IT infrastructure, including data management and
telecommunications, is becoming the nervous system, if not the
brain, of many companies. The failure, interruption or security
breach of this infrastructure can have catastrophic business
implications for financial institutions. With proper legal due
diligence, corporate policies and contractual terms, the risks
associated with the implementation of innovative technologies and
cloud computing can be minimized.
The Cost of Cybersecurity
According to recent studies, the average cost of one security
incident to an organization is $7.2 million. Yet in the financial
services industry, the majority of organizations are spending only
$1 million-$10 million annually on information security.
It is shocking to hear that most security breaches go unnoticed
for a total of 205 days, allowing attackers time to further
discover and infect an organization's computer systems and
siphon out valuable data. With multi-tenanted cloud service
databases or shared technology platforms, the damages could be even
more severe, as a single flaw or vulnerability in one area could
allow an attacker to access not just one company's data, but
every other company's data on that system as well. Cloud service providers
are prime targets, given the vast amounts of data that they often
store, as well as the ease with which a criminal can sign up for
their services to get access to their systems.
In addition, with the growth of the Internet of Things
(IoT), more sensors and machines are coming online and
communicating data without any human intervention, leaving
vulnerable access points and further compounding risk. Other cyber
threat access points include apps that are downloaded to employee
mobile phones, tablets or laptops used for business under an
organization's bring your own device (BYOD) policy.
Also, many open source software (OSS) programs incorporated into
proprietary software development are not secure.
Legal Best Practices for Cybersecurity
So what should a financial institution be doing from a legal
perspective to address cybersecurity threats and ensure it is
following best practices?
First, it needs to have up-to-date internal policies that cover
current information security threats, data management, software
development, OSS use, employee monitoring, employee privacy, BYOD,
business continuity and disaster/data recovery.
Second, it needs to implement proper breach identification,
assessment, blocking and notification procedures.
Third, a comprehensive review of all its legal contracts should
be done to ensure that they contain robust cybersecurity
protection clauses and that there are no other terms in the
contracts which could excuse an outsourced service provider or
software and technology vendor from liability for their
Proper legal due diligence includes not just a document review,
but also a risk assessment of the service provider and applicable
legal jurisdictions, as well as a compliance review of OSFI
guidelines, Canadian privacy and banking laws, data storage
requirements and third-party relationship management.
New Contract Terms for Cybersecurity
Historical commercial contracts are no longer sufficient, as
they fail to properly address cybersecurity. Key provisions of
vendor and supplier contracts that need to be revised include
definitions of "data", "confidential
information" and "material breach", as well as terms
dealing with confidentiality and permitted disclosure, service
levels (SLAs), business continuity, testing, force majeure, audit,
reporting, limitations on liability, disclaimers, warranties and
indemnities, among others.
New provisions that must be added to commercial contracts
include the definition of "information security
incidents", as well as terms dealing with security breach
prevention and safeguards, security training, monitoring,
identification, notification and handling of incidents, standards
of encryption, data and storage media handling, testing and
certification of deliverables and services for cybersecurity,
security breach covenants including triggers and escalation
processes, investigation and remediation assistance, impact
statements and cost allocation for crisis management and public
relations, among others.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.