Cyber Snapshot: Key Findings From Our Recent Study

Cybersecurity is one of the hottest issues facing companies and organizations in Canada today. Despite this, many are still not equipped with a cybersecurity plan, and few resources are available that analyze cyber activity in Canada's marketplace. To fill this gap, Blakes pioneered the annual Canadian Cybersecurity Trends Study, now in its third year.

Below are five key takeaways from our study that were covered in a recent Blakes webinar:

1. Increase in Cyberattacks. The number and destructiveness of cyberattacks increased dramatically in 2021. Threat actors continue to evolve their methods, with the types of threats changing monthly. This means organizations must stay vigilant in updating their cybersecurity policies and educating employees about cyber-awareness.
2. Ransomware Attacks. Ransomware attacks continue to be the most common form of cyber crime. In a typical ransomware attack, a threat actor will encrypt an organization's system, rendering it useless, steal the organization's data and demand payment for a decryption key and for committing not to publish (and delete) the stolen data. Our study found that in ransomware attack situations, 56% of organizations chose to pay the ransom. The amounts of these ransoms are also increasing — in 25% of cases, the ransom paid was over US$1-million.
3. Reporting Requirements. Mandatory breach-reporting requirements currently exist under federal privacy legislation and in Alberta under provincial law. Quebec's reporting requirements are coming into force in September 2022 and will impose monetary penalties for non-compliance of up to C$10-million or 2% of an organization's worldwide turnover.
4. Litigation Trends. Privacy class actions are on the rise, but they are proving a challenge to certify. Courts will not accept general anxiety and distress over hacked personal information as a basis to award damages. Hackers, however, should be worried. In a recent precedent-setting case, a Canadian hacker was sentenced to nearly seven years in prison for orchestrating large-scale ransomware attacks and had to pay C$2.8-million to his Canadian victims.
5. Cybersecurity Due Diligence. Cyber due diligence is a critical step in mergers and acquisitions today. It should start with looking at the nature of the target's operations, its cyber sophistication, the transaction value, the data at issue, the timeframe and the potential liability. The process should also include an examination of applicable laws, an analysis of the target's IT infrastructure and an evaluation of their cybersecurity policies and practices.

For permission to reprint articles, please contact the bulletin@blakes.com Marketing Department.

© 2025 Blake, Cassels & Graydon LLP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.