Banking institutions are the top targets of cybercrime, according to a report published Monday by Statistics Canada.

The Canadian Survey of Cyber Security and Cybercrime was conducted for the first time to measure the impact of cybercrime on Canadian businesses.

Canadian businesses reported spending $14 billion to prevent, detect and recover from cybersecurity incidents in 2017, which represented less than 1% of their total revenues,

The report found that 21% of firms suffered an incident that impacted their operations last year. Large firms were more than twice as likely as small firms to face attacks (41% of large companies compared with 19% of small firms).

The banking sector was the top target, with almost half (47%) of banking institutions reporting that they faced cyberattacks, followed closely by universities and the pipeline transportation sector.

Of those businesses impacted by a cybersecurity incident, 38% identified the motive as an attempt to steal money or demand ransom, 26% of businesses experienced incidents where hackers tried to access unauthorized areas, and 23% faced an incident where there was an attempt  to steal personal or financial information.

Canadian companies reported that they spent $14 billion in 2017 to prevent, detect and recover from cybersecurity incidents, according to the survey. More than half of this (approximately $8 billion) was spent on salaries for employees, consultants and contractors. Companies spent $4 billion on cybersecurity software and related hardware, with another $2 billion spent on other prevention and recovery measures.

Additionally, the report found that 24% of large businesses have liability insurance to protect against cyber security risks and threats. Most of these policies (82%) cover direct losses from an attack or intrusion, 72% cover business interruption and 66% provide coverage for third-party liability and financial losses.

Only about 10% of businesses that were impacted by a cybersecurity incident reported it to police in 2017, according to the report. Indeed, StatsCan says its data may involve some level of underreporting, because businesses are not always aware of cybersecurity incidents, or are unwilling to report them.

Data for the survey was collected from January to April from businesses with Canadian operations that have at least 10 employees, across all sectors. The sample included 12,597 businesses, and the response rate was 86%, the report says.