Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/1110658
CANADIANLAWYERMAG.COM/INHOUSE MAY/JUNE 2019

Finding a co-ordinated approach to cyber-threats

Membership in organizations sharing threat intelligence and best practices in cybersecurity may form part of the expected standard of care.

Cyberattacks on Canadian businesses are increasing in volume and sophistication. Thankfully, Canada's approach to fighting such threats is also becoming more sophisticated — and, importantly, more co-ordinated.

The Canadian Centre for Cyber Security, unveiled by the federal government late last year, has assumed a leadership role in the fight against cybercrime, collaborating with various levels of government and owners of critical infrastructure (such as energy and telecommunications companies). It has also increased its engagement with Canadian business, entering into an information-sharing pact with the Canadian Cyber Threat Exchange, Canada's first private sector hub for the exchange and analysis of cybersecurity threat information.

The CCCS-CCTX pact highlights an important principle of cyber-defence that too few Canadian businesses have embraced to date: that companies often face the same threats — from the same threat actors, using the same tools and techniques — and that they stand a much better chance of avoiding and recovering from attacks if they share threat information.

Thankfully, a number of vehicles designed to facilitate varying kinds of co-operation and sharing exist. Here are a few:

Canadian Cyber Threat Exchange: This non-profit provides an exchange platform for members — including some of Canada's biggest companies, such as RBC, CN and Manulife — to anonymously share raw data from cyberattacks. Pooling member data with commercial data feeds and data from the CCCS, the CCTX is able to analyze threat information and identify attack indicators and patterns. The end product is actionable threat intelligence that helps CCTX subscribers quickly identify threats and implement measures to protect against them.
While there are sector-specific cross-border exchanges offering similar services, the CCTX's data comes exclusively from Canadian sources, ensuring threat data is relevant to Canadian entities. A fee structure based on organization size makes CCTX membership accessible to even relatively small businesses.

Sectoral Information Sharing and Analysis Centers: Similar to the CCTX in its structure and offerings, a number of international ISACs exist to provide industry-specific threat data exchange and analysis for particular sectors of the global economy. These include the automotive industry, financial services, retail and hospitality and health care.

Conference Board of Canada's Cyber Security Centre: This arm of the Conference Board provides members access to the Board's latest research reports and brings together executives from a cross-section of government, critical infrastructure and major corporations in a confidential forum to discuss emerging issues in cybersecurity and to compare notes on current approaches and best practices for combatting cyber-threats.

SERENE-RISC: Funded by the federal Networks of Centres of Excellence, this network brings cybersecurity academics from across the country together with private companies, government and non-profit organizations. Working to bridge the gap between cybersecurity theory and practice, SERENE-RISC gives businesses access to cutting-edge research and the opportunity to share knowledge across industry sectors and academic disciplines.

It is worth bearing in mind that a collaborative approach to cybersecurity is not only good practice but may some day be the law. A settlement proposal tabled for court approval in a recent United States derivative action following a massive consumer data breach required, as one of its terms, that the company join at least one ISAC.
As Canadian case law in the data breach arena matures, we may well see that membership in organizations sharing threat intelligence and best practices in cybersecurity forms part of the expected standard of care for companies doing business in Canada.

However you choose to stay informed, there's no question that when it comes to protecting your company from advanced cyber-threats, knowledge is power.

Brent J. Arnold is a partner in Gowling WLG's advocacy department, specializing in commercial litigation, arbitration and cybersecurity.

Risk Management
Brent J. Arnold