Cyber Security Risk Management in Canada: Nine Things Happening in 2017

In partnership with legal firm Miller Thomson LLP, we are taking a look at the key cyber security trends in 2017 that should be on every general counsel’s and risk manager’s radar.

The following is a quick overview of key security trends in 2017, with more details in the next section. If you’re interested in learning more about our risk management programs, email us at cyberrisk@fireeye.com or join us for a live event at the Vancouver Miller Thomson office on May 11 at 1:00 p.m.

1. Mandatory Data Breach Notification Is Coming

It is anticipated that regulations related to mandatory data breach notification, record keeping of breaches and fines of up to $100,000 for non-compliance will come into force later in 2017. This will require organizations to review existing policies or implement new internal processes for identifying and responding to data breaches.

2. Continued Growth in Cyber Security and Privacy Litigation

2017 will see continued growth of class action certification of cyber security and privacy actions and further reliance on torts such as “intrusion upon seclusion” and “disclosure of private facts”. Further, once the mandatory data breach notification requirement comes into force, it is anticipated that litigation in this area will increase.

3. Boards’ Oversight – “Business Judgment Rule” Should Prevail

Boards will increasingly be engaged in cyber security oversight by scrutinizing management’s strategy and plans to effectively identify, mitigate and respond to cyber threats. Boards will move from a passive oversight model (i.e., simply being informed about cyber risks) to an active oversight model (i.e., being engaged in an ongoing dialogue with management about cyber risks).

4. Vendor Management – Beware of the Weakest Link

Recognizing that hackers may use vendors to access and compromise the purchaser’s network, organizations will increasingly scrutinize vendors’ cyber security measures. Formal vendor management programs and robust contractual language related to cyber security will continue to be adopted by public and private sector organizations.

5. Accelerated Adoption of Cyber Insurance

Canadian organizations will increasingly turn to cyber insurance as part of their cyber risk mitigation strategy. However, care will need to be taken that they obtain the appropriate type of coverage based on their particular cyber risk profile.

6. Internet of Things – New Entryways for Cyber Criminals

The emergence of new technologies and the interconnectivity of devices come with inherent cyber security risks. As the trend increases, so must the proactive diligence of both manufacturers and consumers of “smart” technology.

7. Disruptive Attacks and Their Effects on Canadian Businesses

2016 saw an increase in disruptive attacks on small and medium-sized businesses. The results vary from reputational loss to large financial payouts. 2017 seems to be following suit, and proactive preparedness is the key to tackling these attacks and minimizing their impact.

8. Cloud adoption – How to Protect Your Data in the Wild

Canadian organizations are increasingly moving their operations to the cloud, ranging from services to data storage. Data safeguarding policies should be prioritized early in the adoption stages, and processes around incident response and investigations aligned with the cloud vendors.

9. Evolution of Financial Threat Actors – New Sophistication Observed

Attacker methodologies and techniques are evolving, and the financial industry is observing an increase in sophistication of attacks. Loud intrusions are being replaced by stealth, and organizations must evolve their protective controls and processes to account for the shift.

What to Expect in 2017

2016 saw an alarming number of public and private Canadian organizations become victims of malicious cyber attacks and data breaches. Hackers did not discriminate who they targeted – victims included financial institutions, universities, hospitals, government agencies, retailers and manufacturers. The techniques they used were both sophisticated and varied, ranging from ransomware (malware that encrypts data until the victim pays a ransom) to advanced persistent threats (deliberate attempts to break into a particular organization’s network). Unfortunately, 2017 is shaping up to be another busy year for hackers who show no signs of slowing down.

The following nine key cyber security trends in 2017 should be on every general counsel’s and risk manager’s radar.

1. Mandatory Data Breach Notifications Coming

In June 2015, the Digital Privacy Act was adopted. It introduced several key changes to Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Some of the changes that are anticipated to come into force this year include mandatory record keeping for all breaches, mandatory data breach notification, and significant penalties for non-compliance.

The mandatory data breach notification requirement, while not currently in force, will require organizations to give notice to affected individuals and to the Office of the Privacy Commissioner of Canada (the “Commissioner”) about data breaches in certain circumstances. Specifically, PIPEDA will require organizations to notify individuals and report to the Commissioner all breaches where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual”. These provisions will be brought into force once the regulations are finalized, which is anticipated to be in the second half of 2017. They are likely to increase an organization’s litigation exposure as a result of a breach.

The mandatory record keeping of all breaches of safeguards involving personal information under an organization’s control will require that organizations review existing processes or implement effective detection, reporting and tracking mechanisms to ensure compliance.

From an enforcement standpoint, violations of the breach notification or the record keeping requirements (e.g. covering up a breach, failing to notify or failing to keep records) can result in a fine of up to $100,000.

2. Continued Growth in Cyber Security and Privacy Litigation

Over the past five years Canada has seen an upward trend when it comes to litigation involving data breaches. Confidential personal and corporate information is at risk from a variety of threats, ranging from the exploitation of big data to clerical error, workers’ misconduct and criminal hackers. There are a number of common law and statutory tools available for victims to seek compensation in court following a breach.

At common law, Canadian courts, recognizing the rapid pace at which technology is evolving, have been receptive to recognizing new torts arising from cyber security and privacy breaches (e.g., intrusion upon seclusion, disclosure of private facts, etc.) that are being advanced by plaintiffs’ counsel. We anticipate this trend to continue and to see the existing torts being further tested by the courts.

In parallel, 2016 saw courts certify and approve settlements for a number of cyber security class actions (e.g., R. v. John Doe, Drew v. Walmart Canada Inc. and Lazanski v. The Home Depot). We anticipate this trend to increase given the upcoming breach notification requirements.

3. Board’s Oversight – “Business Judgment Rule” Should Prevail

In managing and directing corporate affairs, Boards have an obligation to protect corporate assets (e.g., proprietary information, customer data, goodwill and reputation). This includes overseeing the systems that management has implemented to identify, mitigate and respond to risks, including cyber risks.

As a general rule, Boards should focus on the following:

  • High-level understanding of the cyber risks facing the organization, which can vary based on the industry and operations of the organization.
  • Potential impact on the organization (e.g., litigation, reputational harm, business interruption, etc.) and mandating management to implement measures to mitigate and effectively respond to these threats.
  • Understanding and overseeing the systems (i.e., people, policies and controls) that the organization has implemented to identify, mitigate and respond to risks related to cyber security, in particular with respect to incident response.

When it comes to cyber security, the Board does not require detailed technological understanding. Directors are entitled to rely on management and external cyber security experts. Ultimately, the “business judgment rule” should apply to decisions regarding issues related to cyber security oversight, so long as directors abide by the core standards of care, loyalty and good faith that apply to Board decisions more generally.

4. Vendor Management – Beware of the Weakest Link

More often than not, hackers will gain access to an organization’s network by targeting a network-connected vendor who has weaker cyber security measures in place. Some of the largest data breaches were the direct result of hackers targeting vendors.

The most effective way to address this type of risk is by having an effective vendor management program (“VMP”) based on the following four key steps: (i) identify key vendors who have access to the organization’s network or data; (ii) identify an individual within the organization to liaise and oversee the relationship with the vendor (including compliance with cyber security requirements); (iii) establish guidelines and controls for vendor oversight; and (iv) exercise audit rights and/or verify maintenance of cyber security compliance certifications.

The most important part of vendor management is to ensure that the contract governing the relationship with the vendor clearly spells out cyber security expectations and specific obligations in this regard by the vendor (including the vendor’s obligations in the case of a breach). Moreover, organizations should not hesitate to regularly exercise audit rights or to verify the vendor’s compliance with any applicable cyber security standards (e.g., ISO 27001 or NIST).

5. Accelerated Adoption of Cyber Insurance

Globally, cyber insurance coverage has seen significant growth. In Canada, while the adoption rate has been slower, we anticipate the cadence to accelerate as organizations turn to insurance as part of their overall cyber risk mitigation strategy.

Broadly speaking, coverage under policies is typically divided into first party (i.e., expenses incurred in the immediate aftermath of a security breach) and third party (i.e., losses or damages caused to customers as a result of the incident).

That said, not all cyber insurance policies are equal and an organization should first assess its cyber risk profile and exposure. A clear understanding of where it stands on the cyber risk spectrum is critical in ensuring that an organization gets the right cyber liability coverage. This exercise will inform organizations when negotiating premiums about the services that should be included in the cyber policy.

While standard commercial general liability (“CGL”), errors and omissions (“E&O”), and directors and officers (“D&O”) policies may already provide some of this coverage, if an organization is not careful, there may be cyber-breach exclusions in those policies that may limit the type of assistance required to effectively deal with a cyber incident.

6. Internet of Things – New Entryways for Cyber Criminals

The continuous evolution of the Internet is often resulting in new technologies rapidly graduating from “niche” to “standard”, with interconnectivity and automation following suit. Smartphones are becoming the de facto control devices for a large number of components in our lives, and the number is growing.

Electronic locks, digital light switches, wireless thermostats, online baby monitors – how does cyber security fit in all this? Each new device being added to one’s network is a new door for cyber criminals to walk through. Unfortunately, companies trying to get a piece of the Internet of Things (IoT) pie are consistently forgetting to also include security controls required to protect these devices from being exploited by malicious actors.

A recent case illustrates the security challenges in the IoT world: cyber criminals exploited a security gap in the way Internet-connected teddy bears, CloudPets, store voice recordings of parents talking to their children. This lapse in data storage security controls allowed the attackers to gain access to hundreds of thousands of recordings and password-protected accounts, which were subsequently cracked due to the simplicity of the passwords. The stolen information was held hostage by attackers demanding payment from the parent company in order to return the data and not leak it publicly. In another case, a DNS hosting provider was hit by a large-scale Distributed Denial of Service (DDoS) attack, causing a wide-scale outage in online platforms such as music streaming, payment services, video game networks, and others. The attack used a number of compromised IoT technologies to form botnets, which were then used to overwhelm the DNS host with malicious traffic. The majority of the compromised IoT devices had minimal or no security controls in place. The list goes on.

The adoption of the IoT is set to continue. Signs of expansion into self-driving cars, smart fridges, microwaves, and other seemingly trivial parts of our lives are bound to continue providing attackers new entryways into our lives – how we keep those doors locked is what organizations must prioritize.

7. Disruptive Attacks and Their Effects on Canadian Businesses

Another trend that has been steadily increasing in the Canadian space, and one that Mandiant has been heavily involved in investigating and remediating, is the emergence of disruptive attacks against small- and medium-sized companies. These attacks are engineered by compromising organizations with advanced targeted attacks and stealing confidential information. The data is then used to extort the businesses into paying a ransom in order to receive their data back.

Attacks are not random, nor are they sloppy. The attackers spend a significant amount of time doing reconnaissance against the target, ensuring that the environment is immature from a security standpoint, and compromising systems weeks (if not months) before the extortion element. This gives the attackers an understanding of the victim network and where the crown jewels are. Once the initial reconnaissance portion of the attack is complete, a spear phishing campaign is initiated in order to break into the organization’s network, compromise privileged accounts and exfiltrate large amounts of data. The attacker then contacts company executives, demanding a bitcoin payment of $40,000 – $500,000.

In the past several months, an organized cyber criminal team falsely claiming to be the Tesla Team hacktivist group has been actively compromising a number of Canadian organizations by utilizing this extortion technique. The attackers utilized PowerShell to write their own malicious utilities, completely bypassing antivirus solutions. Stolen data was exposed via openly accessible websites, such as PasteBin and ThePirateBay, and each extortion case demanded anywhere between 100 and 500 bitcoins.

Some victim organizations opt to pay out the ransom, due to fears of reputational risks. Others go public and attempt to take on the breach with the assistance of dedicated Incident Response organizations.

Ultimately, the end results will vary, but one sure way of being prepared for such attacks is by proactively hardening your environment, conducting response readiness assessments, and maturing the cyber security program through development of industry leading policies, processes and skillsets.

8. Cloud adoption – How to Protect Your Data in the Wild

As organizations mature, so does their need for data storage and services. With the ever-increasing appetite for more room to store and process our data, companies are looking to the cloud as their solution. Some of these cloud services include Network as a Service (NaaS) and Platform as a Service (PaaS), as well as a myriad of HR and Payroll-related applications under Software as a Service (SaaS).

Adoption of cloud services often means trusting the cloud provider with a wealth of confidential information an organization may possess, such as Personally Identifiable Information (PII) and/or payment data. Mandiant has observed cases where attackers are creating malicious apps that utilize OAuth functionality to connect to the target’s cloud services, such as email and other resources. OAuth is a standard for authorizing the sharing of information between applications without sharing passwords. The victims are tricked via phishing emails into granting OAuth permissions to malicious apps, which provides attackers uninhibited access to potentially confidential information that can be further leveraged to compromise the target. So how does one ensure the data is sufficiently protected while in the cloud?
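As an added illustration (not code from the original post or from Mandiant), the following Python check reviews OAuth consent grants for the pattern described above: an unverified third-party app that a user has granted standing read access to mail or files. The record layout and field names are a constructed, provider-neutral format assumed for this example; a real tenant’s consent audit log would need a small adapter to this shape.

```python
"""Audit OAuth consent grants for the consent-phishing pattern.

Added example with a constructed, hypothetical record format; field names
are assumptions, not any cloud provider's actual audit schema.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Delegated scopes that give an app standing access to mailbox or file
# contents, the kind of data the post says attackers are after.
SENSITIVE_SCOPES = {"mail.read", "mail.readwrite", "files.read.all", "contacts.read"}
# offline_access yields a refresh token, so the grant outlives the phishing session.
PERSISTENT_SCOPE = "offline_access"


@dataclass(frozen=True)
class ConsentGrant:
    app_id: str
    app_name: str
    publisher_verified: bool
    granted_by: str            # user principal that clicked "accept"
    scopes: Tuple[str, ...]    # delegated scopes requested by the app
    admin_consent: bool        # True if an admin approved it tenant-wide


@dataclass(frozen=True)
class Finding:
    app_id: str
    severity: str
    reasons: Tuple[str, ...]


def assess_grant(g: ConsentGrant) -> Optional[Finding]:
    """Return a Finding when a grant matches the consent-phishing pattern, else None."""
    scopes = {s.lower() for s in g.scopes}
    reasons = []
    if scopes & SENSITIVE_SCOPES:
        reasons.append("reads mailbox/file content: " + ", ".join(sorted(scopes & SENSITIVE_SCOPES)))
    if PERSISTENT_SCOPE in scopes:
        reasons.append("offline_access grants a long-lived refresh token")
    if not g.publisher_verified:
        reasons.append("publisher not verified")
    if not reasons:
        return None
    # Unverified app + content access + persistence is the full pattern.
    # Admin consent widens the blast radius from one user to the tenant.
    score = len(reasons) + (1 if g.admin_consent else 0)
    severity = "high" if score >= 3 else "medium" if score == 2 else "low"
    return Finding(g.app_id, severity, tuple(reasons))


def audit(grants: List[ConsentGrant]) -> List[Finding]:
    """Assess a batch of grants and return findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [f for f in (assess_grant(g) for g in grants) if f is not None]
    return sorted(found, key=lambda f: order[f.severity])


# Constructed sample: a benign verified calendar app, a consent-phishing app,
# and a verified app whose broad grant still deserves a second look.
SAMPLE_GRANTS = [
    ConsentGrant("app-0001", "Team Calendar", True, "alice@example.ca", ("calendars.read",), False),
    ConsentGrant("app-0002", "Mail Cleanup Pro", False, "bob@example.ca",
                 ("Mail.Read", "offline_access", "Files.Read.All"), False),
    ConsentGrant("app-0003", "HR Sync", True, "carol@example.ca", ("Mail.Read", "offline_access"), False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f.severity, f.app_id, "; ".join(f.reasons))
```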

When crafting a third-party vendor agreement, attention should be paid to the safeguarding of the data that will be stored in the cloud. This includes vendors providing information on their security controls, authentication and data protection policies, and data handling processes. The vendor should also clearly define their breach notification criteria and protocols, and ensure that internal incident response processes are aligned with the organization. Ultimately, the agreement should stipulate what event data and logs are available to the organization, in cases where an incident response investigation involves cloud-stored data.

Cloud is here to stay, and the Canadian market is rapidly adapting to the trend. It is imperative that organizations understand that security in the cloud is a shared responsibility. Even though cloud vendors have a role in securing their portion of the agreement, organizations are responsible for both access management and protection of their data. Companies should take the necessary proactive steps to secure their most important data in the earliest stages of transitioning to the new platform, and ensure that data classification and segregation, loss prevention, and privileged account management are extended to the cloud environment.

9. Evolution of Financial Threat Actors – New Sophistication Observed

While targeted cyber attacks have been observed increasing in both aggressiveness and intensity, the techniques have largely stayed the same over the years. As such, defensive technology and processes have evolved sufficiently in order to appropriately detect and block such attacks. But a new wave of sophisticated attacks has been detected by security organizations in the last several years that indicates a shift in attacker methodology, especially in the financial industry.

The so-called “smash and grab” strategy is being replaced by carefully planned out attacks, which emphasize stealth over noise. Gone are the days of generic phishing emails being blasted to thousands of employees, referencing a postal service warning of a pending package being delivered with misspelled email attachments that clearly indicate malicious intent. Nowadays, advanced attacks begin with carefully crafted spear phishing emails targeting specific individuals within organizations. Additionally, instead of using generic off-the-shelf commodity malware, attackers are using custom scripting backdoors and persistence mechanisms designed to avoid detection and counter forensic investigations.

Raising the sophistication bar allows attackers to remain on systems for longer, collect larger amounts of confidential data, and siphon it out while minimizing detection. Ultimately, the line of finesse that used to separate financial attackers from state-sponsored attackers, blurred as it was, no longer exists, and organizations must be ready to face this new level of threat.

Streamlining intelligence-led incident response, threat hunting methodologies and security automation should be the priority for organizations hoping to match the sophistication level of these new attacks. Coupled with fundamental protection elements such as key application and network segmentation, continuous visibility and monitoring of critical systems, organizations should take proactive steps to protect their most precious assets.