Beyond the direct cost of an incident (the latest report by NOVIPRO Group and IBM estimates that 24 per cent of successful cyber attacks or breaches cost more than $500,000), legal penalties can also apply to companies that are not in line with recent legislative updates. These include Law 25 in Quebec and the federal Bill C-27, which contains proposed legislation related to consumer privacy, data protection and artificial intelligence (AI).
In Quebec, Law 25 addresses data protection and data breach notifications. “Nearly one third of respondents were unaware of Law 25 and Bill C-27,” say authors of the NOVIPRO Group and IBM report, IT Trends 2024. “This lack of awareness is particularly concerning with regards to Law 25, which is already in effect and governs all companies with customers in Quebec.” Even within Quebec, they say 17 per cent of respondents weren’t aware of Law 25. This number jumps to 28 per cent across the rest of the country. The technology industry report surveyed 297 IT decision makers, 80 non-IT managers and 76 decision makers who were not managers or working in IT.
Violating Law 25 reportedly carries administrative penalties: fines of up to $10-million or two per cent “of the enterprise’s worldwide turnover for the preceding fiscal year – whichever is greater,” according to a briefing on the topic by Osler, Hoskin & Harcourt LLP.
Reporting by law firm Dentons states that organizations face comparable maximum penalties for violations of Bill C-27: administrative penalties of $10-million or three per cent of the organization’s gross global revenue in its previous financial year, whichever is higher. (Note that this bill, not yet law, is currently under review by a House of Commons standing committee.) Organizations that knowingly contravene the law and commit an indictable offence could also be liable for a fine of $25-million or five per cent of the organization’s gross global revenue.
“The convergence between law and engineering is transforming companies’ approaches to cyber security,” the IT Trends 2024 report states. “Asset inventory, long neglected in cybersecurity, is becoming crucial. Companies, driven by new legislation, are now seeking to keep these inventories up to date.” They also note more rigorous supplier management programs in place for some companies. “Canadian companies must move beyond legal compliance and integrate cybersecurity into their operational strategy.”
Data governance
Among the report’s findings, 68 per cent said they have data governance processes, or they are considering implementing them. This number jumps to 84 per cent among financial services firms. Just 68 per cent overall offered cybersecurity training last year, while 57 per cent of respondents said their companies had a business continuity plan implemented.
Notably, 21 per cent of respondents said their company had been the victim of a cyber threat. The report also states that 40 per cent of reported cyberattacks came from internal actors. Only 29 per cent said they had cyber insurance, and a further 31 per cent indicated that their company has no plans to acquire coverage.
Cyber insurance
“Companies with more than 100 employees are far more likely to have obtained cyber insurance. Smaller companies may wish to purchase insurance but are unable to take on the double burden of insurance costs and required investments in security measures,” the report states. “Insurance policies are driving investments in security measures; every year insurers add new measures that companies must meet in order to qualify for cybersecurity insurance.”