With cyber attacks steadily increasing in sophistication, frequency and magnitude, we must ask ourselves whether Canada is ready to meet the challenge these threats pose to our economy, national security and the overall wellbeing of Canadians. Unfortunately, when compared to the United States, the United Kingdom or Germany, Canada is clearly lagging in terms of cyber readiness.
This is in part due to a lack of Canada-specific data on the types of cyber attacks affecting the public and private sectors in this country. While the pending mandatory data breach notification provisions under the Personal Information Protection and Electronic Documents Act will likely help in this regard, the notification requirement will be limited to personal information and won’t cover cyber attacks involving the theft of intellectual property, trade secrets or other types of critical business information. Within this environment, it’s understandable that the public and private sectors have struggled to develop an effective and comprehensive cyber strategy.
Nevertheless, last month alone, several positive developments within the public and private sectors signalled a real effort to move the yardsticks on Canada’s cyber preparedness. The first was Prime Minister Justin Trudeau’s mandate to his minister of public safety to lead a review of existing measures to protect critical infrastructure — utilities, transportation, financial sector, telecommunications, etc. — from cyber threats. Shortly thereafter, the Canadian Council of Chief Executives announced that it was establishing the Canadian Cyber Threat Exchange, a member-funded, not-for-profit organization focused on helping Canadian businesses and consumers protect themselves against cyber attacks.
Another private-sector initiative was the Canadian Advanced Technology Alliance survey on how Canadian businesses are responding to cyber threats. The survey results will provide a useful benchmark for businesses to critically assess their cyber-security readiness. Finally, the Investment Industry Regulatory Organization of Canada just published a best practices guide to help the investment industry adopt a voluntary, risk-based cyber-security framework that emphasizes the need for preparing effective cyber threat response plans.
These developments are clearly all positive steps in the right direction, but they need to fall within a broader national framework.
In the meantime, Canadian organizations remain highly vulnerable to cyber attacks and the legal implications that follow. That is why corporate directors and officers must ensure their organization’s cyber defences are up and that the organization is ready to effectively respond, should a cyber attack occur. Neglecting these oversight responsibilities can very easily expose directors to litigation for breach of their fiduciary duties. This is particularly true now, as many new class action lawsuits are being launched in Canada over data breaches resulting from cyber attacks — a trend we anticipate will continue to grow in the coming years.
In an effort to ensure they meet their legal obligations to protect the data and information entrusted to them, organizations can and should take concrete steps to improve their cyber defences. Recognizing that a successful cyber attack can have a serious impact on an organization’s reputation, result in years of litigation and affect business continuity, including loss of revenue, the following steps can be quick-wins that any organization can implement:
Know Where You Stand: Map the organization’s networks and IT systems, including gaining a clear understanding of what the key business functions are, as well as where the organization’s critical data (i.e., the “Crown Jewels”) resides and how it is protected.
Deploy Cyber Monitoring: Build a cyber-monitoring team tasked with meeting regularly to assess threat levels, discuss how to address gaps and make recommendations to management and the board of directors. The team should include key legal, business and C-suite executive stakeholders.
Audit and Test: Cyber-security measures should be audited and tested on a regular basis, and the results should be regularly reported to management and the board. This ensures that the leadership team is aware of any potential cyber threats, understands the organization’s cyber-risk profile, can assess the effectiveness of current defences and is able to call for any necessary remedial steps.
Train Employees: Many cyber attacks are successful because employees did not receive appropriate cyber-security training. Employees need to understand the importance of protecting customer and business information and have a solid grounding in how to make good judgments when faced with a potential cyber threat.
Have a Cyber Attack Response Plan: Organizations have to expect that they will at some point be the victim of a successful cyber attack, with their network and data being compromised. The key to an effective response plan is to map out the key legal and business issues that will need to be addressed, how the organization will respond to each issue and who should lead and be accountable for each stage within the response plan.
As Canadians recognize that cyber threats within our connected society are the new norm, they can take some solace in the fact that the public and private sectors are taking steps to confront the problem. That said, the key question remains whether we will be able to develop an effective national cyber-security framework before the next attack compromises the personal information of Canadians, cripples our critical infrastructure or otherwise negatively impacts our economy.
Toronto-based lawyers Imran Ahmad, Marlon Hylton and Bernice Karn are members of Cassels Brock & Blackwell LLP’s cyber-security practice.