On April 27th, Foglers held a seminar entitled ‘Improving Your Organization’s Cyber Resilience’ with external guests Patrick Bourk, a veteran insurance coverage lawyer and specialty insurance broker, and Jason Kotler, the President of CYPFER, a full-service cyber security, ransomware and digital forensics company. This bulletin provides a summary of the key topics discussed during the event. A copy of the presentation is available for viewing
The Rise of Cyber Incidents
Cyber incidents affecting Canadian businesses are growing at an alarming rate, with increased sophistication, as more and more work and business transactions are conducted virtually.
A few high-profile cyber breaches capture media headlines, but the problem is pervasive. Almost one-fifth (18%) of Canadian businesses suffered cyber security incidents in 2021, according to StatsCan, mostly ransomware, business email compromise and malware attacks.
The Cyber Resilience Toolkit
In today’s cyber climate, an organizational cyber resilience toolkit is not a luxury. It is a necessity. Creating one requires a multi-faceted approach.
There are two main cyber resilience toolkit components that every business should consider developing and maintaining:
- an Incident Response Plan (IRP) – an organizational document outlining procedures, steps, and responsibilities, including notification requirements, when a cyber incident occurs; and
- a Written Information Security Program (WISP) – an organizational document highlighting the administrative, technical, and physical safeguards used to protect the security of an organization’s systems and information generally, including safeguarding the personal information under its control. WISPs are mandatory for public companies, and companies in some sectors, e.g., financial services, health care and telecommunications.
Another essential for businesses is cyber insurance.
In 2020, insurers regulated by the Office of the Superintendent of Financial Institutions (OSFI) suffered a 400% increase in loss ratio from the increased prevalence of cyber incidents. As a result, the Canadian cyber insurance market has hardened. Policy coverage requirements and exclusions are being reviewed with enhanced scrutiny.
Traditional property/casualty insurance policies – e.g., general liability, business interruption, fidelity and directors’ and officers’ liability insurance – are unlikely to meet organizations’ cyber incident needs. In the current insurance market, these policies will typically exclude cyber-related losses entirely. Where cyber-related losses are not excluded, coverage is often restricted to minimal third-party loss coverage, with no first-party loss coverage.
Cyber insurance, i.e., network security and privacy liability policies, offers organizations increased protection for first-party expenses, including:
- data breach expenses, including legal, forensic, and notification costs;
- network extortion payments and associated expenses;
- digital asset loss, including the cost of replacing or restoring corrupted data; and
- business interruption loss.
In line with market conditions, the underwriting process has become more rigorous. Coverage availability and insurability now require organizations to implement network security measures such as multi-factor authentication, endpoint detection and response solutions, and cybersecurity hygiene training regimes.
Breach response planning, including IRPs and WISPs, is often a prerequisite for cyber insurance.
Cyber Extortion & Ransomware Investigations, Negotiations and Settlements
Responding to cyber extortion requests can be overwhelming.
Resolving incidents effectively often requires external experts. They will engage with threat actors to (i) assess their legitimacy and demands, (ii) investigate the extent of locked or stolen data, (iii) develop negotiation strategies, (iv) manage the settlement process and (v) work to recover affected data.
To minimize vulnerability, organizations should:
- test and validate backups regularly;
- conduct system audits and user training;
- maintain IRPs and WISPs offline with advisors;
- maintain cyber insurance policies; and
- archive or delete unnecessary data.
Cyber Incident Reporting
Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), requires organizations to:
- report data breaches to regulators and individuals in certain circumstances; and
- keep records of all breaches.
Sections 10.1(1) and (3) of PIPEDA require organizations to report breaches of security safeguards to the Office of the Privacy Commissioner of Canada (OPC) and to affected individuals if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. Reporting must be completed in a prescribed form “as soon as feasible” after the determination of a breach.
Under section 10.1(8) of PIPEDA, a real risk of significant harm (“RROSH”) is assessed based on: (i) the sensitivity of the personal information (e.g., genetic and biometric data, financial information, religious beliefs), and (ii) its probability of misuse (e.g., accidental disclosure or malicious intent, the quantity of personal information breached).
Section 10.3(1) of PIPEDA requires all breaches of security safeguards to be recorded. The OPC may request access to, or a copy of, these records.
PIPEDA makes it an offence, punishable by a fine of up to $100,000, to knowingly contravene the RROSH breach reporting and mandatory record-keeping requirements.
Organizations must be especially cognizant of their privacy obligations regarding cyber incidents in light of Bill C-27. The proposed legislation subjects organizations to fines of up to $25,000,000 or 5% of gross global revenue for offences.
Cyber resilience presumes, rightly, that it is not a question of if but when and how your organization will suffer a breach of its cyber security safeguards.
The importance of proper security safeguards and a trusted team of expert advisors cannot be overstated. Industry reports show that strong incident response and resiliency plans lower an organization’s cyber security incident costs significantly.
For a cyber resilience check-in, please contact a member of our Privacy, Data Governance and Cybersecurity Group.
This publication is intended for general information purposes only and should not be relied upon as legal advice.