To fully understand a company's potential exposure to cyber liability, it is important to understand (1) what factors increase the company's exposure and (2) the identity of the individuals who provide access to the confidential information. While many assume that hackers are the most likely culprits of cyber liability incidents, recent studies have shown that employees are the most-cited offenders. Employees commonly expose their company to cybersecurity threats unwittingly, in ways that include losing their mobile devices or being the target of phishing schemes. The PWC Survey of Canadian Private Companies highlighted this growing issue when it found that 75% of cybersecurity breaches are driven by insiders. [1] Additionally, this survey determined that 42% of companies had not provided any employee training on cybersecurity. [2]

There have been numerous examples of the devastating effects of insider-induced cybersecurity breaches. These include the accidental leaking of player lineup data on the DraftKings website, the Chelsea Manning scandal, and the Edward Snowden leak. Nevertheless, many companies still do not have any insider threat program. As a result, they are not prepared to prevent, detect and respond to internal threats. Even where companies do have some form of detection program, the question of how they respond remains. Often, when companies determine that an employee has deliberately perpetrated a breach of cybersecurity, they decide to deal with the issue internally, rather than involving law enforcement. In many cases, the employee is simply terminated and no further action is taken. This is illustrated by a PWC survey in the United States which found that 75% of companies did not involve law enforcement when they dealt with a cybersecurity threat. [3] This statistic is particularly troubling because the employee is placed back in the marketplace to be hired by another unsuspecting employer.

Individuals with access to insider information are not only employees but may also be service providers, contractors, consultants, and others throughout the supply chain. All of these parties have the potential to access data through remote devices, online systems, databases, or manually. Therefore, each of these access points needs to be protected. A major concern for larger businesses arises where they have smaller businesses in their supply chain. Hackers will often target these smaller companies as they tend to have lower security thresholds. Once the hackers have a point of access, they are able to gain entry to the larger company which, at the outset, appeared to have higher security standards. These tactics not only present devastating consequences to the cybersecurity of both companies, but also leave the smaller business exposed to significant legal, financial and reputational issues.

This doesn't have to be the case. Businesses can combat their exposure by developing stronger cybersecurity policies, educating staff and exercising due diligence regarding vendors and suppliers. Additionally, although it may seem counterintuitive, collaborating with competitors is often a great way to protect your business. Companies can work together to discuss prior incidents and prepare a more unified response to cybersecurity threats. Despite the effectiveness of collaboration, the PWC Survey of Canadian Private Companies found that 61% of respondents weren't formally collaborating with others in the industry. While there were a variety of reasons for this, a notable excuse was the lack of trust between competitors. [4] Despite the reluctance, an important part of incident response is to collaborate with others, whether within the same industry or not, as this collaboration can lead to better solutions.


[1] "Balancing digital opportunity with cybersecurity risk" (2015 Tenth Annual Business Insights Survey of Canadian Private Companies), online: PricewaterhouseCoopers LLP
https://www.pwc.com/ca/en/private-company/publications/pwc-business-insights-cyber-security-2015-03-en.pdf [PWC 2015] at 5.

[2] Ibid.

[3] "Key findings from The Global State of Information Security Survey 2016" (30 Sept 2014), online: PricewaterhouseCoopers LLP [GSISS 2016] at 13.

[4] PWC 2015, supra note 1 at 6. 

www.lerners.ca
