Written by Ruth Promislow, Michael Whitt and Noren Howg
The recently announced federal government cybersecurity certification program is targeted at small- and medium-sized enterprises (SMEs), but larger organizations should also take note.
All organizations are subject to cyberattack—regardless of their size or industry. Of course, managing these risks is more challenging for SMEs with limited resources available to implement a proactive approach.
The risk of cyberattack for SMEs is also a risk for larger organizations: SMEs often provide services to larger organizations and thereby expose the larger organization to their cyber risks. The most notorious example of this is the Target breach, where intruders gained access to the Target system through the HVAC supplier. The exposure becomes more pronounced when the SME is contracted by the larger organization to process personal information on its behalf. A lack of security at an SME therefore becomes a lack of security for the larger organization.
On August 12, 2019, Finance Minister Bill Morneau announced the launch of a certification program called CyberSecure Canada. CyberSecure Canada is a partial response to the needs expressed in the National Cyber Security Strategy for the Government of Canada, aimed at supporting small and medium businesses by making cybersecurity more accessible. The initiative targets small- to medium-sized businesses, but all businesses in Canada are eligible for the certification program, including all not-for-profit and for-profit organizations.
For a business to obtain certification, it will need to adopt a number of cybersecurity controls. These controls include:
- develop an incident response plan;
- automatically patch operating systems and applications;
- enable security software;
- securely configure devices;
- use strong user authentication;
- provide employee awareness training;
- back up and encrypt data;
- secure mobility;
- establish basic perimeter defences;
- secure cloud and outsourced IT services;
- secure websites;
- implement access control and authorization; and
- secure portable media.
Having robust consent, collection, retention and secure destruction procedures in place is also required.
A business that complies with all of these controls, as demonstrated through an audit conducted by an accredited body, can become CyberSecure certified and permitted to use the CyberSecure Canada logo. Once obtained, certifications will be valid for two years. When an organization’s certification expires, the organization will have to apply for recertification.
Focusing on a cybersecurity strategy and working towards certification should provide businesses with some essential tools and frameworks to help mitigate cyber risks and to respond to cyber incidents. Implementing these controls (and then obtaining certification) also helps organizations address their obligations under the applicable privacy legislation to safeguard the personal information they collect.
For larger organizations, the certification of their third-party suppliers/vendors would likely be helpful in managing legal exposure from a cyberattack against the third party. When engaging a third-party supplier to process personal information, an organization is expected to have some basis for selecting the third party and entrusting it with that processing. Failure to have such a basis exposes the larger organization to liability in the event of an attack on the SME involving personal information that was initially entrusted to the larger organization. Further, a larger organization could also have exposure where it provides a third-party supplier with access to its system (as in the Target breach) without any basis for being satisfied that the third party had taken appropriate steps to manage cyber risk.
Managing cybersecurity risks involves looking beyond the risks within your own four walls. A third-party supplier’s failings may expose your organization to risk down the road. Being proactive involves looking at all of your organization’s contractual relations and assessing where operational risk may arise and what may be done to mitigate that risk, including possibly requiring third-party vendors to obtain a CyberSecure certification (or some other form of certification).
Bennett Jones' Privacy & Data Protection practitioners are available to help businesses in need of assistance in these areas. To contact us, please feel free to connect with any of the lawyers listed on our Privacy & Data Protection page.