45 minute presentation to regulatory agencies in Ontario on cyber risks, prevention and response.

1. Presented By
Cyber security
for the regulator
and regulated
Dan Michaluk
October 18, 2021

2. Agenda
o The threat environment
o Cyber defence basics
o Incident response basics
o What you can do personally
2

3. THE THREAT ENVIRONMENT
Many organizations are
hiding in the noise,
waiting with fingers
crossed

4. o Inside out
• Errant e-mails
• Loss and theft
• Shadow IT
• Departing employees
o Outside in (“cyber”)
• Malware/ransomware
• Business e-mail compromise
• Misconfigurations
Inside out and outside in
Types of data security threats
4

5. o Attacks up by 150% in 2020
o Ransom payments are up more than 300% in 2021
o Double and triple extortion threat
• Lock up data
• Steal data and hold it ransom
• DDoS or doxing threat
o Market for insurance is hardening
• Premiums up 20% to 50%
• Higher retentions/deductibles, limits and co-insurance
• New conditions for coverage and harder vetting
The probability is high
Ransomware threat
5

6. o Incident response costs
• Operational drain
• Hard costs
o Business interruption losses
o Reputational harm
• What’s the impact on the business of ruptured
trust?
• Legal reporting/notification obligations require
full and unmitigated transparency
o Civil liability to employees, customers,
business partners and investors/shareholders
The severity is high
Ransomware threat
6

7. CYBER DEFENCE BASICS
Time to learn, take care
of the low hanging fruit
and build a program

8. o People are clearly accountable, and
someone is ultimately accountable
o That person engages deeply with the
executive team, who engages deeply with
the board
o Policy is recorded, understood and adhered
to
o Risks and readiness is systematically and
periodically assessed
o Translates into continuously evolving
defence in depth
To state the obvious
The elements of a good program
8

9. o The process of managing the deployment,
maintenance, upgrading and disposal of IT
assets
o IT asset = hardware, software or data
repository within the organization’s
technology environment (including cloud)
o Common problems
• Assets are adopted but not under
management
• Legacy technologies are vulnerable and not
integrated with current security technologies
Essential/foundational activity – asset management
Risk management
9

10. o Insecure remote access
• Exposed remote desktop protocol
• No multi-factor authentication and poor
password practices
o Vulnerability and patch management
o Poor implementation of least privilege
principle
o Poor network visibility
o Poorly implemented and untested backup
procedures
Common technical problems
Risk management
Coveware Q2 2021 Ransomware Report
10

11. INCIDENT RESPONSE BASICS
Have a usable plan and
prepare

12. o Why?
• It’s not if, but rather, when
• You’ll save time and make better
decisions
o The functions of a written IRP
• Establishes a protocol for reporting and
escalation
• Assigns decision-making power and
accountability
• Provides a framework to support strong issue
identification and management
Why have a plan? What’s a plan?
Incident readiness and response capability
12
SECURITY EVENT >> SECURITY INCIDENT >> DATA BREACH

13. o Simplify your incident response plan
o Learn about what may get you
• Pick four incident scenarios from the upper
right quadrant of your risk register
• Dive deep with your team into them over the
next year, learn about them, think about them,
discuss them
• Document your thoughts in a cheat
sheet/playbook
o Pre-retain your vendors – legal, incident
response, negotiator and communications –
and find ways to work with them
Things to do today
Preparing for an incident
13

14. o Timing is everything
• Match the “clock speed” and don’t rush
• You will need to communicate early, but must do
so carefully and without speculation
o Notify only based on the evidence
• Why pay for forensics if you’re going to notify out
of caution?
• Would a plaintiff, with the available evidence, be
able to prove file level access or theft?
o Consider threat intelligence sharing and
reporting to law enforcement – do your part to
help the community win the war
Dan’s top tips
Incident response practice
14

15. o Retain an expert negotiator to communicate on your
behalf, provide you with intelligence and check
sanctions lists
o Threat actors will typically honour their word, and
large and well-known actors are better
o If you’ve lost critical data you may have a
compelling need to pay
o Paying for deletion will not relieve you of any legal
obligation to notify – can’t prove deletion given rule
against hearsay
o Paying for deletion may actually prevent the
representative plaintiff, the regulator or the public
from gaining evidence of widespread leakage
To pay or not to pay?
Paying the ransom
15

16. Questions?
Questions?

17. For more information, contact:
The information contained herein is of a general nature and is not intended to constitute legal advice, a complete statement of the law, or an opinion on
any subject. No one should act upon it or refrain from acting without a thorough examination of the law after the facts of a specific situation are considered.
You are urged to consult your legal adviser in cases of specific questions or concerns. BLG does not warrant or guarantee the accuracy, currency or
completeness of this presentation. No part of this presentation may be reproduced without prior written permission of Borden Ladner Gervais LLP.
© 2020 Borden Ladner Gervais LLP. Borden Ladner Gervais is an Ontario Limited Liability Partnership.
Thank You
Dan Michaluk
Partner
416.367.6097
dmichaluk@blg.com