe web browsing practices
• avoiding phishing attacks
• recognizing and avoiding spyware.
  • a. Information shared with internal cyber security employees
  • b. Information shared with other employees
    • Yes
    • No
    • Not applicable
    • Do not know

Cyber security environment - Question identifier16

Did your business or organization provide formal training to develop or upgrade cyber security related skills of your employees or stakeholders in 2025?

Include training provided by external sources.

Exclude ad hoc information sharing between employees.

1. Provided training to internal cyber security employees
2. Provided training to other employees
3. Provided training to stakeholders such as suppliers, customers or partners
   • Yes
   • No
   • Not applicable
   • Do not know

Cyber security environment - Question identifier17

Why did your business or organization not provide formal training to develop or upgrade the cyber security related skills of some or all of its employees?

• Unable to find appropriate training
• Cost of training
• Not enough time or resources to send employees on training
• Lack of interest from employees
• Employees did not require formal training
• Other

Cyber security environment - Question identifier18

What are the three main reasons your business or organization spends time on or allocates budget to cyber security measures or related skills training?

Select up to three.

• Allow employees to work remotely securely
• Protect the reputation of the business or organization
• Protect personal information of employees, suppliers, customers or partners
• Protect trade secrets and intellectual property
• Compliance with Canadian laws and regulations
• Compliance with foreign laws and regulations
• Compliance with contracts
• Business or organization has suffered a cyber security incident previously
• Prevent downtime and outages
• Prevent fraud and theft
• Secure continuity of business or organization operations
• Required by cyber risk insurance provider
• OR
• Business or organization does not spend time or money on cyber security measures or related skills training

Cyber security readiness

Cyber security readiness - Question identifier19

Which risk management arrangements does your business or organization currently have in place?

Select all that apply.

• Cyber risk insurance
  What type of cyber risk insurance does your business or organization have?
  • Indirect coverage through an existing insurance policy
  • A cyber-specific add-on to an existing insurance policy
    What type of cyber-specific add-on does your business or organization have?
    • A cyber-specific add-on to an existing insurance policy with under 100k in coverage
    • A cyber-specific add-on to an existing insurance policy with over 100k in coverage
    • Do not know
  • Standalone cyber risk insurance
  • Other
• A procedure for notifying employees of cyber security incidents or threats
• A Business Continuity Plan (BCP) with processes to manage cyber security threats, vulnerabilities, and risks
• Employees with responsibility for overseeing cyber security risks and threats
• Members of senior management with responsibility for decision making regarding cyber security risks, threats and incidents
• A consultant or contractor to manage cyber security risks and threats
• Monthly or more frequent patching or updating of operating systems for security reasons
• Monthly or more frequent patching or updating of software for security reasons
• Recurring mandatory cyber security training for employees
• Backups of digital information
  Where are these backups stored?
  • In the same location as the main storage
  • At a different business or organization location from the main storage
  • At a third-party location
• Investment in threat intelligence
• Participation in a cyber security information sharing community
• OR
• Business or organization does not have any risk management arrangements for cyber security

Cyber security readiness - Question identifier20

What types of written policies related to cyber security does your business or organization currently have in place?

Select all that apply.

• A written policy in place to manage internal cyber security risks
• A written policy in place to manage cyber security risks associated with supply chain partners
  Does your business or organization's written policy associated with supply chain partners cover any of the following?
  • Cyber security risks related to immediate suppliers or partners
  • Cyber security risks related to your business or organization's wider supply chain
• A written policy in place to report cyber security incidents
• A written policy in place to report a cyber security vulnerability
• Other type of written policy related to cyber security
• OR
• The business or organization does not have any written policies related to cyber security

Cyber security readiness - Question identifier21

Why does your business or organization not have a written policy in place to manage cyber security risks associated with supply chain partners?

Select all that apply.

• Lack of time or money to invest in developing or upholding a policy
• Lack of knowledge for how to develop a policy
• Lack of available information regarding supply chain partners
• Creating such a policy is not a priority
• Such a policy is not applicable to this business or organization
• Business or organization has not considered establishing a policy
• Such a policy is not mandated by the Government of Canada
• Other

Cyber security readiness - Question identifier22

Have any of your written cyber security policies been reviewed by third parties, such as cyber security consultants, or external auditors, within the past 2 years?

• Yes
• No
• Do not know

Cyber security readiness - Question identifier23

How would you describe the level of preparedness of your business or organization to defend itself against cyber threats?

• Extremely prepared
• Very prepared
• Somewhat prepared
• Unprepared
• Very unprepared

Cyber security readiness - Question identifier24

Which of the following are covered under your cyber risk insurance policy? Select all that apply.

• Direct losses from an attack or intrusion
• Incident response
• Restoration expenses for software, hardware, and electronic data
• Interruptions (loss of productive time)
• Reputation losses
• Third-party liability
• Cyber extortion or ransom payments
• Financial losses
• Security breach remediation and notification expenses
• Credit monitoring expenses
• Claims made by employees
• Other - Please specify
• OR
• Do not know

Cyber security readiness - Question identifier25

When your business or organization's cyber risk insurance was last up for renewal, did your provider change any of the following?

Select all that apply.

• Higher premiums
• Higher deductibles
• Lower coverage limits
• Additional exclusions
• Co-insurance
• Sub-limits
• Baseline cyber security threshold or cyber security standards checklist required to obtain coverage increased
• Reduced ransomware coverage
• More detailed submissions, including but not limited to, supplemental ransomware questionnaires
• Providing pre-breach services
• Enlisting third-party cyber security firm to conduct additional assessments
• Carrying out external scans of web-facing assets
• Other
  • Please specify
• OR
• No changes were made to the business or organization's cyber risk insurance
• OR
• Do not know

Cyber security readiness - Question identifier26

Why does your business or organization not have cyber risk insurance?

Select all that apply.

• The business or organization's existing insurance policies cover cyber security risks
• The cost of cyber risk insurance is too high
• The business or organization's existing cyber security measures provide enough protection that cyber risk insurance is unnecessary
• The business or organization had no cyber security risks
• The business or organization has not considered obtaining cyber risk insurance
• Not applicable to this business or organization
• Other reasons for not having cyber risk insurance
• OR
• Do not know

Cyber security readiness - Question identifier27

Prior to responding to this survey, were you aware of any cyber security standards or cyber security certification programs that businesses and organizations can apply for?

Include

• Canadian, foreign and international standards and programs;
• standards and programs that you were aware of but your business or organization was not eligible for or did not apply for.

Select all that apply.

• Cyber security standards
  Does your business or organization follow any cyber security standards?
  • Yes
  • No
  • Do not know
• Cyber security certification programs
  Does your business or organization hold any cyber security certifications?
  • Yes
  • No
  • Do not know
• OR
• Not aware of any cyber security standards or certification programs

Cyber security readiness - Question identifier28

Which activities does your business or organization undertake to identify cyber security risks?

Select all that apply.

• Monitoring insider threat risk behaviours
• Monitoring other employee behaviour
• Monitoring network and business or organization systems
• A formal risk assessment of cyber security practices, undertaken by an employee
• A formal risk assessment of cyber security practices, undertaken by an external party
• Penetration testing, undertaken by an employee
• Penetration testing, undertaken by an external party
• Assessment of the security of Internet-connected smart devices or Internet of Things (IoT) devices
• Complete audit of IT systems, undertaken by an external party
• Business or organization conducts other activities to identify cyber security risks
• OR
• Business or organization does not conduct any activity to identify cyber security risks

Cyber security readiness - Question identifier29

How often does your business or organization conduct activities to identify cyber security risks? Select all that apply.

• On a scheduled basis
  On what schedule does your business or organization conduct activities to identify cyber security risks?
  • Daily
  • Weekly
  • Monthly
  • Quarterly
  • Annually
  • Other
• After a cyber security incident occurs
• When a potential vulnerability is discovered
• When a new IT initiative or project is launched
• On an irregular basis

Cyber security readiness - Question identifier30

How often is senior management in your business or organization given an update on actions taken regarding cyber security? Select all that apply.

• On a scheduled basis
  On what schedule does senior management get updates on actions taken regarding cyber security?
  • Daily
  • Weekly
  • Monthly
  • Quarterly
  • Annually
  • Other
• After a cyber security incident occurs
• When a potential vulnerability is discovered
• When a new IT initiative or project is launched
• Senior management have tools to track cyber security issues
• Senior management is given an update on an irregular basis
• OR
• Senior management is not updated on cyber security issues

Cyber security readiness - Question identifier31

Which of the following cyber security resources provided by the federal government has your business or organization used?

Select all that apply.

• Get Cyber Safe campaign
• CyberSecure Canada certification program
• Baseline Cyber Security Controls for Small and Medium Businesses
• Canadian Cyber Security Tool (CCST)
• Ransomware Playbook
• Developing an Operational Technology and Information Technology Incident Response Plan
• Canadian Centre for Cyber Security Top 10 IT Security Actions
• Sector specific guidance or tools
• Other reports, advice or guidance
• OR
• The business or organization has not used any cyber security resources provided by the federal government
• OR
• Do not know

Cyber security incidents

Cyber security incidents - Question identifier32

To the best of your knowledge, which cyber security incidents impacted your business or organization in 2025?

Select all that apply.

• Incidents to disrupt or deface the business or organization or web presence
• Incidents to steal personal or financial information
• Incidents to steal money or demand ransom payment
• Incidents to steal or manipulate intellectual property or business or organization data
• Incidents to access unauthorised or privileged areas
• Incidents to monitor and track business or organization activity
• Incidents with an unknown motive
• OR
• Business or organization was not impacted by any cyber security incidents in 2025

Cyber security incidents - Question identifier33

In 2025, was your business or organization contacted by any of the following external parties regarding their cyber security incidents because they may have involved your business or organization?

Select all that apply.

• Suppliers, customers or partners
• IT consultant or contractor
• Cyber risk insurance provider
• Canadian department, agency, centre or regulator
  Which Canadian departments, agencies, centres or regulators contacted your business or organization?
  • Office of the Privacy Commissioner
  • Canadian Radio-television and Telecommunications Commission
  • Competition Bureau
  • Innovation, Science and Economic Development Canada
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Spam Reporting Centre
  • Canada Revenue Agency (CRA)
  • Other
• Foreign department, agency, centre or regulator
• Industry association
• Bank or other financial institution
• Software or service vendor
• Other parties not mentioned above
• OR
• External parties did not report their cyber security incidents to the business or organization in 2025

Cyber security incidents - Question identifier34

You previously indicated that external parties contacted your business or organization about their cyber security incidents because they may have involved your business or organization in 2025. How did your business or organization react to those cyber security incidents?

Select all that apply.

• Incidents were resolved internally
• Incidents were resolved with the external party
• Incidents were resolved through cyber risk insurance
• Incidents were resolved through an IT consultant or contractor
• Incidents were reported to a police service
• Incidents were reported to other external parties
• Business or organization is currently working with the external party to resolve the incidents
• OR
• No action was necessary or not action was taken by the business or organization

Cyber security incidents - Question identifier: 35

In a previous question, you were asked about cyber security incidents that impacted your business or organization. Thinking now about all attempted cyber security attacks or intrusions, regardless of their impact, which of the following did your business experience in 2025?

Select all that apply.

• Attempts to disrupt or deface the business or organization or web presence
• Attempts to steal personal or financial information
• Attempts to steal money or demand ransom payment
• Attempts to steal or manipulate intellectual property or business or organization data
• Attempts to access unauthorised or privileged areas
• Attempts to monitor and track business or organization activity
• Attempted cyber security attacks or intrusions with an unknown motive
• OR
• Business or organization did not experience any attempted cyber security attacks or intrusions in 2025

Cost of cyber security incidents

Cost of cyber security incidents - Question identifier36

In 2025, what was the total amount your business or organization spent to prevent or detect cyber security incidents?

Exclude costs that were incurred specifically due to previous cyber security incidents (e.g., recovery costs from previous cyber security incidents).

If precise figures are not available, provide your best estimate in Canadian dollars.

Enter "0" if there is no value to report.

1. Employee salary related to prevention or detection
2. Cost of training employees, suppliers, customers, or partners
3. Cost of hiring IT consultants or contractors
4. Cost of legal services or public relations (PR) services
5. Cost of cyber security software
6. Cost of hardware related to cyber security
7. Annual cost of cyber risk insurance or equivalent
8. Cost of bug bounty programs and compensation to vulnerability researchers
9. Other related costs

Cost of cyber security incidents - Question identifier37

In 2025, what was the total cost to your business or organization to recover from the cyber security incidents?

Exclude costs related to prevention and detection of cyber security incidents as these were asked in the previous question.

If precise figures are not available, provide your best estimate in Canadian dollars.

Enter "0" if there is no value to report.

1. Employee salary related to recovery
2. Cost of training employees, suppliers, customers, or partners
3. Cost of hiring IT consultants or contractors
4. Cost of legal services or public relations (PR) services
5. Cost of hiring other external parties
6. Cost of new or upgraded cyber security software
7. Cost of new or upgraded hardware related to cyber security
8. Increased cost of cyber risk insurance or equivalent
9. Reimbursing suppliers, customers, or partners
10. Financial penalties from Canadian regulators or authorities
11. Financial penalties from foreign regulators or authorities
12. Ransom payments
13. Additional credit monitoring fees
14. Costs related to notification of a breach
15. Other related costs

Impact of cyber security incidents

Impact of cyber security incidents - Question identifier38

To the best of your knowledge, who perpetrated the cyber security incidents in 2025?

Select all that apply.

• Incidents to disrupt or deface the business or organization or web presence
• Incidents to steal personal or financial information
• Incidents to steal money or demand ransom payment
• Incidents to steal or manipulate intellectual property or business or organization data
• Incidents to access unauthorised or privileged areas
• Incidents to monitor and track business or organization activity
• Incidents with an unknown motive
  • An external party
  • An internal employee
  • Supplier, customer or partner
  • OR
  • Do not know

Impact of cyber security incidents - Question identifier39

What were the methods used by the perpetrator for the cyber security incidents?

Select all that apply.

• Incidents to disrupt or deface the business or organization or web presence
• Incidents to steal personal or financial information
• Incidents to steal money or demand ransom payment
• Incidents to steal or manipulate intellectual property or business or organization data
• Incidents to access unauthorised or privileged areas
• Incidents to monitor and track business or organization activity
• Incidents with an unknown motive
  • Exploiting software, hardware, or network vulnerabilities
  • Password cracking
  • Identity theft
  • Scams and fraud
  • Ransomware
  • Other malicious software
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS)
  • Disruption or defacing of web presence
  • Abuse of access privileges by a current or former internal party
  • Other
  • OR
  • Do not know

Impact of cyber security incidents - Question identifier40

You previously indicated that your business or organization has cyber risk insurance. Did your business or organization attempt to make a claim on that policy after the cyber security incidents in 2025?

Select all that apply.

• Yes, we successfully made a claim against the business or organization's cyber risk insurance
• Yes, we attempted to make a claim against the business or organization's cyber risk insurance but were unsuccessful
• Yes, we attempted to make a claim against the business or organization's cyber risk insurance and it is still in progress
• OR
• No, we have not attempted to make a claim for any of the cyber security incidents

Impact of cyber security incidents - Question identifier41

How was your business or organization impacted by the cyber security incidents in 2025?

Select all that apply.

• Loss of revenue
• Loss of suppliers, customers, or partners
• Additional repair or recovery costs
• Prevented the use of resources or services
• Prevented employees from carrying out their day-to-day work
  What percentage of employees were prevented from carrying out their day-to-day work at some point in 2025?
  • Percentage
• Additional time required by employees to complete their day-to-day work
• Damage to the reputation of the business or organization or erosion of public trust
• Financial penalties or fines from Canadian regulators or authorities
• Financial penalties or fines from foreign regulators or authorities
• Discouraged business or organization from carrying out a future activity that was planned
• Minor incidents, impact was minimal to the business or organization
• Manipulation or theft of data or intellectual property
• Compromise of software or hardware
• Required to notify external parties of a breach
• Other
• OR
• Do not know

Impact of cyber security incidents - Question identifier42

As a result of cyber security incidents, approximately how many hours of downtime did your business or organization experience in 2025?

Include

• total downtime for mobile devices, desktops, and network;
• time periods during which there was either reduced activity or inactivity of employees or the business.

If precise figures are not available, provide your best estimate, rounded to the nearest hour.

• Hours
• OR
• Business or organization did not experience any downtime in 2025
• OR
• Do not know

Cyber security incidents reporting

Cyber security incidents reporting - Question identifier43

Did your business or organization report any cyber security incidents to a police service in 2025?

Include all levels of police service including federal(i.e.,Royal Canadian Mounted Police (RCMP)), provincial, territorial, municipal and Indigenous.

• Yes
  Which level of police service did your business or organization report to?
  Select all that apply.
  • Federal
  • Provincial
  • Territorial
  • Municipal
  • Indigenous
• No
• Do not know

Cyber security incidents reporting - Question identifier44

Which cyber security incidents did your business or organization report to a police service in 2025?

Select all that apply.

• Incidents to disrupt or deface the business or organization or web presence
• Incidents to steal personal or financial information
• Incidents to steal money or demand ransom payment
• Incidents to steal or manipulate intellectual property or business or organization data
• Incidents to access unauthorised or privileged areas
• Incidents to monitor and track business or organization activity
• Incidents with an unknown motive

Cyber security incidents reporting - Question identifier45

What were the reasons for reporting incidents to a police service in 2025?

Select all that apply.

• To reduce the damage caused by the incidents
• To lower the probability of other businesses or organizations being impacted by the same incidents
• To help catch the perpetrators
• To fulfill the requirements of customers, suppliers, partners, regulators, cyber security standards or cyber certification programs
• Other
  • Specify other reasons

Cyber security incidents reporting - Question identifier46

What were the reasons for not reporting some or all of the cyber security incidents to a police service in 2025?

Select all that apply.

• Incidents were resolved internally
• Incidents were resolved through an IT consultant or contractor
• To keep knowledge of the incidents internal
• To protect the reputation of the business or organization or stakeholders
• Did not want to spend more time or money on the issue
• Police service would not consider incidents important enough
• Police service was unsatisfactory in the past
• Unsure of where or how to report
• Reporting process is too complicated or unclear
• Did not think the perpetrator would be convicted or adequately punished
• Minor incidents, no value in reporting
• Lack of evidence
• Did not think of contacting a police service
• Incidents were reported to another government department, agency, centre, or regulator
• No requirement to report
• OR
• Business or organization reported all cyber security incidents to a police service in 2025

Cyber security incidents reporting - Question identifier47

Excluding police services, which other external party did your business or organization report the cyber security incidents to in 2025?

Select all that apply.

• Suppliers, customers, or partners
• IT consultant or contractor
• Cyber risk insurance provider
• Canadian department, agency, centre or regulator
  Which Canadian departments, agencies, centres or regulators did you report to?
  Select all that apply.
  • Office of the Privacy Commissioner
  • Canadian Radio-television and Telecommunications Commission
  • Competition Bureau
  • Innovation, Science and Economic Development Canada
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Spam Reporting Centre
  • Canadian Anti-Fraud Centre (CAFC)
  • Canada Revenue Agency (CRA)
  • Canadian Security Intelligence Service (CSIS)
  • Other
• Foreign department, agency, centre or regulator
• Industry association
• Bank or other financial institution
• Software or service vendor
• Cyber security employees at other businesses or organizations
• OR
• Business or organization did not report any cyber security incidents to external parties in 2025

Cyber security incidents reporting - Question identifier48

What were the reasons for not reporting some or all the of the cyber security incidents to an external party in 2025?

Select all that apply.

• Incidents were reported to a police service only
• Incidents were resolved internally
• To keep knowledge of the incidents internal
• To protect the reputation of the business or organization or stakeholders
• Lack of evidence
• No obligation or benefit to reporting
• Minor incidents, no value in reporting
• Did not think of reporting the incidents to an external party
• Did not know where to report cyber security incidents
• OR
• Business or organization reported all cyber security incidents to external parties in 2025

Cyber security incidents reporting - Question identifier49

In responding to the cyber security incidents in 2025, which external parties did your business or organization contact for information or advice?

Select all that apply.

• Suppliers, customers, or partners
• IT consultant or contractor
• Cyber risk insurance provider
• Legal services
• Police services
  Which level of police service did your business or organization contact?
  Select all that apply.
  • Federal
  • Provincial
  • Territorial
  • Municipal
  • Indigenous
• Canadian department, agency, centre or regulator
  Which Canadian departments, agencies, centres or regulators did you contact?
  • Office of the Privacy Commissioner
  • Canadian Radio-television and Telecommunications Commission
  • Competition Bureau
  • Innovation, Science and Economic Development Canada
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Spam Reporting Centre
  • Canadian Anti-Fraud Centre (CAFC)
  • Canada Revenue Agency (CRA)
  • Canadian Security Intelligence Service (CSIS)
  • Other
• Foreign department, agency, centre or regulator
• Industry association
• Bank or other financial institution
• Software or service vendor
• A cyber security information sharing community
• Other Internet community
• Friends, family, or acquaintances
• Computer repair shop
• Cyber security employees at other businesses or organizations
• OR
• Business or organization did not contact any external parties in 2025

Cyber security incidents reporting - Question identifier50
Did your business or organization report any attempted but unsuccessful cyber security attacks or intrusions to police services or other external parties in 2025?

Include all levels of police service including federal, provincial, territorial, municipal and Indigenous.

• Yes
  Which external parties did your business or organization report the attempted cyber security attacks or intrusions to?
  Select all that apply.
  • Police services
    Which level of police service did your business or organization report to?
    Select all that apply.
    • Federal
    • Provincial
    • Territorial
    • Municipal
    • Indigenous
  • Suppliers, customer or partners
  • IT consultant or contractor
  • Cyber risk insurance provider
  • Canadian department, agency, centre or regulator
    Which Canadian departments, agencies, centres or regulators did you report to?
    Select all that apply.
    • Office of the Privacy Commissioner
    • Canadian Radio-television and Telecommunications Commission
    • Competition Bureau
    • Innovation, Science and Economic Development Canada
    • Canadian Centre for Cyber Security (Cyber Centre)
    • Canadian Spam Reporting Centre
    • Canadian Anti-Fraud Centre (CAFC)
    • Canada Revenue Agency (CRA)
    • Canadian Security Intelligence Service (CSIS)
    • Other
  • Foreign department, agency, centre or regulator
  • Industry association
  • Banks or other financial institution
  • Software or service vendor
  • Cyber security employees at other businesses or organizations
  • Other
• No
• Do not know

Current cyber security trends

Current cyber security trends - Question identifier51

In 2025, what was the total value of ransom payments made by your business or organization?

• More than $0, but less than or equal to $10,000
• More than $10,000, but less than or equal to $50,000
• More than $50,000, but less than or equal to $100,000
• More than $100,000, but less than or equal to $250,000
• More than $250,000, but less than or equal to $500,000
• More than $500,000
• The business or organization did not make ransom payments in 2025
• Do not know

Current cyber security trends - Question identifier52

In 2025, what form of transaction did your business or organization use to make ransom payments?

Select all that apply.

• Cryptocurrency
• Gift card
• E-transfer
• Via a third party
• Cheque
• Credit or debit card
• Other
  • Please specify

Current cyber security trends - Question identifier53

In 2025, which external parties did your business or organization work with to address ransomware incidents?

Include all external parties your business or organization reported the ransomware incidents to.

Select all that apply.

• IT consultant or contractor
• Cyber risk insurance provider
• Police services
  Which level of police service did your business or organization work with?
  Select all that apply.
  • Federal
  • Provincial
  • Territorial
  • Municipal
  • Indigenous
• Canadian department, agency, centre or regulator
  Which Canadian department, agencies, centres or regulators did you work with?
  Select all that apply.
  • Office of the Privacy Commissioner
  • Canadian Radio-television and Telecommunications Commission
  • Competition Bureau
  • Innovation, Science and Economic Development Canada
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Spam Reproting Centre
  • Canadian Anti-Fraud Centre (CAFC)
  • Canada Revenue Agency (CRA)
  • Canadian Security Intelligence Service (CSIS)
  • Other
• Foreign department, agency, centre or regulator
• Industry association
• Bank or other financial institution
• Software or service vendor
• Other external parties
• OR
• The business or organization did not work with external parties to resolve ransomware incidents in 2025
• OR
• Do not know

Current cyber security trends - Question identifier54

In the case of ransomware attacks, does your business or organization have a rule or policy to not pay the ransom?

• The business or organization has a rule or policy to not pay the ransom
• The business or organization does not have a rule or policy to not pay the ransom
• Do not know

Notification of intent to extract web data

Notification of intent to extract web data - Question identifier55

What is this business or organization's website address?

We may also visit this business or organization's website to search for additional publicly available information using automated methods, being careful not to impede the functionality of the website.

• Website address