Cybersecurity is increasingly making the headlines, particularly following incidents involving leaks of personal or sensitive information, or the paralysis of all or part of an organisation's operations.
Thus, the issues surrounding cybersecurity go well beyond the realm of technology alone. It is therefore essential that executives, who are accountable for cybersecurity, treat it as such when making strategic business decisions.
To do so, every business executive must have a minimum understanding of the subject and hold the answers to essential questions such as:
- What are the critical assets that my organisation's operations depend on?
- Where are these assets located and who has control over them?
- How can I assume my responsibilities over information technology governance?
- What regulatory and contractual obligations must I assume?
- What are my partners' and customers' requirements?
- What requirements do we impose on our suppliers?
- What security controls must be in place and what assurance do I have about their effectiveness?
Despite all the resources put into cybersecurity, risks cannot be ruled out. Therefore, it is of paramount importance for Management to know whether the organisation is prepared to deal with a cyber incident.
Recent events have raised awareness among a growing number of managers, who now realise that cybersecurity has become a major concern.
However, there is still a long way to go before cybersecurity becomes a tangible component of organisational culture in Canada. This is evidenced by the fact that cybersecurity is still too rarely discussed at the Board and Executive Committee level.
And yet the responsibilities of Senior Management with respect to cybersecurity do exist, particularly with respect to the protection of personal information.
This is specifically what Jean-François De Rico, legal counsel, partner and member of the Langlois law firm Executive Committee, spoke about at the Conference Forensik 2019 and on Forensik’s INTRASEC cybersecurity channel podcast.
Reporting obligations in the event of a cybersecurity incident
Even though Canada, and the province of Quebec in particular, does not yet have a legislative arsenal as binding as the one in force within the European Union under the General Data Protection Regulation (GDPR), a movement is underway to increase the accountability of organisation leaders.
Thus, the Canadian legislator has undertaken to revise the Personal Information Protection and Electronic Documents Act (PIPEDA). It is now mandatory for organisations subject to federal law to disclose cybersecurity incidents involving personal information.
Not only must organisations disclose such an event to the Office of the Privacy Commissioner of Canada, they are also obliged to notify all individuals whose personal information was involved in the breach. This applies to any situation where it is "reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual".
According to PIPEDA, such serious harm includes not only identity theft but also bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, negative effects on the credit record and damage to or loss of property.
Whether the risk is real depends on the sensitivity of the personal information involved in the breach and on the probability that it will be used with malicious intent.
This requires investigating and understanding the origin of the incident, by determining:
- the type of attack;
- whether it was deliberate or accidental;
- the targeted assets;
- the perpetrator;
- the perpetrator’s motive and intent to target the organisation or the individual.
When considering the consequences, the attack may result in a loss of information confidentiality but also in a loss of integrity (which might lead to harmful decisions, for example) or a loss of availability (in the case of ransomware or denial of service attacks).
In addition to the general reporting rules, organisations may also be subject to specific requirements set forth within their industry.
For example, federal financial institutions in Canada must report any cybersecurity incident to the Office of the Superintendent of Financial Institutions (OSFI) as soon as possible, and no later than 72 hours after determining that the incident met one of the established severity criteria.
For its part, the Autorité des Marchés Financiers (AMF) expects financial institutions to inform it and the persons concerned of any breach of the confidentiality and protection of the personal information that they hold.
As mentioned earlier, it is a safe bet that this reporting obligation in the event of a cybersecurity incident will soon be extended by the legislator to all sectors of activity.
In all cases, proactivity and transparency are to be preferred.
So you have to prepare now!
What are the risks of a cybersecurity incident?
While organisations have never been more dependent on information and technology, it is clear that cybersecurity incidents can have a major impact on their operations.
These risks are financial and reputational, and may also include legal action on the part of the authorities, affected clients or wronged partners.
To minimise the risks arising from an incident, Management will need to demonstrate to stakeholders that it acted prudently and was not negligent, in order to retain the trust placed in it.
All these efforts should not be viewed as a pure loss or as a simple matter of compliance. Beyond a more effective response to an incident, sound management of information security is likely to generate opportunities and allow the organisation to stand out in an increasingly competitive market, in an era in which public tolerance for breaches of personal information is shrinking.
How can it be done?
Proactivity is the key. It is obvious that one should not wait for the occurrence of an incident to act.
First, the CEO must appoint an internal or external information security officer. The same person may also assume responsibility for the protection of personal information.
The important thing is that the security officer has direct access to Management. Ideally, he or she should sit on the Executive Committee in order to understand the needs and objectives of the organisation, advise the committee members, answer their questions and report on the organisation's cybersecurity posture. His or her responsibilities would include:
- the establishment of an Information Security Management System (ISMS) relying on recognised standards such as ISO/IEC 27001, and eventually obtaining a security certification to demonstrate sound cybersecurity management to stakeholders;
- the definition and upkeep of a plan for dealing with information security and privacy risks;
- the continuous improvement of the organisation’s ISMS.
Thus, with the support of its leaders, the organisation would gain numerous benefits, such as:
- a better understanding of the information that it holds and of its risk posture;
- the implementation of technical and organisational protection measures adapted to its needs and the risks that it is exposed to;
- management indicators to ensure that the security measures in place are adequate for its legal obligations and contractual requirements.
As a result, the likelihood of a cyber incident is reduced and, should one occur, the organisation's readiness to respond lessens its consequences.
To find out more and to discover our various support services, contact us!
Contributors: David Henrard and Claude Perreault