IT infrastructure, including data management and telecommunications, is becoming the nervous system, if not the brain, of many companies. The failure, interruption or security breach of this infrastructure can have catastrophic business implications for financial institutions. With proper legal due diligence, corporate policies and contractual terms, the risks associated with the implementation of innovative technologies and cloud computing can be reduced, though not eliminated.
The Cost of Cybersecurity
According to recent studies, the average cost of a single security incident to an organization is $7.2 million. Yet in the financial services industry, most organizations spend only $1 million to $10 million annually on information security preparedness.
It is sobering that security breaches typically go unnoticed for around 205 days, giving attackers ample time to move further through an organization's systems and siphon out valuable data. With multi-tenant cloud databases or shared technology platforms, the damage can be even more severe: a single flaw or vulnerability in one area could allow an attacker to reach not just one company's data, but the data of every other tenant on that system as well. Cloud service providers are prime targets, given the vast amounts of data they store and the ease with which a criminal can sign up as a customer and gain a foothold on the shared platform.
In addition, with the growth of the Internet of Things (IoT), more sensors and machines are coming online and exchanging data without any human intervention, creating new access points for attackers and further compounding risk. Other access points include apps downloaded to employee mobile phones, tablets or laptops used for business under an organization's bring your own device (BYOD) policy. Also, open source software (OSS) components incorporated into proprietary software development may carry vulnerabilities that the organization has not itself reviewed or patched.
Legal Best Practices for Cybersecurity
So what should a financial institution be doing from a legal perspective to address cybersecurity threats and ensure it is following best practices?
First, it needs to have up-to-date internal policies that cover current information security threats, data management, software development, OSS use, employee monitoring, employee privacy, BYOD, business continuity and disaster/data recovery.
Second, it needs to implement proper procedures for identifying, assessing, containing and notifying affected parties of a breach.
Third, it should carry out a comprehensive review of all its legal contracts to ensure that they contain robust cybersecurity protection clauses, and that no other terms in those contracts could excuse an outsourced service provider or software and technology vendor from liability for its cybersecurity responsibilities.
Proper legal due diligence includes not just a document review, but also a risk assessment of the service provider and of the applicable legal jurisdictions, as well as a compliance review against OSFI guidelines, Canadian privacy and banking laws, data storage requirements and third party relationship management.
New Contract Terms for Cybersecurity
Legacy commercial contracts are no longer sufficient, as they fail to properly address cybersecurity. Key provisions of vendor and supplier contracts that need to be revised include the definitions of "data", "confidential information" and "material breach", as well as terms dealing with confidentiality and permitted disclosure, service levels (SLAs), business continuity, testing, force majeure, audit, reporting, limitations on liability, disclaimers, warranties and indemnities, among others.
New provisions that must be added to commercial contracts include the definition of “information security incidents”, as well as terms dealing with security breach prevention and safeguards, security training, monitoring, identification, notification and handling of incidents, standards of encryption, data and storage media handling, testing and certification of deliverables and services for cybersecurity, security breach covenants including triggers and escalation processes, investigation and remediation assistance, impact statements and cost allocation for crisis management and public relations, among others.