Legislation in the works that puts obligations on companies involved in critical infrastructure
As cyber threats continue to intensify, and international political crises add to the threat landscape, many smaller organizations struggle to afford the insurance that courts and regulators expect them to have, says Brent Arnold, a partner at Gowling WLG specializing in cyber security.
Ransomware attacks are multiplying and becoming more sophisticated. In Canada, the average data breach costs more than $5.6 million, which is $1 million above the global average, according to IT World Canada. Simultaneously, Arnold says that financial protection against these cyberattacks is becoming increasingly out of reach for many smaller businesses and organizations.
“It's getting more expensive. There are fewer insurers willing to provide it. The hoops that a company is going to have to go through to qualify for insurance – there's a lot more of them. That arrives at a time when courts and privacy regulators are expecting you to have it.”
The view of courts and regulators is that the product has been on the market for a while, so organizations should know it’s available and that it could mitigate their risk, he says. “But I don't know how sensitive they are to the fact that it's getting harder to get.”
Arnold says many of these smaller organizations are also prime targets for cyber-criminals if they are involved in critical infrastructure.
Bill C-26, which includes the Critical Cyber Systems Protection Act, passed second reading in the House of Commons in March. The bill would impose cyber-security obligations on companies deemed vital to national security or public safety, including those in Canada’s banking and transportation systems. Arnold calls Bill C-26 Canada’s first cybersecurity law: while privacy laws are concerned with protecting individual privacy, Bill C-26 is focused on organizations’ obligations to ensure public safety.
“What if you're a small company in that critical infrastructure space, and you can't get insurance because no one will insure you?” he says.
The cybercrime ecosystem is no longer filled with attackers aiming only at financial gain but now includes state and state-sponsored actors furthering the interests of their countries and allies. According to the 2022 Microsoft Digital Defence Report, the war in Ukraine has produced a “surge in hacktivism,” with volunteer hackers attacking political opponents, allied organizations, and governments.
Russian hackers, either covertly aligned with the government or patriots acting on their own on the government’s behalf, are attacking Western businesses and anyone on the Ukrainian side of the war, says Arnold. On the other hand, “rogue actors” such as Anonymous are attacking Russian organizations and critical infrastructure, he says.
“It's not just crime we have to worry about, it’s global politics… We’re not just worried about the criminals. We're worried about the patriots. We're worried about the governments.”
The breadth of the international cyber threat landscape is growing, says Arnold.
Bill C-27, which enacts the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act, is currently before the House of Commons Standing Committee on Industry and Technology. The bill would replace the federal Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s 20-year-old privacy law.
“It will also put in place a whole new administrative structure,” says Arnold.
Under Bill C-27, the privacy commissioner would gain new auditing and order-making powers and could recommend fines to a new tribunal. Those fines could reach the greater of $10 million or three percent of an organization’s annual global revenue.
“It replaces PIPEDA with something with more teeth,” he says.
This means companies that have not attended to their privacy obligations face greater exposure if a breach occurs and the privacy commissioner finds they have not been doing everything required under the old law, says Arnold.
“We're not talking about a huge change in what's expected of companies. But the stakes for not having complied and made those efforts now are about to get higher.”