Cybersecurity incidents are becoming increasingly common and disruptive. In the Blakes 2022 Cyber Trends Study, we identified that ransomware attacks continue to be highly prevalent, representing over half of the observed incidents in 2021. Further, ransom payments continue to rise, with payments over US$100,000 becoming increasingly common and many payments exceeding US$1-million. In nearly half of all cybersecurity incidents we surveyed, the attacker was able to exfiltrate data.
Cybersecurity incidents can result in many kinds of losses, including reputational loss, financial loss and regulatory and litigation risk, among others. To help avoid these costs, organizations should proactively take steps to prepare for an incident. They should also ask important questions about cybersecurity practices and policies, and identify their risk profile and create a plan to treat those risks.
Moreover, legislators and regulators are increasingly focused on the issue of cyber-preparedness. Recently, the House of Commons of Canada introduced Bill C-26, which would impose a series of cybersecurity-related obligations on designated organizations in four key federally-regulated sectors: telecommunications, finance, energy and transportation. If passed into law, operators designated by that law would be required to, among other things, establish, implement and regularly review a cybersecurity program, which must include steps to identify and manage organizational cybersecurity risk, and take steps to mitigate any cybersecurity risk associated with its supply chain or third party products. For a detailed discussion of Bill-C-26, please see our Blakes Bulletin: House of Commons Introduces Bill C-26: Proposed Federal Cybersecurity Legislation.
Outlined below are some key considerations to help organizations prepare for the increasingly high risk of a cybersecurity incident. The list is by no means exhaustive but aims to provide a useful framework as organizations turn their mind to cyber-preparedness.
1. Build a multi-faceted cyber response team
Organizations often think of cybersecurity as a “tech issue” and assume cybersecurity falls within the exclusive domain of its IT team. In reality, a multi-faceted team works hand-in-hand to respond to a cybersecurity incident. While the IT team plays a critical role in the response process, they must work in close collaboration with other teams within their organization. Depending on the nature and size of the organization, this may include human resources, legal, some members of the C-suite, the privacy officer, business continuity and communications.
Each team member should have a clear mandate and the right resources available to understand their role. Identifying the right person to contact in each team in the event of a breach will help streamline the initial response. Often, the leaner the team, the better.
We also recommend identifying vendors that will complement your internal team for additional support. These vendors should at least include a breach coach and a forensic firm.
2. Develop a cyber incident response plan
A cyber incident response plan provides organizations with a standard framework to assess and respond to cyber attacks. Although in practice the plan often cannot be followed exactly as drafted because of each incident’s unique set of circumstances, organizations that have gone through the process of developing a plan are better equipped to respond. This is because the process of creating a plan provides key cyber response stakeholders with a holistic understanding of: the different types and phases of cybersecurity incidents; the vulnerabilities and risk profiles of their organization; legal and contractual obligations; and the key decision points.
Tabletop exercises are beneficial because they allow team members to practice the plan. It allows team members to become familiar with their roles, the inter-relationship among team members and the cyber response plan itself.
3. Establish a data governance framework
To effectively protect and respond to cyber incidents, organizations first need to have a holistic view of data and IT infrastructure assets, including what are the organization’s key crown jewels. Data mapping gives organizations insights into the types of data they hold and where it’s stored. This information can be used to identify and assess risks, and to establish appropriate data governance policies and procedures to improve data security and compliance.
A robust data governance framework not only allows organizations to ensure they have visibility into their data inventory but also enables them to assess risks, vulnerabilities, and opportunities relating to data and IT systems as well as the related policies and procedures that govern the retention and processing of that data. Organizations should know what data they hold onto, where the data resides, why they are holding it and who has access to it. Answering these key questions is essential not only to be better prepared for a cybersecurity incident, but also for other privacy obligations.
4. Routinely audit and test security
Organizations should not only implement security controls directed at preventing, detecting and responding to cybersecurity incidents, but should also routinely test the effectiveness of these controls. While the specific controls that are appropriate will vary from organization to organization, some examples include:
-
Installing and continuously monitoring outputs from automated endpoint detection and response tools
-
Undertaking an internal risk assessment (at least annually) to assess the effectiveness of the organization’s technical and administrative information security controls
-
Periodically engaging external cyber experts to audit the organization’s information security position, preferably against industry or recognized standards
-
Routinely undertaking penetration and vulnerability testing
To the extent the IT team leads the organization’s cyber audit and testing, the IT team should ensure it shares findings with the legal and risk management teams so that they can effectively mitigate against identified risks.
5. Supply chain management
Organizations should be mindful of cybersecurity risks throughout their supply chain, including evaluating supplier’s information security capabilities and compliance (e.g., through supplier assessment questionnaires and review of independent assessments) and, where possible, consider including contractual language to account for risks identified through the vendor diligence process. Although specific considerations will depend on each agreement, at a high level these provisions concern cyber incidents and the associated liability, imposition of standards related to data security and handling that meet or exceed the organization’s own cyber practices, compliance with applicable privacy and cyber laws, and incident response obligations (including notification requirements) as well as the ability to audit the supplier’s compliance with its cyber commitments. Organizations should also be mindful of indemnities and limitations of liability related to cybersecurity risks.
6. Educate and train staff
The Blakes 2022 Cybersecurity Trends Study found that in more than one-third of observed incidents, phishing was the source of the incident. Human error is often an organization’s greatest vulnerability. It’s important to ensure adequate cybersecurity training of all employees, privileged users, administrators, and executives. Depending on access privileges, your organization can consider requiring different levels of training. Topics should include how to detect and avoid phishing and other social engineering cyber attacks, how to spot potential malware behavior, where to report possible security threats and how to follow company IT policies and best practices.
7. Obtain adequate cyber insurance
Although cyber insurance is not a perfect solution, it can help mitigate against the financial losses that result from a cybersecurity incident and some of the costs associated with responding to the incident.
Organizations should assess whether this type of insurance makes sense for their business. If so, organizations should make sure they are purchasing the right coverage for the nature, size and risk profile of their business. Not all policies cover the same costs and coverage amounts vary.
8. Get buy-in from the top
As businesses digitize, cyber risk morphs into enterprise-wide risk and should be managed at the highest levels of every organization. This means Board members should be aware of, and routinely updated on, cyber-related risks. Additionally, buy-in from the Board and senior leadership is critical in ensuring that the cyber teams have the adequate resources and tools they need, while fostering a strong cybersecurity culture.
Our team is available to assist organizations in assessing their risk profile and creating effective solutions to mitigate these risks.
For more information, please contact:
Natalie LaMarche +1-416-863-2734
John Lenz +1-514-982-6308
Ronak Shah +1-416-863-2186
or any other member of our Cybersecurity team.
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2024 Blake, Cassels & Graydon LLP