#CyberFLASH: How much cybersecurity is enough?

cra-passwords-security_211076204-e1402005190177How much cybersecurity is enough? This question is as legal as it is technical. In legal terms, the question is answered by the applicable standard of care. The standard of care draws the line between conduct that renders a company liable, and that which does not. Where a company meets or exceeds the standard of care, it cannot be held liable in law for damages related to that conduct. In the context of cybersecurity, the standard of care may be established by a regulator, by the legislature, by contract or, retrospectively, by a court in the context of a lawsuit. This is rarely if ever done explicitly. Standards of care, typically are framed in “should” rather than “must” language. They are, often, technologically neutral, in the sense that they do not require a specific solution to a specific problem.

By way of example, most regulators prefer persuasive as opposed to mandatory regulation. Hence they prefer to issue “guidelines” or “advisories” to establish standards of care. Thus, for example, the CSA Staff Notice 11-326 Cyber Security is, as its name states, a notice, rather than an order or regulation. As a notice, it is not enforceable at the instance of the regulator, nor is there a penalty regime in place for failure to abide. That said, failure to comply would be a strike against an issuer, registrant or regulated entity in any proceeding that arises as a result of a cybersecurity breach.

Similarly, the Office of the Superintendent of Financial Institutions of Canada (OSFI) issued its Cyber Security Self-Assessment Guidance on October 28, 2013. While noting that many federally regulated financial institutions were already conducting assessments of their level of preparedness, OSFI suggested those institutions “could benefit from guidance related to such self-assessment activities.” While the guidance is neither a regulation nor order, per se, no one doubts that OSFI expects federally regulated institutions to abide by it, and that a failure to do so would have consequences in other forums’ proceedings related to cybersecurity breaches.

Read more here

About canux
© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.