Cybersecurity is one of the hottest issues facing companies and organizations in Canada today. Despite this, many are still not equipped with a cybersecurity plan, and few resources are available that analyze cyber activity in Canada’s marketplace. To fill this gap, Blakes pioneered the annual Canadian Cybersecurity Trends Study, now in its third year.
Below are five key takeaways from our study that were covered in a recent Blakes webinar:
Increase in Cyberattacks. The number and destructiveness of cyberattacks increased dramatically in 2021. Threat actors continue to evolve their methods, with the types of threats changing monthly. This means organizations must stay vigilant in updating their cybersecurity policies and educating employees about cyber-awareness.
Ransomware Attacks. Ransomware attacks continue to be the most common form of cyber crime. In a typical ransomware attack, a threat actor will encrypt an organization’s system, rendering it useless, steal the organization’s data and demand payment in exchange for a decryption key and a commitment to delete, and not publish, the stolen data. Our study found that in ransomware attack situations, 56% of organizations chose to pay the ransom. The amounts of these ransoms are also increasing — in 25% of cases, the ransom paid was over US$1-million.
Reporting Requirements. Mandatory breach-reporting requirements currently exist under federal privacy legislation and in Alberta under provincial law. Quebec’s reporting requirements are coming into force in September 2022 and will impose monetary penalties for non-compliance of up to C$10‑million or 2% of an organization’s worldwide turnover.
Litigation Trends. Privacy class actions are on the rise, but they are proving a challenge to certify. Courts will not accept general anxiety and distress over hacked personal information as a basis to award damages. Hackers, however, should be worried. In a recent precedent-setting case, a Canadian hacker was sentenced to nearly seven years in prison for orchestrating large-scale ransomware attacks and had to pay C$2.8-million to his Canadian victims.
Cybersecurity Due Diligence. Cyber due diligence is a critical step in mergers and acquisitions today. It should start with looking at the nature of the target’s operations, its cyber sophistication, the transaction value, the data at issue, the timeframe and the potential liability. The process should also include an examination of applicable laws, an analysis of the target’s IT infrastructure and an evaluation of its cybersecurity policies and practices.
© 2024 Blake, Cassels & Graydon LLP