SMEs and cyber-risks: inertia is no longer an option

July 7th, 2016

The real question today is not whether businesses should manage the cyber-risks associated with their operations, but how they should do it.

Serge LeBel, Partner, Lawyer and Administrateur de sociétés certifiés (ASC)

The risks related to using information technologies are numerous; they range from data theft to hacking to the complete paralysis of computer networks. Unfortunately, such risks change rapidly, making it impossible to eliminate them totally. It is a misconception to think that cybercrime is solely the concern of big business. On the contrary, small and medium-sized enterprises are easy targets because generally they have less sophisticated defense mechanisms. The time has come to follow the example of thousands of entrepreneurs and make the security and control of your IT system a priority.

Consider the hypothetical case of a company that is the victim of a cyber attack that paralyzes its computer system. It becomes unable to process transactions or finalize orders; in short, it cannot do the things that are indispensable to the smooth running of its operations. Even worse, confidential data belonging to the company or to its clients is stolen, and the company will have to inform them about it.

Such an incident could seriously harm the reputation of the business, not to mention prove to be exorbitantly costly.

The company could also be exposed to legal proceedings if, due to inadequate management of its IT system, the attack affects third parties. That risk would be all the more real for anyone sitting on a corporation's board. Its directors have a duty of diligence and competence and would be severely criticized if it turned out they were negligent in managing the company's cyber-risks. A preventable cyber attack could be the basis for lawsuits against the directors and could compromise their position with the company or undermine shareholder and stakeholder confidence.

Be proactive: Adopt and apply a prevention protocol

To reduce the risk of a cyber attack and minimize the consequences should one occur, the best option is to adopt a prevention protocol that reflects industry best practices, applies to all of the enterprise's activities, and takes into account risks originating with third parties, be they clients or business partners. This will require implementing and monitoring the various measures in the protocol. Also, given the ever-increasing risks, a periodic review of the protocol and adoption of new best practices will be necessary. In short, this is simply a concrete application of the duty to act reasonably with respect to risk management. Your business will also need to purchase an insurance policy that provides sufficient coverage against losses that you or third parties could sustain in the event of a cyber attack resulting in data theft, extortion or hacking. You should also ensure that your policy protects you against lawsuits that may be brought against you as a result of a breach of computer security.

Given that cyber-risks are a relatively new phenomenon, businesses should review their insurance policies. Consider the Sony case, in which the New York State Supreme Court held that the consequential damages sustained by the company that created PlayStation as a result of a major hacking in 2011 were not covered by its insurance policy.

New obligations that directly concern you

As entrepreneurs, business owners or corporate directors, you should find out which legal obligations govern you, given the nature of your activities and their territorial scope. To address the new reality of cyber-risks, the provincial and federal governments have enacted laws and regulations that require companies to take security and control measures seriously. These new provisions are of direct concern to you because they increase your privacy protection obligations and prescribe penalties for failure to comply.

For example, if your enterprise is governed by federal legislation, or if you gather or obtain personal information as part of your interprovincial and international operations, you must comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA). However, if you operate in the health sector, you would be governed by Québec's Act respecting the Protection of Personal Information in the Private Sector.

Thus, it is in your interest to find out which legislation governs you and what obligations follow from it, and to adopt one or more policies that enable you to comply with that legislation.

In short, although information technologies are a definite asset in running your business properly, the new reality of cyber-risks requires you to use such technologies hand in hand with prevention measures. Those measures will vary, from developing an IT resources management protocol to purchasing sufficient insurance coverage. Although such measures take time and effort, they are crucial and will ultimately protect you from nasty surprises.

Our strategic Internet team would be pleased to assist and advise you on how to protect you, your computer system and your business from cyber attacks.

Serge LeBel is part of BCF's strategic Web team, which provides our clients with services and legal advice regarding their online presence. This constantly changing environment requires the expertise of a multidisciplinary group like the BCF team.