While companies wanting to protect their reputation may hesitate to report cybersecurity breaches, they may soon have no choice but to be transparent and proactive.
KPMG’s national leader of cyber response, Kevin Fowler, foresees reports of breaches “skyrocketing” this year. This is due to upcoming changes to Canadian privacy law and guidance from securities regulators, according to CBC News.
The regulatory guidance and upcoming legislative changes say that Canadian companies should not just disclose more about cyberattacks than they did before, but also be more proactive about specific risks that could allow attacks in the future. With more known breaches, there will be more angry victims and a probable rise of lawsuits against companies, predicted Fowler.
The Canadian government passed the Digital Privacy Act in June 2015, which among other things required that Canadian privacy law be updated to include data breach notification and reporting regulations. A spokesperson from Innovation, Science and Economic Development Canada said that draft regulations are expected early this year. Imran Ahmad, a partner specializing in cybersecurity at law firm Miller Thomson, believes they will take effect by the fourth quarter of this year.
From that point on, organizations will have to keep a record of every breach and inform affected individuals of any incident that poses a “real risk of significant harm.” That covers personal, financial, and security information that could be used for fraud or a social engineering attack. Ahmad said that companies that fail to log a breach or notify users could face a fine of up to $100,000, which he called “a step in the right direction.”
The legislative changes run parallel to guidance from the Canadian Securities Administrators (CSA). After surveying 240 publicly traded Canadian companies and finding that 40% failed to address cyber risks in their disclosures, the regulator said it expects issuers to “provide risk disclosure that is as detailed and entity specific as possible.” It also said that it will monitor companies for compliance.
“I think the next [question] is probably going to be, what is the enforcement action for non-compliance?” Ahmad said. “We're not there yet, but that's where we're headed.”