Page 24 - CCCA 259155 Magazine_Winter 2016

{ FEATURE }





INSURING THE INEVITABLE


In-house lawyers should make sure their organization has a cyber security insurance policy that covers their risk, says David R. Mackenzie, an insurance and cyber security lawyer at Blaney McMurtry LLP, who tracks developments in cyber security insurance. He says the insurance market covering cyber breaches is “getting more traction,” and policies cover a wide range of things, from ransomware to denial of service attacks, which is when a website is bombarded with junk traffic and effectively shuts down.

However, he warns, not all policies are equal and the insurance can be complicated. The policy language is also quickly evolving, as insurers learn more about coverage risks.

He says the problem with a cyber breach is not just lost information or stolen money. It's the aftermath and clean up. A 2016 Ponemon Institute study says it costs Canadian organizations an average of $278 for each stolen record, and a typical incident ranges between $5.3 and $6 million—a number that keeps rising. “All sorts of people have to be involved in fixing it and making sure it doesn't happen again,” he observes.

“You will never be able to eliminate risk,” Mackenzie notes, but by building a strong security culture backed by policies and procedures that people follow, a company can reduce risks. “Know your business, know your risks and deal with them the best that you can.”




say they never talk to the head of the IT department about data security issues.

Those figures concern cyber security expert Dan Tobok of Cytelligence Inc. in Toronto. “They need to have a breach response plan,” says Tobok, who investigates between 25 and 30 cyber security breaches per month.

Securities regulators are now taking aim at cyber security. Louis Morriset, Chair of the Canadian Securities Administrators, said in a September statement that his organization “has identified cyber security as a priority.”

“Cyber security has evolved considerably” since the CSA issued its last notice on the topic in 2013, he says, adding, “Attacks have become more frequent, complex and costly for organizations.”

“It is crucial for us to improve collaboration and communication on cyber security issues with market participants. We want to ensure they are aware of the challenges, have a sufficient level of preparedness and are as resilient as possible against cyber risks.”

Securities commissions are now reviewing cyber security risk disclosures from large, publicly traded companies and are meeting with some issuers “to get a better understanding of their assessment of the materiality of cyber security risks and cyber attacks,” the CSA said. The focus is on:

● cyber security risk assessment and information security governance programs;
● IT safeguards and controls;
● use of encryption;
● risks related to third-party service providers;
● vulnerability tests and compliance monitoring;
● evidence of regular employee training and awareness;
● incident response plans; and
● practices for accepting client instructions to withdraw or transfer funds via electronic means.

Kirsten Thompson, who leads the cyber security, privacy and data protection group at McCarthy Tétrault LLP, says the CSA’s move “tells me that issuers aren't getting the message. Cyber security is a fairly new risk factor that needs to be disclosed.”

She warns, “You can't take a check-box approach. There’s a tendency to shove this off to the IT group. This isn’t solely an IT issue.”

As cyber risk moves to the top of the corporate agenda, expect a cyber security tsunami to wash over industries, with corporate boards and senior management asking tough questions about the state of their company’s readiness. It is likely that much of the heavy lifting in terms of developing better breach response plans and preparing policies and procedures to combat cybercrime will fall on the shoulders of the legal department.

So it is time for in-house lawyers to brush up on their cyber security risk knowledge. Here are nine essential things to think about as you embark on your cyber risk journey.

1 NO ONE IS IMMUNE

Gillian Stacey, a lawyer at Davies Ward Phillips & Vineberg who deals with technology issues, says clients tell her all the time that they don't collect consumer credit card information or personal information about clients, so they don't need to worry about cyber security.

“If you have employees,” she observes, “you have personal information.” Moreover, “there isn't a business today that can run without technology. Every business is reliant on technology to one degree or another.”

Laureen Seeger, General Counsel at American Express Company, warns on a recent podcast, “Everyone has something of value that you don't want your competitors to possess.” Cyber sleuths covet things like customer lists, intellectual property and new product information.

2 FIGHTING CYBERCRIME IS A TEAM SPORT

Cyber security is not simply the purview of IT or something that can be dumped on the legal department alone to address. Rather, it is an enterprise problem. Lawyer Karen Burke, Enterprise Chief Privacy Officer at BMO Financial Group, says, “For us, cyber security management is a team sport. You need to have the right perspective and expertise.” That means building a team of in-house experts featuring legal, IT, HR, privacy and communications, as well as external advisors to call upon in the event of an incident.




24 CCCA MAGAZINE | WINTER 2016 HIVER