Cybersecurity, business continuity: Five insights for Canadian companies
Wednesday, July 15, 2020 @ 12:52 PM | By Catherine Beagan Flood, Sunny Handa and Imran Ahmad
|Catherine Beagan Flood|
The potential effects to businesses resulting from a major cybersecurity incident can include financial loss, operational disruption and reputational harm, not to mention lengthy regulatory investigations and litigation.
Surprisingly, however, few companies have in place the internal cybersecurity policies and plans to help them combat this rampant threat.
A key factor in being prepared for a cybersecurity incident is to familiarize oneself with the types of cyber threats that organizations face. Unfortunately, there is a shortage of current and reliable Canada-specific data when it comes to the types of cyber threats, their frequency, impact and other indicators that assist organizations in preparing for a potential cybersecurity incident.
To gain a clearer understanding of the cybersecurity risks, the Cybersecurity team at Blake, Cassels & Graydon LLP recently launched an inaugural Canadian Cybersecurity Trends Study on the latest trends and issues related to cyber incidents. The study covers cybersecurity incidents, privacy breaches and cybersecurity-related disclosures by public companies and is based on a survey of cybersecurity forensic firms that responded to more than 250 cybersecurity incidents across Canada, a review of publicly released data by the federal, Alberta and British Columbia privacy commissioners’ offices, and a review of various public-disclosure documents (e.g., annual report, annual information form, management discussion and analysis, management information circular and final long-form prospectus) of the 790 corporate issuers listed on the Toronto Stock Exchange for cybersecurity-related disclosure statements.
Here are the five key findings from the study:
1. Although anyone can be a target, cyber criminals appear to be focusing on organizations that store sensitive data, such as financial, health and professional services firms. These industries are highly regulated, and a major cybersecurity incident can trigger significant reporting obligations to affected individuals and regulatory bodies, not to mention class action proceedings. Critical infrastructure is also at higher risk since an attack of this nature could lead to a widespread shutdown of vital operations.
2. Ransomware (35 per cent) and compromised business e-mail (24 per cent) continue to be the biggest risk to organizations. Cyber criminals often threaten to publish the victim’s data unless a ransom is paid, and more than 53 per cent of targeted organizations are opting to pay the ransom. Of those that opted to pay a ransom, approximately 70 per cent of ransoms paid were less than $100,000. These payments are often made via bitcoin payment, a digital cryptocurrency that allows the hackers to remain anonymous. It is noteworthy that in many instances, following “negotiations” with the hacker, the ransom amount paid is often lower than what the hackers had initially demanded. However, the quantum of the ransom amounts being demanded and paid is rising.
3. Organizations that suffered a cybersecurity incident reported that the primary impact on their business was: operational disruption (33 per cent), financial loss (25 per cent) and impact on relationships with customers and business partners (21 per cent). Despite this, statistics show that only 41 per cent of publicly listed companies have a policy addressing cybersecurity, and even fewer (10 per cent) have specific cyber insurance.
4. The ongoing challenge with cyber incidents is that the technology and techniques employed by cyber criminals continue to evolve. Regardless of ongoing efforts to be proactive and prevent or minimize cyber incidents, the stark reality is that cyber criminals continue to innovate.
5. Though slow moving, cyber-related litigation is ramping up. Since 2012, there have been several privacy class actions certified in Canada, particularly in Ontario, British Columbia, Alberta and Quebec. It’s expected that claims against both organizations and their representatives, potentially including directors and officers, will continue to increase.
Catherine Beagan Flood is an experienced litigator at Blakes and acts as defence counsel and breach coach for clients experiencing a data breach or cybersecurity incident. Sunny Handa leads the technology and communications law groups at Blakes. He advises on a range of issues including privacy issues, data retention and data handling. Imran Ahmad is a partner at Blakes, whose business law practice specializes in technology, cybersecurity and privacy law.
Photo credit / Andreus ISTOCKPHOTO.COM
Interested in writing for us? To learn more about how you can add your voice to The Lawyer’s Daily, contact Analysis Editor Peter Carter at firstname.lastname@example.org or call 647-776-6740.