Managing cyber-risk

  • April 13, 2018
  • Shan Alavi

Risks, when left unchecked, can wreak havoc on unsuspecting individuals and organizations. This is particularly true of cyber-risk, and given the nascent cyber-risk insurance industry in Canada, the legal sector must learn to manage that risk with a combination of insurance and risk mitigation strategies. The principles of information technology strategy formulation and project risk planning can provide inspiration for understanding and managing the overall legal ramifications of cyber-attacks and data breaches.

While every Canadian business and organization faces some form of cyber-risk,[1] insurance coverage for it is relatively new and far from universal.

Cyber-risk, in its present form, presents a large challenge for underwriters because neither frequency nor severity is predictable. Metrics for cyber-risk are also in the early stages of development, and models have been difficult to construct because of the unpredictable human behaviour behind cyberattacks. Another challenge is that not everyone who has experienced a cyberattack is willing to report it, so disclosure is limited and insufficient.[2]

Commercial liability insurance has been most successfully used as a risk-transfer option in countries that have mandatory data breach notification laws. In the United States, 47 states have mandatory data breach notification requirements. These laws drive the purchase of commercial liability coverage because the cost of notifying affected individuals can be substantial.[3]

Something to watch out for is the reasoning in Columbia Casualty Company v Cottage Health System. Columbia sought to enforce an exclusion barring coverage for a data breach claim arising out of any

failure of an insured to continuously implement the procedures and risk controls identified in the insured’s application for this insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing.[4]

The use of such exclusions indicates that insurers lack confidence in their ability to underwrite cyber-risks and seek to shift those risks back onto the insured.[5] The practical lesson for an insured is that the controls described in an insurance application must actually remain in operation, and their operation must be documented, for the life of the policy; a control that lapses between application and claim is exactly what such an exclusion is written to catch. It has also been suggested that organizations in Canada have been reluctant to purchase cyber-insurance because Canada had no mandatory data breach notification requirement.[6]

All that changed with an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA), the first major amendment since the Act came into force in 2001.

As part of the introduction of mandatory data breach notification requirements, organizations will be required to maintain administrative, technical, and physical safeguards commensurate with the sensitivity of the information they hold. Every breach of these safeguards must now be logged,[7] regardless of whether it meets the threshold for reporting.

If a reasonable person would consider there to be a real risk of significant harm to an individual as a result of a breach of security safeguards, the organization is responsible for:

  1. Reporting the breach to the Office of the Privacy Commissioner of Canada;
  2. Notifying the affected individuals; and
  3. Notifying third parties that could help mitigate the risk of harm.

The legal test for a real risk of significant harm has two elements:

    Risk: the sensitivity of the personal information and the probability that it has been or will be misused.

    Harm: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.[8]

Suggested methodology for dealing with risks

With the new mandatory breach provisions coming into force in Canada, demand for cyber-risk insurance will increase substantially. As noted above, creating these kinds of insurance policies is no easy task, and it will be several years before effective policies are in place. In the meantime, what should organizations do? In the short term, I offer the following approach to managing these risks: insure some risks and mitigate others.

Using the risk assessment methodology in the Project Management Body of Knowledge (PMBOK), a globally accepted project-management standard, an organization and its legal team can identify top-level risks, rank them by probability and impact, and then choose the appropriate treatment for each.

This involves working with the client and obtaining detailed feedback on possible risks. Ideally, the assessment team is composed of the client’s IT personnel with network security backgrounds, financial accounting staff, and the online marketing team, so that the largest cyber-related risks to the organization can be identified from several perspectives.

Once risks are identified, the team weighs the probability of each one occurring and the impact if it does, and ranks the risks accordingly. Generally, lower-ranking risks can be handled with insurance policies.

Insurance coverage for larger risks may not be available in Canada. If that is the case, a mitigation strategy must be adopted. Most technical or network data breaches would be classified as high-weighted risks. To determine which technical or organizational aspects require improvement, one must examine the organization’s automation level. In the IT consulting context, determining an organization’s automation level is essential to understanding its IT and business strategy. Generally, this means answering the following questions:

  1. What is the integration level between customer relationship management software, supply chain management systems, and enterprise resource planning (ERP) systems?
  2. Where is your data kept? Is it cloud-based?
  3. What level of redundancy do you have for your critical data?
  4. Who are the custodians of this data?
  5. Have there been breaches in the past?
  6. Are you up to industry standard in network security?
  7. Is any data in the care of one individual on one device?
  8. Are there adequate employee computer use policies along with a network traffic monitoring system?

Answers to these questions reveal the technical and organizational limitations of the client’s information systems. Once the level of automation has been determined, an action plan must be created to close those gaps and improve the organization’s overall automation level. In the end, clients will have to truly meld legal, IT, and business strategy into one overall strategic vision.
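As an added illustration of the ranking and treatment steps described above (example code written for this page, not the author's own method or any PMBOK tool): a small risk register is scored as probability times impact on 1-to-5 scales, ranked, and each entry is given a treatment of insure, mitigate or accept. The register entries, the scales, the "large risk" threshold of 12 and the cost figures are constructed assumptions. The decision rule encodes the guidance in this section and the conclusion: lower-ranking risks go to insurance where coverage exists, larger risks are mitigated, and a risk whose control would cost more than the loss it prevents is insured if possible and otherwise accepted.

```python
"""Toy risk register using a PMBOK-style probability-and-impact ranking.

Added example, not from the article.  The register, the 1-5 scales, the
"large risk" threshold and the cost figures are constructed assumptions
chosen to illustrate the insure / mitigate / accept decision.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int        # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int             # 1 (negligible) .. 5 (severe), assumed scale
    insurable: bool         # is coverage for this risk available on the Canadian market?
    mitigation_cost: float  # cost of the control that would remove or reduce the risk (CAD)
    expected_loss: float    # estimated annual loss if the risk is left untreated (CAD)

    @property
    def score(self) -> int:
        """PMBOK-style risk score: probability times impact."""
        return self.probability * self.impact


LARGE_RISK_THRESHOLD = 12  # assumed: a score of 12 or more is a "large" risk


def rank(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact, then name, so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.name))


def treatment(risk: Risk) -> str:
    """Choose insure, mitigate or accept for one risk.

    Large risks are mitigated when the control costs no more than the loss it
    prevents; otherwise they are insured if coverage exists, else accepted.
    Smaller risks are insured where possible, otherwise mitigated if that is
    cost-effective, otherwise accepted.
    """
    worth_fixing = risk.mitigation_cost <= risk.expected_loss
    if risk.score >= LARGE_RISK_THRESHOLD:
        if worth_fixing:
            return "mitigate"
        return "insure" if risk.insurable else "accept"
    if risk.insurable:
        return "insure"
    return "mitigate" if worth_fixing else "accept"


def plan(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Ranked (name, score, treatment) rows: the register a legal/IT team would review."""
    return [(r.name, r.score, treatment(r)) for r in rank(register)]


# Constructed sample register for a small professional-services firm (assumed figures).
SAMPLE_REGISTER = [
    Risk("Ransomware on the document management server", 4, 5, False, 40_000, 120_000),
    Risk("Lost or stolen unencrypted laptop", 3, 4, True, 5_000, 30_000),
    Risk("Phishing of finance staff", 4, 3, True, 3_000, 25_000),
    Risk("Notification costs after a vendor breach", 2, 3, True, 15_000, 10_000),
    Risk("Outage of legacy intranet", 2, 2, False, 50_000, 8_000),
]

if __name__ == "__main__":
    for name, score, action in plan(SAMPLE_REGISTER):
        print(f"{score:>2}  {action:<8}  {name}")
```

Running the script prints the ranked register: the three risks scoring 12 or more are marked for mitigation, the vendor-breach notification cost (score 6, insurable) goes to insurance, and the legacy intranet outage is accepted because its control costs far more than the loss it prevents and no coverage is assumed. The threshold and the cost comparison are the two knobs a legal team would tune with the client's finance and IT staff.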

Conclusion

The legal industry faces a significant challenge with the emergence of big data, the increase in cyber-attacks, and regular breaches of personal privacy. Until insurance policies can be crafted with greater certainty, legal professionals must take inspiration from consultants, investigate areas that cannot be adequately serviced by current insurance agreements, and inform clients on how they can mitigate those risks. The role of legal professionals must evolve. Like consultants, they must determine a client’s weak points, fix the biggest weaknesses, and insure what risks they can with the most appropriate policies available in Canada. In some cases it may cost more than it’s worth to mitigate a risk, and an organization may simply have to accept it. In the end, risk management is sometimes about living with some flaws while working to fix or mitigate the largest areas of vulnerability. A lawyer’s role is to help weigh the risks of each course of action and recommend the best solution in the circumstances. As risks increase, so must our ability to advise and protect clients from the coming storm.

Shan Alavi is a privacy and technology lawyer and founder of Legal Minds Professional Corporation.

End notes

  1. David R. Mackenzie, “Data Risk, Privacy Breach and Insurance Coverage,” at page 6.
  2. Sarah Veysey, “Data scarce for insurers covering cyber risks.”
  3. Craig Harris, “Cyber 2.0.”
  4. Columbia Casualty Co v Cottage Health System, 2:15-cv-03432 (CD Cal 2015) at para 26.O.1.
  5. David Bisson, “Columbia v Cottage: Enforcing the ‘Mistake Exclusion’ in Data Breach Insurance.”
  6. Sarb Sembhi, “An introduction to cyber liability insurance coverage.”
  7. “PIPEDA 2.0 New Governance Challenges,” LexisNexis (webinar broadcast online, September 17, 2015).
  8. Ibid.