Employee AI use leads to surge in Canadian cyber breach costs 

By Alyssa DiSabatino | August 11, 2025 | Last updated on October 1, 2025

Canadian businesses are losing $6.98 million on average to data breaches, according to IBM’s latest Cost of a Data Breach Report. That’s a 10.4% increase, or roughly $308,000 from the previous year. 

Employees’ use of shadow AI — i.e. unsanctioned artificial intelligence — was found to be a top breach cost driver for Canadian businesses, says IBM. These ungoverned AI systems are more likely to be breached and “more costly when they are.” 

Although Canadian breach costs increased, the global average fell to US$4.44 million — the first drop in five years — due to faster breach identification and containment, driven by AI-powered defenses.  

Canadian industries in which cyberattacks most affect consumers are seeing the largest costs associated with a breach.  

Specifically, Canada’s financial sector leads breach costs at an average of $9.97 million per breach in 2025. That’s a 7.4% increase from $9.28 million in 2024, reflecting the high sensitivity and value of financial data for cybercriminals, IBM says.

Breaches in Canada’s industrial sectors cost an average of $8.39 million. These organizations have a low tolerance for downtime, which makes them easy targets for attackers, the firm says. (The figures in IBM’s report are in U.S. dollars, but the consulting firm also included a rough conversion to Canadian currency.)

Pharmaceutical breaches cost an average of $7.99 million. Incidents across this sector have the potential to expose intellectual property and delay treatments by impacting supply, says IBM. 

Fighting fire with fire  

The rise of unsanctioned artificial intelligence known as ‘shadow AI’ is a prime culprit in creating vulnerabilities and compliance issues for businesses, the report states.

“While the overall number of organizations experiencing an AI-related breach is a small representation of the researched population, this is the first time security, governance and access controls for AI have been studied in this report, which suggests AI is already an easy, high-value target,” the report said. 

Breach severity can be controlled, paradoxically, if companies fight fire with fire. For example, companies adopting additional AI security or automation measures lowered breach costs to $5.19 million. In contrast, organizations not using AI technologies to prevent breaches reported costs closer to $8.53 million.

One-third of Canadian businesses reported not having access controls on AI systems. 

Thirteen percent of organizations reported breaches of AI models or applications, while 8% of organizations reported not knowing if they had been compromised in this way. Of those compromised, 97% report not having AI access controls in place. 

As a result, 60% of the AI-related security incidents led to compromised data and 31% led to operational disruption. 

“This report shows that organizations using AI and automation are saving millions and detecting breaches much faster, but gaps in AI security and governance, like the use of shadow AI, are leaving businesses exposed to unnecessary risks,” said Daina Proctor, IBM Canada’s security delivery leader. “By investing in AI tools and building clear AI policies, companies can take control of their security and stay ahead of emerging threats.” 

AI can improve cybersecurity 

Organizations adopting AI and automation across their security operations centres are seeing significant financial benefits, IBM says.  

AI tools can automate manual cybersecurity tasks, including across threat detection and response. This allows security teams to focus on higher-priority initiatives. 

Security automation can also accelerate response times and reduce the impact of breaches.  

Organizations using these tools extensively reported faster breach identification. Their mean time to identify a breach was 118 days, compared to 162 days for organizations not using these technologies. 

For Canadian businesses looking to reduce the impact of costly data breaches, IBM makes a series of recommendations: 

  • Govern and secure AI systems: Develop policies to manage the use of AI, prevent shadow AI, and ensure compliance with privacy laws. 
  • Invest in security automation: Use AI tools to detect and contain breaches faster. 
  • Connect security of AI and governance for AI. Investing in integrated security and governance software can help organizations automatically discover and prevent the use of shadow AI. 
  • Expand employee training. Given the most common initial attack vector is phishing scams (which cost roughly $7.91 million per breach, a 24% increase from 2024), companies should strengthen security awareness programs to minimize human error.


Alyssa DiSabatino

Alyssa Di Sabatino has been a reporter for Canadian Underwriter since 2021, covering industry trends, market developments, and emerging risks.