Mandatory Breach Reporting in Canada
Cyber security rules and expectations are changing
The rising risks associated with cyber breach in Canada
Canadian organizations admit they may not be fully prepared to meet the heightened expectations associated with the rising risks of cyber breach in Canada. In this environment, Board Directors and C-Suite should be keenly focused on not just ensuring their organization can weather the storm when the next breach hits, but that they can do so in a defensible manner that will minimize impact to their organization.
When it comes to managing the impact of cyber breaches, Canadian organizations have been comparatively lucky. Not because our companies are less prone to cyber-attack than their US counterparts: we are certainly not. But rather because, historically, Canadian companies have faced significantly lower costs, lower regulatory requirements and lower levels of litigation related to cyber breaches than their US neighbours.
The reality is that the US is currently one of the most expensive markets in which a company can experience a data breach. In part, this is because US legislation related to Personally Identifiable Information (PII) is among the most rigorous in the world and is widely viewed as the industry ‘gold standard’. But it is also because US firms have faced – and often lost – massive lawsuits related to data breaches.
Not surprisingly, US companies have invested heavily in cyber security capabilities, solutions and tools. According to some estimates, US-based financial services companies spent almost US$10 billion on cyber security last year.[1] The US government raised its own cyber security budget to US$19 billion for 2017, an increase of 35 percent over the past year.[2] Going forward, estimates suggest cyber security investments will top US$1 trillion between 2017 and 2021.
Canadian organizations have, until recently, avoided many of the costs, legislation and litigation suffered by their US colleagues. In fact, outside of Alberta, there is currently no specific legislative or regulatory requirement for Canadian organizations to notify individuals affected by a data breach. Current breach reporting ‘protocols’ (established by the Office of the Privacy Commissioner almost a decade ago) are voluntary. And, being characteristically Canadian, consumer litigation has also been slow to emerge.
A rising risk
Over the past year, however, these advantages have started to erode. And the risk for Canadian organizations has started to climb dramatically as expectations have changed.
The biggest change is on the legislative front. In June 2015, a new Digital Privacy Act (Bill S-4) was introduced, carrying some significant changes to PIPEDA, the current Canadian privacy act. At the time, the legislation stopped short of mandated breach notification, but these clauses are widely expected to be enacted in the fall of 2016, likely coming into force in 2017.
According to the new act, any organization that experiences a data breach will be expected to:
- Determine a “real risk of significant harm” to anyone whose personal information was involved;
- Notify individuals “as soon as feasible” if they face any “real risk of significant harm” to allow organizations to address containment and urgent issues;
- Report a breach with any “real risk of significant harm” to the Privacy Commissioner, as soon as feasible;
- Notify any third party that the organization experiencing the breach believes is in a position to mitigate the risk of harm; and
- Maintain a record of the data breach and make these records available to the Privacy Commissioner.
While the wording within the mandate may leave some room for interpretation, it is clear that Canadian organizations will soon face higher costs, more rigorous regulatory requirements and – as a result – heightened risk.
Changing expectations
Interestingly, the new Digital Privacy Act also requires organizations to implement and maintain adequate security processes for safeguarding not only financial information, but also personal information. In at least one instance in the US, a comparable requirement has allowed a regulator to sue a private organization over perceived cyber security gaps, particularly where it had made false assurances to customers about its cyber security practices. Many expect that it will not be long before Canadian regulators take similar actions on the back of Bill S-4.
Legislation is not the only factor raising the risk level around cyber breaches for Canadian organizations. Consumer expectations in Canada have also changed, driven largely by a keen awareness of the protections enjoyed by US consumers south of the border. Simply put, the bar for acceptable industry ‘good practices’ to proactively protect data, and to efficiently recover and notify victims after a breach, has never been higher. And it is only expected to rise. Organizations that fall behind these growing expectations risk increased litigation, reputational damage and consumer loss.
As a result, the number of lawsuits brought against Canadian companies has risen sharply over the past few years. Some stem from the belief that a company fell behind these industry ‘good practices’ in protecting customer data; others from the perception that it failed to follow industry good practices in its response once a breach was discovered.
Putting cyber at the top of the agenda
For Board Directors and Audit Committee members, the risks associated with cyber breaches should be front and centre on the quarterly agenda. The risks are clearly rising – not only as hackers become more sophisticated – but also as the fines, costs and reputational damages increase on the back of new legislation and heightened expectations.
The problem is that, according to our recent survey of Canadian CEOs, few Canadian organizations seem to think they are ready to deal with a cyber breach. Just 13 percent of Canadian CEOs said they were confident that they were fully prepared for a cyber event. Fewer than a third of respondents said they intended to invest further in cyber security solutions. Only around a quarter viewed cyber security as a ‘top risk’.[3]
While this data may (rightfully) cause some concern for Board and Audit Committee members, it is also worth noting that Canadian CEOs seem to be taking personal responsibility for cyber security. In fact, more than nine in ten respondents said they were personally comfortable with the degree to which mitigating cyber risks was part of their leadership role.
Finding a cyber defensible position
When we work with Boards, Audit Committees and Executive Teams to improve their cyber security stance and respond to changing breach requirements and expectations, we often focus on identifying and articulating the organization’s optimal ‘cyber defensible position’. Simply put, the ‘cyber defensible position’ is an achievable state in which the organization is protecting the assets most important to it and, in the event of a breach, can demonstrate proper cyber due diligence. That demonstration minimizes the impact not only of the hackers, but also of regulatory auditors and potential litigators.
There is no blueprint for creating the right cyber defensible position. There are no templates or worksheets. Rather, each organization will need to develop its own view of what is ‘defensible’ based on the various legislative, regulatory, industry and contractual requirements it faces. Multiple other factors influence the position: current external risk assessments, the organization’s risk appetite, existing capabilities and systems, and future growth ambitions, to name just a few.
Once the optimal cyber defensible position has been identified, Boards and Audit Committee members will then want to work with their executive teams to assess their current cyber position, identify and measure the gap, and then work towards creating an action plan that – within a reasonable timeframe – moves the organization towards achieving that cyber defensible position.
Reducing the impact of a breach
The key is in taking action. In fact, recent legal cases in the US have demonstrated that the courts are more lenient with organizations that are able to prove that they have identified their weaknesses and are working towards an improved standard of security at the time of breach.
In Canada, recent research suggests that the average cost of a data breach already tops $6.03 million.[4] Our experience tells us that achieving a cyber defensible position can significantly reduce these costs. Once the mandatory breach notification requirements of Bill S-4 come into play, these costs (and related savings) will climb.
The reality is that cyber criminals have evolved and aren’t just focusing on financial information: breach trends show an increased focus on Personally Identifiable Information (PII). PII is data that virtually every organization holds, and it is therefore at risk of cyber breach. As a result, virtually every company in Canada should be focused on assessing and improving its cyber security position. Whether you are protecting masses of personal health data or simply maintaining a small number of employee records, your organization could find itself facing significant fines and punitive damages if your cyber security is not up to expectations and regulatory requirements.
Boards, Audit Committee members and senior management should view the passage of Bill S-4 as a catalyst to improved cyber security and resilience. But we also believe that organizations will need to go beyond the letter of the law if they hope to properly manage their risks. Cyber security expectations continue to change and organizations will need to remain vigilant – of the threat and of public expectations – to survive.
This article originally appeared in the publication KPMG At Risk 2016. Republished with permission from the author.
[1] Cybersecurity Market Reaches $75 Billion in 2015; Expected to Reach $170 Billion By 2020, Forbes, December 2015
[2] Cybersecurity Market Report Q3 2016, Cybersecurity Ventures, 2016
[3] The race is on: 2016 Canadian CEO Outlook, KPMG in Canada, 2016
[4] 2016 Cost of Data Breach Study: Canada, Ponemon Institute LLC and IBM, 2016
The views expressed in this document are solely the views of the author(s). This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.