Canadian organizations should look beyond country’s borders to see where cyber security regulation could go

By Canadian Underwriter | May 22, 2015 | Last updated on October 30, 2024

Canadian organizations currently have it “fairly easy” with respect to cyber security regulatory requirements, but should expect that at least some of the changes now unfolding elsewhere will eventually become part of this country’s landscape, it was suggested during the ARC Group Canada Spring Seminar 2015 in downtown Toronto Thursday.

“I think, in the nicest possible way, Canada’s got it fairly easy right now,” said Paul Hanley, partner and national cyber security leader at KPMG Canada. There are currently not many demands that “you must do this or you have to do this or you must respond in this timeframe,” Hanley told attendees. “This is how the U.K. and Europe were, say, 10 years ago.”

But Hanley’s view is that, overall, security regulation requirements are increasing. Canadian organizations wondering where cyber security-related requirements are headed would do well to look beyond Canada’s borders, he said. “One of the pieces of advice I always have is look at what’s happening in the rest of the world because there’s a good chance it’s going to be happening here,” he suggested.

“It is interesting seeing the difference between Canada and the rest of the world, in particular Europe,” Hanley told attendees.
As one example, he cited the upcoming requirement in Europe under which a privacy breach by an organization could result in a fine of 5% of global revenues. “Now, 5% of global revenues is, for most organizations, a fairly big game-changer,” Hanley said, reporting that this is really focusing the attention of the organizations with which he deals.

Those who think the new rules have nothing to do with them should think again, he advised, pointing out that the legislation applies to an organization with even a small office or entity within Europe. “If you have a major data breach and those people’s details are compromised, this will be applying to you,” he said plainly.

A memo issued in October 2013 by Canada’s Office of the Superintendent of Financial Institutions (OSFI) offers guidance on cyber security self-assessment. “Cyber security is growing in importance due to factors such as the continued and increasing reliance on technology, the interconnectedness of the financial sector, as well as the critical role that federally regulated financial institutions (FRFIs) play in the overall economy,” the memo notes. “OSFI thus expects FRFI senior management to review cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks.”

Although OSFI noted at the time that it did not plan to establish specific guidance for the control and management of cyber risk, the memo added that “OSFI may request institutions to complete the template or otherwise emphasize cyber security practices during future supervisory assessments.”

Hanley explained to seminar attendees that the quantity of information held by organizations is increasing, adding that the typical trend is “the sheer quantity of information is going up by about 56% each year.” Those kinds of numbers make it clear that steps should be taken now to secure information, he emphasized.
“Our view is always to deal with it now; don’t let it fester,” Hanley said.

Although “typically, security risks are getting higher across all sectors,” he said there are some positives, including that security is now being seen as a board-level agenda item, funding is now being made available to address the risks, and organizations are now seeking a defensible position.

Another positive relates to threat intelligence. Twenty years ago, competitors would never share information, Hanley said. “What we’re seeing is a massive intake of organizations working collaboratively. Yes, they may all be competitors, but they will work together to try and defeat the bad guys,” he said, citing banks.

Of course, there are some continuing challenges with regard to cyber security. “Often the security function is operated independently of the business, so it doesn’t align itself to the business,” Hanley pointed out. “Good security teams will align themselves with the business. They will understand what the business strategy is and they will then align their security strategies,” he said.

It also helps to build a defensible position. Hanley said that an organization should understand what its risks are, needs to conduct the right sort of security review and needs to complete an assessment based on the information found. “Then that allows you to start making your decisions about where you actually want to be,” Hanley said. Once risks have been determined, decisions can then be made to accept a particular risk or to take steps to remediate that risk, he explained to attendees. “If you take this approach, typically you won’t have gaps. Typically, it will force you into getting security right in the organization,” Hanley suggested.
His recommendation would be that a company be able to show it followed best practice, had external experts review things, had good technical controls in place, had good patching and did cyber breach exercises, basically everything that it thought it could do. “If you do that, I think that will significantly help you in a number of areas,” he suggested, such as avoiding fines from regulators and government entities, reducing backlash from customers and even receiving less attention from media. “If you build your defensible position right, then actually you’ve got your security right,” Hanley suggested.

“Cyber security is not an IT discussion,” Hanley emphasized. “It’s a business-level discussion. There needs to be business people to answer,” he said. “Wherever there’s technology, wherever there’s people, there’s always risk,” he said. “It’s about how you deal with it.”

More coverage of the ARC Group Canada Spring Seminar 2015:

- Stark consequences of a single failure illustrate importance of new era cyber protections
- Slight uptick in buying cyber insurance, but still very low at 8%