|
Yula:
|
Sunny, we’re now into the second edition of the Blakes annual Canadian Cybersecurity Trend Study. What prompted us to start researching cyber incidents?
|
|
Sunny:
|
We noticed that our clients were experiencing breaches, and what we thought was this is starting to become more prevalent in the market. We wanted to get a better understanding of it. We wanted to make sure that we educated our clients. We found that creating these studies in other disciplines as well has proven very effective, so we started to look into it, and after a fair bit of hard work, we found that we were able to do something quite helpful.
|
|
Yula:
|
Now, the numbers from the study show that breaches are on the rise, particularly since COVID began. Is there anything our clients can do differently to mitigate the risks?
|
|
Sunny:
|
You can never guarantee that you won’t be breached. That is one thing that I think everyone who works in the cyber area knows and understands. The breaches are going to happen. What you can do is prepare yourself ahead of time, and that will help you mitigate the risks.
What we’ve seen over the past year is that ransomware attacks and other forms of attacks have increased, but the ransomware attacks have really increased. Not only in terms of their volume or number, but they’ve also increased in terms of their sophistication.
We’re seeing threat actors come into systems of companies’ months ahead of time, lay the groundwork, and then when they’re finished with that, they drop the malware, and they execute it and then they take it from there. And what that has the effect of doing is when the company is trying to recover backups, they may have been encrypted. When the company is, you know, trying to figure out what’s going on, how much should the ransom amount be that they will pay, they find out that the threat actor already has all of that information, and actually, you know, has profiled them by sitting there and monitoring their traffic internally. So, that is what I mean by the level of sophistication.
|
|
Mathieu:
|
Allison, the study shows that some industries have been more impacted by cyber incidents then others. Can you tell us more about that?
|
|
Allison:
|
Basically, all industries are at risk of a cyber-attack. In my experience, I’ve dealt with organizations from a variety of different industries. I’ve assisted non-profits, schools, professional-service firms, B2B manufacturers, amongst others. What it comes down to is an organization is more at risk if they don’t have a good security posture.
That being said, the impact of a cyber-attack isn’t felt uniformly. Typically, organizations in the health professional services and financial space are often more heavily impacted by a breach because of the information that they hold, which is typically personal information, confidential information, sensitive information
So, basically, an organization that holds thousands of individuals personal information, if they experience a breach will have to notify thousands of individuals and any appropriate privacy commissioner.
So, yes, some industries do feel the impact of a cyber-attack more than others.
|
|
Mathieu:
|
Tell me a little more about the nature of the incidents and the type of data that are most targeted?
|
|
Allison:
|
We’ve recently seen a huge rise in the number of ransomware attacks. This is incredibly significant.
In 2019, ransomware attacks comprised about 35% of the incidents that we dealt with, and then in 2020, it comprised just under 70%. So that’s almost double. And this is unfortunate and notable because typically ransomware attacks are the most devastating of breaches to an organization. They can really shut down a whole organization within minutes to hours.
And in terms of the data that’s most targeted, that would be personal information and confidential information because attackers can use this as leverage to increase ransom demands and also then sell on the dark web at a later date.
|
|
Yula:
|
Nicole, in last year’s study, the team reported that plaintiffs were meeting with mixed success in having privacy class actions certified. Has that been the same over the past year?
|
|
Nicole:
|
Yes, very much in 2019 and carrying into the first part of 2021. We’ve definitely seen a mixed bag again, certainly, some cases being certified, but also again, courts denying certification in cases, particularly where there seems to be an absence of damages.
That said, however, plaintiffs are not backing off. We’re continuing to see lots of privacy class actions being filed, and we expect that trend to continue, particularly as the privacy commissioner is ramping up its enforcement activity, and also if Bill C-11 passes, we expect that will fuel the trend as well.
One development I wanted to flag that didn’t make the presses for the cyber study, because it happened just this week, is that a majority of the Ontario Divisional Court actually ruled in a class action arising out of a cyber-attack, that an organization that has been the victim of a data breach can’t be held liable for intrusion on seclusion because in that scenario, they’re not actually an intruder — they’re the victim of a cyber-attack.
There may be further appeals coming out of that, and other types of claims are still going to be potentially available against organizations that have been victimized by cybercrime. That said, we see this as a positive development that will probably continue to fuel the trend of courts taking a hard look at some of these cases and trying to decide whether they should actually proceed.
|
|
Mathieu:
|
Alex, should individual directors and officers be concerned about personal liability for cyber incidents? How much are they exposed?
|
|
Alex:
|
So, Mathieu, I wish I could tell you that there’s absolutely no cause for concern on the part of directors and officers, and the news, honestly, isn’t all that bad.
Canadian common law has developed a very robust approach to the corporate veil, which certainly provides a degree of protection for directors and officers. But then again, in the U.S., we’ve also seen some claims framed as breaches of the fiduciary duty for a failure of oversight in relation to cybersecurity. So, for example, a plaintiff might allege that directors and officers didn’t exercise reasonable care and diligence in respect of a company’s approach to cybersecurity or a company’s association with a third-party vendor.
So, the good news, though, is that there are proactive measures that can be taken on the cyber-preparedness front. It’s very important for directors and officers to ensure that these issues are being discussed by the appropriate people in the company on a very regular basis. As we see in the study, this includes refreshing policies, being mindful about introducing new systems and processes, and ongoing training.
And so, on the issue of increased awareness, it was very interesting in the study to see that 40% of the publicly listed companies that were surveyed still don’t have a cybersecurity policy. Now, that’s a decrease from last year when approximately 60% had no such policy, but it’s still a pretty high number.
We also saw that only 17% of companies that indicated they maintained encryption protection measures for confidential and sensitive information, and only a third of companies indicated their employees participated in cybersecurity training and awareness programs. And these numbers should give directors and officers pause. Especially now that awareness of cyber threats is at an all-time high. Courts may once have been persuaded that they were emerging threats and directors and officers didn’t always need to be aware of them, but I can’t see that being the case now.
And so, while I’m not aware of an instance where a director and officer in Canada has been found personally liable for a company’s cyber breach, those claims are going to come. The claims themselves, they may or may not be successful, but directors and officers would be very well served to not just ensure the issues are being discussed and protocols are being implemented, but also to ensure that the steps are being properly recorded, which is, of course, a key step in litigation management that will protect not just the companies, but boards and management alike.
|
|
Mathieu:
|
When they call you, you must be able to sense how nervous they are about what’s my exposure in this?
|
|
Alexandra:
|
I can’t emphasize enough, Mathieu, how stressful a cyber incident will be for an organization. And often times, it’s the organization’s first foray into this type of crisis, and board and management are often tasked with multiple different roles, whether it be dealing with the media, responding to customers, responding to various stakeholders, regulators, law enforcement, etc. And so, it’s an extremely taxing endeavour at an organizational level. And so, your counsel’s job is to optimize your response from a number of different angles — mitigating liability, ensuring remediation, litigation management — in this inherently stressful situation.
The other thing that I would say about this is that our study found that only 23% of the organizations that we surveyed have a cyber-response plan. And those plans, while they’re not going to be able to make a cyber incident non-stressful — that’s not possible — they will mitigate that stress and significantly decrease costs in the right scenarios.
|
|
Mathieu:
|
Sunny, Allison, Nicole and Alex, thank you for your valuable insights and reminding us how important it is to be vigilant in a cyber world.
Listeners, for more information on our Cybersecurity group or to request a copy of our study, please visit blakes.com.
|
|
Yula:
|
Until next time, stay well and stay safe!
|
