Cybersecurity regulations likely to heat up in 2018

Cybersecurity regulations likely to heat up in 2018 | Insurance Business Canada

Canada’s cybersecurity regulatory landscape is about to heat up a notch, with the long-awaited enforcement of Bill S-4, the Digital Privacy Act.

The Act, passed by the federal government in June 2015, enforces mandatory breach notification, which means organizations will be required by law to alert potential victims if their personally identifiable information has been disclosed in an unauthorized fashion.

Regulatory and legislative changes are a key section in Aon’s 2018 Cybersecurity Predictions Report. The insurer suggests: “In 2018, regulators at the international, national, and local levels will more strictly enforce existing cybersecurity regulations and increase compliance pressures by introducing new ones.”

It says organizations across all sectors of business will need to optimize their compliance programs to satisfy this increased cyber scrutiny by leveraging external experts, automation, analytics, and other tools to drive actual, risk-based cybersecurity improvements.

“Canada is going to see some significant regulatory and legislative changes when amendments to the Digital Privacy Act finally come into effect,” said Brian Rosembaum, senior vice president and national director, Legal and Research, ARS Canada. “The new regulations will clarify the obligations organizations are under to report breaches.

“The country is entering a mandatory breach notification regime and organizations of all sizes are going to have to develop a framework setting out how they will comply with the regulations if they haven’t already done so.”  

Privacy commissioners in Canada are tending to paint a “fairly rosy picture,” according to Rosembaum, in which they state companies are already doing what’s necessary with regard to breach protocols and procedures, including creating response plans and understanding who to notify and when. However, this isn’t necessarily the case when it comes to smaller and mid-market firms, he said.

“The issue for small or medium-sized businesses is that they have to come up with protocols and procedures to determine whether or not an event causes a real risk of significant harm to individuals. There are criteria set out in the regulatory guidelines; the companies have to make those calls themselves,” explained Rosembaum.

As the cyber risk landscape evolves, Canadian companies across industry sectors will have to examine the controls they have in place to comply with multiple regulations.
