Canada: Cyber-Attacks: Why Any Business May Be At Risk And Five Possible Ways To Address The Risks

In this article, Stikeman Elliott's Vanessa Coiteux reminds us that the risk of cyber-attack is by no means confined to businesses in certain industries. She identifies five cybersecurity risk factors that apply to most or all businesses and discusses how to address them. These observations will be of particular interest to corporate directors who, as the article notes, increasingly have to take the risk of cyber-attacks into account – including in situations where the acquisition or sale of a business is being contemplated.

  • "This is not a big public company!"
  • "This is not a financial institution or a retail company!"
  • "There must be more valuable information to hack out there!"
  • "Putting cybersecurity measures in place is costly!" 

These are just some of the reasons why some companies do not think of themselves as at risk for a cyber-attack and are reluctant to address the full range of cybersecurity risks. However, the conception of cybersecurity risk underlying these comments is outdated: in a highly-connected world where almost every business uses cellphones, computers or electronic payment systems, this line of thinking can lead to a security oversight that ends up costing the business financially, reputationally, or both. The reality of 2016 is that, regardless of its size or industry, any business may be at risk of a cyber-attack.

Recently, interest in cybersecurity has skyrocketed amongst boards of directors and executives. According to a survey conducted in 2015 by the information security organization ISACA,1 among the global business and IT professionals from 129 countries who responded, 86% believe that cyber-attacks are among the three biggest risks faced by organizations today. Their concern regarding cyber-attacks is understandable, as the costs and risks associated with cybersecurity have increased tremendously in the last few years.2 For example, a 2016 PwC survey indicated that cybersecurity-related incidents had increased by 160% on a year-over-year basis.3

In this article, we will focus on five risk factors related to cybersecurity and five corresponding ways to minimize the risk of a cyber-attack.

Part I - Five Risk Factors

1. Thinking It Cannot Happen

Blindly believing that cybersecurity is not a concern can be problematic as it may condition management into not investigating whether there are any real concerns. According to the 2015 ISACA survey, only 46% of professionals expect a cyber-attack to strike their organization in the coming year, although a staggering 86% of professionals believe that it is one of the biggest threats that their organization is facing. Hence, there is a great discrepancy between how many professionals see cyber-attacks as a threat and how many actually think it will happen to their organization.

In order to determine if cybersecurity risks should be a concern, the management of a business should consider the three fundamental functions of cybersecurity, namely: confidentiality, integrity and availability.

  • Confidentiality: This refers to important or sensitive information that a business wants to keep confidential and private and to which only certain people or systems should be given access. Does the business keep electronic copies of contracts, calls for tenders, bids, lists of employees, credit card numbers, personally identifiable information and so forth? Or, more generally, does the business have any electronic information that stakeholders would not want to be disclosed to the public?
  • Integrity: This refers to the integrity of the business' systems and their consistency and trustworthiness over time in keeping information assets complete, intact and uncorrupted. Are the IT systems secure? Does the business use different types of identification methods (biometrics or security tokens, for example)? Do its employees have access to their e-mails on their phones or remote access to their computers? Does management have absolute confidence in the integrity of its systems at all times?
  • Availability: This relates to the importance of having all IT systems available for the continued operation of the business. Can the business operate without access to the Internet or e-mail for a few hours, a day, two days or a week? Can the business operate without access to the information stored on its hardware? How long could the business continue to operate if it lost control of its cyber infrastructure?

If there are any concerns regarding any of the above functions, the management of a business should consider cybersecurity as a risk to be discussed with its legal and cybersecurity professionals.

2. Failing To Understand Where The Risks Are Coming From

Understanding issues with the business' cyber infrastructure is a key component in assessing cybersecurity risks. Being aware of malware, viruses or intrusions, service provider failures, physical security deficiencies (loss or theft of devices or equipment), misuse of mobile devices, insider sabotage, and misuse or failure of cloud applications is extremely important in detecting and reacting to a cyber-attack. Otherwise, the management of a business risks learning about a cyber-attack on the business' systems from a third party such as a supplier or customer, which may lead to reputational damage and the loss of goodwill for the business.

3. Failing To Take Into Account The Human Factor - The Weakest Link

When it comes to cybersecurity, the "human factor" is the elephant in the room. More and more cyber criminals manipulate unsuspecting employees to gain access to an organization's confidential information. This method of exploitation, known as social engineering, is one of the most common ways of effecting a cyber-breach. According to a 2015 report, 95% of all espionage attacks that occurred in 2015 involved a practice known as a phishing scam, which consists of tricking individuals into divulging sensitive information via a website link or through direct response, such as an email.4

For example, one can easily imagine the situation where all of the employees of a business receive an e-mail from an unknown source containing either a document or a link and a plausible reason as to why the document should be opened or the link should be clicked on.5 Is management confident that all of the business' employees would never open such a document or click on such a link? The consequences of even one employee inadvertently opening the document or clicking on the link could be disastrous. For example, the business could be without its e-mail server for numerous days. The fact is that hackers, phishers and malware are sophisticated and can harm, slow down or even paralyze a business.

4. Underestimating The Importance Of Preparedness

Another way a business may be at risk is if its management team underestimates the importance of being prepared. Being prepared involves both having a plan to prevent a cybersecurity breach (pre-attack plan) and a plan on how to respond to a cybersecurity breach should it materialize (incident response plan). The importance of having both such plans in place is sometimes underestimated by the management of a business even though the consequences of not having such plans can be serious, and can include damages and fines imposed by courts and regulators. For more on this topic, see our previous article on cybersecurity.

5. Blindly Believing That The Business Has Adequate Insurance Coverage

In Canada, the cyber insurance market and its products are relatively new and still developing and evolving. As such, navigating through multiple policies, from general commercial liability policies, to errors and omissions, to network security and privacy policies, can often be challenging. One common oversight is believing that traditional policies will provide the business with adequate coverage in case of a cybersecurity breach or a cyber-attack. In general, such policies may only cover some of the risks associated with cybersecurity. Most of the time, data and other non-tangible goods that can be stolen in a cyber-attack may not be covered, meaning that many businesses may not understand the true cost of a cyber-attack to their bottom line. The true cost may not be negligible considering that cybercrime costs an aggregate of US$375 to $575 billion every year globally6 and that, according to a 2015 study by the Ponemon Institute, the average consolidated cost of a data breach in Canada was CAD$5.32 million per occurrence.

To illustrate, imagine the situation where an employee takes a USB key containing over 1000 customer files in order to work from home, puts the USB key in his car, stops for lunch on his way home, then comes back to the car and finds that the USB key is gone. Traditional policies would normally cover the tangible object, the USB key itself. However, what is on the USB key, and clearly what is more valuable, the intangible (the data), is typically not covered. Any damages associated with such a loss of data would also generally not be covered and could be devastating both from a reputational and a financial perspective.

Part II - Five Ways To Address The Risk Of A Cyber-Attack

There is no way to guarantee 100% protection against cyber-attacks but cyber risks can be controlled and mitigated by any business. Whether each of the following methods is appropriate or necessary for a given business will depend on management's appreciation of the facts and circumstances surrounding the business.

1. Consider Raising Awareness

Raising awareness with regard to cybersecurity within the entire business may minimize the risk of a cyber-attack. As mentioned in our previous article, cybersecurity is not only an IT issue. It is becoming an enterprise-wide issue that can require an interdisciplinary approach, including a comprehensive governance commitment to ensure that all aspects of the business are aligned to support effective cybersecurity practices, as well as regular training of all stakeholders including employees. For example, businesses can raise awareness by educating employees on common ways to gain entry to the business' systems, such as phishing and phony e-mails, which in turn may reduce the likelihood that its employees will become attack vectors, the term commonly used in the industry to describe the means by which a hacker gains access to the business' network. Indeed, proper training can help reduce some of the risks associated with the human factor.

To that effect, the Investment Industry Regulatory Organization of Canada (IIROC) issued in December 2015 a Cybersecurity Best Practice Guide. Although the guide is designed for IIROC dealer members, it contains several tips and guidelines that could be useful for any private or public company that wishes to raise awareness internally.

Furthermore, to raise awareness, a business can conduct various tests on its cybersecurity infrastructure to determine its vulnerability to cyber-attacks, either in-house or through the use of an external security service. Cybersecurity professionals from external firms, such as most of the large accounting firms, employ a wide array of tests that they can conduct on your systems to determine your vulnerability to an attack. The two most common tests are the "White box" and "Black box" tests. In a "White box" test, cybersecurity professionals will require some information on the business, examine its systems and determine its vulnerabilities by simulating a cyber-attack. In a "Black box" test, cybersecurity professionals will act as if they were hackers, meaning that they will not require any information or examine the business' cyber infrastructure before trying to hack into it; they will only simulate an attack to determine where and how its system is vulnerable and what kind of information would have been stolen or compromised had it been a real attack.

2. Consider Adopting a Robust Policy Targeted at Employees

In addition to raising awareness, another way a business may address the risks associated with the human factor is by developing a comprehensive policy that informs employees on how to deal with the business' technology, its devices, its web applications (including email) and its electronic information, as well as any personal devices that come into contact with the business' IT infrastructure. In developing such a policy, management may consider:

  • using language that is easily understood by all employees – not only technology or security specialists;
  • specifying what constitutes intellectual property, confidential information, sensitive business information, and other assets which the policy seeks to protect;
  • emphasizing the importance of cybersecurity and explaining the potential risks to allow employees to understand what is "at stake", using real-life examples to which employees can relate;
  • specifying what can or cannot be done with the business' technology, devices, web applications (including email) and electronic information;
  • specifying who is responsible for the policy specifically or cybersecurity generally;
  • specifying the hierarchy of who to contact if there are any questions or incidents as well as how to contact such persons; and
  • specifying the costs and consequences to the business and individual employees who fail to respect the policy.

In order to ensure that such policy is an effective tool, a business may consider regularly reinforcing its application through information sessions and internal communications (i.e. emails, videos, portal) and its compliance through proper audit and monitoring.

Furthermore, before drafting or adopting a cybersecurity policy, a business may consider using guidelines provided by the National Institute of Standards and Technology (NIST) in its Framework for Improving Critical Infrastructure Cybersecurity. The framework provides many practical and interesting tools and ideas for implementing, maintaining and managing robust cybersecurity policies and processes.

3. Consider Employing Safeguards in Contracting Processes

One of the major subjects treated by recent guidelines from regulators throughout Canada and the United States is third-party services and suppliers' contracts. In fact, "the number of security incidents at companies attributed to partners suppliers and third-party vendors has risen consistently, year on year".7 A business may wish to consider employing safeguards in its contracting process such as:

  • developing policies designed to assess and verify the performance of a third-party service provider's or supplier's cybersecurity infrastructure;
  • exercising careful due diligence before entering into an agreement with a third-party service provider or supplier;
  • assessing the kind of information that the third-party service provider or supplier will have access to and identifying such information as confidential and protected information in the contract with that party;
  • requiring the third party service provider or supplier to provide adequate representations, warranties and covenants regarding its cybersecurity processes (including ongoing and regular testing and improvements) so as to have a contractual recourse in case of a cybersecurity breach that is attributable to the third-party service provider or supplier;
  • giving priority to third-party service providers or suppliers that have rigorous cybersecurity policies in place, as these relationships ultimately influence a business' risk profile and, where applicable, the premium of a business' cyber insurance policy; and
  • assessing whether its cyber insurance policy provides it with adequate coverage in case of a cybersecurity breach that is attributable to the third party service provider or supplier.

4. Consider The Need For Cybersecurity Insurance

Insurers in Canada recently started to provide clients with the possibility of subscribing to stand-alone cyber insurance policies, either by directly underwriting with insurers or through a brokerage firm. Cyber insurance is modular; there are various cybersecurity policies (information security and privacy liability, privacy breach response, media liability, just to name a few) that can be adapted to a business' needs. To better understand the type of insurance a business needs, insurers and/or brokers will typically circulate a questionnaire comprising 40 to 50 questions to identify a business' strengths and weaknesses. Generally, the more robust the cybersecurity infrastructure and governance structure of a business, the less expensive the premium it will have to pay.

Also, management may consider consulting with legal professionals and cybersecurity specialists to help them with the process of subscribing to a cyber insurance policy. Many problems may arise from cyber insurance policies if they are not reviewed by seasoned professionals. For instance, the way one circumscribes the definition of "sensitive information" in a policy is very important because it might exclude some of the key assets and/or data of the business. Another example is that cyber-attacks are sometimes state-sponsored, and such an attack may be excluded from coverage if it falls under the classic "terrorism" exclusion. Additionally, exclusions must be carefully examined when dealing with a traditional policy.

5. Consider Legal Disclosure Obligations

a) Digital Privacy Act

In addition to continuous disclosure obligations of listed issuers, which we have already discussed in a previous article on cybersecurity, management may wish to consider legal disclosure obligations related to a cyber-attack.

In June 2015, the Digital Privacy Act (DPA) was adopted to amend the Personal Information Protection and Electronic Documents Act (PIPEDA)8 to, among other things, require organizations to notify the Privacy Commissioner and affected individuals of any breach of security safeguards involving personal information under an organization's control, if it is "reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual". A business can be fined up to $100,000 if it fails to inform customers of the breach in a timely manner. In addition, the DPA will require that organizations keep and maintain a record of every breach of security safeguards involving personal information under the organization's control. Even though the obligation to notify will not come into force until related regulations are adopted, the adoption of the DPA itself sends a message to businesses and organizations to be vigilant.

b) Various United States Bills Adopted or Proposed

A first bill to adopt the Cybersecurity Disclosure Act of 2015 was proposed by Senators Reed and Collins of the U.S. Senate on December 17, 2015. The bill purports to promote transparency in the oversight of cybersecurity risks of publicly traded companies. In the form of "comply-or-explain", this bill proposes to require public issuers to disclose which member of their board has cybersecurity expertise or explain why such expertise is not deemed necessary at the board level. As of today, nothing of this nature has been proposed in Canada, but it will be interesting to follow any development regarding the proposed U.S. bill in the coming year, as there is always the potential that Canadian regulators may follow suit.

The Cybersecurity Information Sharing Act of 2015 was adopted on December 28, 2015. This new act gives companies legal immunity if they share cyber threat data and defensive measures with the federal government. As of today, no equivalent act has been adopted in Canada.

In conclusion, navigating the cybersecurity world is not always an easy task. From the testing of cyber infrastructure, to the education of employees, to the drafting of agreements with third-party service providers and suppliers, to selecting a cyber-insurance policy, many questions and uncertainties may arise. Being ready is key to fighting the cyber war. With trusted professionals at its side, a business may find that addressing this risk may be easier than it seems.

The author would like to thank Tania Djerrahian and Jérémie Ste-Marie for their contribution to this article.


1 See ISACA's 2015 Global Cybersecurity Status Report. The survey was conducted with 3,439 business and IT professionals from 129 countries including Canada.

2 See Fraser Institute, "Cybersecurity Challenges: For Canada and the United States", March 2015, p. 17.

3 See PwC's Global State of Information Security (GSISS) Survey 2016.

4 Verizon Data Breach Investigations Reports, 2013-2015.

5 According to the Government of Canada, 156 million phishing emails are sent every day, 16 million make it through filters, 8 million are opened, 800,000 links are clicked and 80,000 persons fall for a scam every day. Visit for more info.

6 See McAfee, "Net Losses: Estimating the Global Cost of Cybercrime", Center for Strategic and International Studies, June 2014 and Fraser Institute, "Cybersecurity Challenges: For Canada and the United States", March 2015.

7 IIROC, Cybersecurity Best Practices Guide, 2015.

8 PIPEDA applies to organizations under federal jurisdiction and does not apply in provinces that have privacy legislation deemed substantially similar to PIPEDA by the federal government. Currently, only Québec, Alberta and British Columbia are in that position.
