Cybersecurity: 2017 Report & 2016 Reflections

What is a Cyber Event or Cyber Breach Event?

In 2016, "cyber" entered the mind of the general public and the boardroom more than ever before.

Cyber events occur on, or are conducted through, a company's computer network in an attempt to gain unauthorized access to, or to compromise the confidentiality, integrity or availability of, the company's information, communication systems or networks.

For the business community, cybersecurity incidents are intended to damage customer or stakeholder confidence, or financial, reputational, health or safety interests. These cyber incidents can affect an enterprise or group of commercial entities and their stakeholders. Preparing for cyber incidents has become an important risk-management focus for companies and their boards.

Cyber incidents are not restricted to ID theft or privacy breaches, and may also include things like:

- ransomware;
- distributed denial of service (DDoS) or local denial of service (LDoS);
- web defacement;
- physical or infrastructure harm (control devices harmed, e.g., Stuxnet);
- theft of trade secrets, intellectual property or insider information; and
- loss of data integrity.

Cybercrimes are often committed as a means to another end, typically to make money (theft of insider information from Wall Street law firms, in aid of criminal insider trading schemes; identity theft to compromise systems, or to perpetrate further commercial fraud such as bank and credit fraud).

In 2016, we saw non-commercial cyber incidents, such as "doxing", the publication of private information to the Internet (e.g., the Panama Papers information theft and disclosure, the Democratic National Committee email system information theft and disclosure, and cyber warfare attacks by national governments during regional conflicts in Estonia, Crimea, Ukraine, Syria, Egypt and Iraq).

Lessons Learned

Cyber breaches of 2016 have broadened our understanding of cybersecurity:

- Cybercrime is becoming multi-pronged and is no longer a matter of simple breach or theft events.
- Cybersecurity threat actors are becoming much more sophisticated. No longer are cyberattacks reserved for closet computer enthusiasts or the Anonymous movement.
- Organized criminal elements have adopted elements of IT network systems and of social collaboration and media (e.g., dark-web presence and sophisticated business methods, targeting, tools, and black markets for tools and stolen information). Cybercrime is being industrialized and scaled up at the social-network scale.
- Targets vary; while credit card information remains attractive, new focuses on healthcare, law firms and governments have emerged, with gambits like ransomware and extortion becoming common.
- Cyber incidents may be the first event in a chain of criminal activities of some sophistication.
- Unsophisticated analytical models are no longer useful in tackling either prevention of or response to cyber incidents.
- There is no activity more fruitful in avoiding cybersecurity risk than preparedness.

Next Steps

To combat cybercrime, you will need to:

- understand what information and systems your organization controls, and whether they are valuable targets;
- understand what can be done to harden your systems so that they are a less tempting target;
- prepare for a seemingly inevitable cyber incident by understanding what could happen, providing for early detection and response, and planning mitigation steps (such as an incident response plan, insurance coverage and response readiness);
- gain an awareness of local resources (law enforcement, IT response consultants, backup systems, external legal advisors); and
- become thoughtful about your information and your systems.

Training your people about risks and risk avoidance is one of the most important steps. Your people are your best "intelligence agents" to enlist to protect your information and systems.

Bennett Jones has assembled a team with the skills, experience, expertise and connections to help with cybersecurity preparedness, and with incident response and mitigation in the event of a cyber event. External legal counsel is an important element of your planning to deal with these types of problems.

Cybersecurity Governance: The Board's Role

When it comes to protecting your company's data, the most important place to start is the boardroom.

The cyberattack on Ashley Madison (the dating site for extramarital affairs) highlighted potential exposure for directors, should they fail to take reasonable steps to avoid and respond to an attack. The Joint Report between the Canadian and Australian Privacy Commissioners on the Ashley Madison breach does not expressly identify exposure for the company's directors; however, the report underscores that the standards expected of companies fall within the responsibility of the board.

The board's role in IT infrastructure matters is no different from its role in dealing with other risks in the business. The board's role is one of oversight. The directors do not need to be or become experts in cybersecurity or IT. The board can rely on management to design and implement the IT infrastructure; but the board should ask sufficient questions to be satisfied that the right issues are being considered and addressed. The failure of the board to take appropriate steps in relation to cybersecurity matters can expose the directors to liability.

Accordingly, directors should have a basic understanding of the company's IT infrastructure so that they can identify risks that the company faces and assess whether those risks are being addressed.

Assessing the Risks

The first issue for a director is to consider the nature and extent of the company's reliance on its IT infrastructure. A board should have a reasonable understanding of how the company acquires, uses and depends upon its IT infrastructure in its ordinary course of business. Based on that understanding, the next question is the impact that any degree of failure of the IT infrastructure may have on the company. The three key potential cybersecurity risks to the company may be categorized as follows:

- Business operational risk: interruptions in the company's business operations.
- Liability risk: for example, class actions from individuals whose information has been compromised; regulatory non-compliance risk (including Privacy Commissioners and securities and financial institution regulatory regimes, which impose requirements for the management and reporting of material security breaches and vulnerabilities).
- Reputational risk: harm to the company's reputation.

Conclusion

Technology is a fundamental aspect of business value and risk. The issues involved go well beyond technological ones to fundamental questions of governance and risk management.

Developing Trends in Cybersecurity Regulation in Canada

Navigating cybersecurity regulation in Canada (and elsewhere) has been a challenge for companies, as it is an area of continued growth and change. Staying abreast of regulatory developments is critical for companies in...
