#CyberFLASH: How much cybersecurity is enough?

How much cybersecurity is enough? This question is as legal as it is technical. In legal terms, the question is answered by the applicable standard of care. The standard of care draws the line between conduct that renders a company liable and conduct that does not. Where a company meets or exceeds the standard of care, it cannot be held liable in law for damages related to that conduct. In the context of cybersecurity, the standard of care may be established by a regulator, by the legislature, by contract or, retrospectively, by a court in the context of a lawsuit. This is rarely, if ever, done explicitly. Standards of care are typically framed in “should” rather than “must” language. They are often technologically neutral, in the sense that they do not require a specific solution to a specific problem.

By way of example, most regulators prefer persuasive as opposed to mandatory regulation. Hence they prefer to issue “guidelines” or “advisories” to establish standards of care. Thus, for example, the CSA Staff Notice 11-326 Cyber Security is, as its name states, a notice, rather than an order or regulation. As a notice, it is not enforceable at the instance of the regulator, nor is there a penalty regime in place for failure to abide. That said, failure to comply would be a strike against an issuer, registrant or regulated entity in any proceeding that arises as a result of a cybersecurity breach.

Similarly, the Office of the Superintendent of Financial Institutions of Canada (OSFI) issued its Cyber Security Self-Assessment Guidance on October 28, 2013. While noting that many federally regulated financial institutions were already conducting assessments of their level of preparedness, OSFI suggested those institutions “could benefit from guidance related to such self-assessment activities.” While the guidance is neither a regulation nor order, per se, no one doubts that OSFI expects federally regulated institutions to abide by it, and that a failure to do so would have consequences in other forums’ proceedings related to cybersecurity breaches.

Read more here

#CyberFLASH: Canada – OSFI Releases Cyber Security Self-Assessment Guidance for Federally Regulated Financial Institutions


OSFI released Cyber Security Self-Assessment Guidance (the Guidance) for federally regulated financial institutions (FRFIs). While the Guidance only applies to FRFIs, service providers to FRFIs will feel a “trickle-down” effect and, therefore, should familiarize themselves with the Guidance.

With cyber attacks becoming more frequent and more sophisticated, cyber security has grown in importance internationally, as well as in Canada, in recent years. Earlier this spring, in response to its growing concerns regarding “the rapid evolution of cyber attacks in terms of frequency, fire power and targets,” the Office of the Superintendent of Financial Institutions (OSFI) identified cyber risk as one of its top priorities and indicated that one of OSFI’s new initiatives would be the “in-depth review of institutions’ current cyber protection practices.”

OSFI, Canada’s federal financial institutions regulator, indicates in the Guidance that it “expects FRFI Senior Management to review cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks.” The purpose of the Guidance, as explained by OSFI, is to assist FRFIs to assess their current level of preparedness to address cyber security risks and to develop and maintain effective cyber security practices.

Unlike the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Preliminary Cybersecurity Framework, which was released for public comment on October 22, 2013, the Guidance does not prescribe a common language or mechanism for FRFIs to control and manage cyber security risk, nor does it expressly build on existing standards, guidance and best practices for managing cyber security risk. In fact, in the Guidance, OSFI indicates that it “does not currently plan to establish specific guidance for the control and management of cyber risk.”

Rather, the Guidance sets forth an 11-page self-assessment template that sets out “desirable properties and characteristics of cyber security practices that could be considered by a FRFI when assessing the adequacy of its cyber security framework and when planning enhancements to its framework.” The template is a checklist against which an FRFI rates its own practices; it does not prescribe controls.

Read more Mondaq (registered)

#CyberFLASH: Canada – Banks, insurers must watch out for cyber attacks, OSFI warns

Canada’s financial regulator is warning banks and insurance companies they need to beef up protection against advanced cyber intrusions from a growing list of actors.

“The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile for many organizations around the world,” the Office of the Superintendent of Financial Institutions said in a note earlier this week. “As a result, significant attention has recently been paid to the overall level of preparedness against such attacks by these organizations, including financial institutions…”

OSFI said it expects financial institutions to monitor their level of preparedness, and to this end it provided guidance on how companies should conduct a “self-assessment.”

Salim Hasham, an associate partner at PwC Consulting, said banks “have been at the forefront of [cyber] security for a long time” because they realize “they are really just very complex information organizations.”

“If you look at a bank today, it’s really just an IT company that takes deposits,” he said.

Read more National Post

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.