Three key issues from the Ontario cyber security Expert Panel report

On October 3rd, the Ontario’s cyber security Expert Panel issued its report to Minister of Public and Business Service Delivery, Kaleed Rasheed.

His Honour said, “The Expert Panel’s recommendations will form the foundation of our cyber security policies and help develop best practices shared across all sectors as well as inform future targeted investments in our cyber capabilities and defences.”

Those recommendations are:

Regarding governance: Ontario should reinforce existing governance structures to enable effective cyber security risk management across the BPS.
Regarding education and training: Ontario should continue to develop diverse and inclusive cyber security awareness and training initiatives across all age-levels of learning, supported by a variety of common and tailored content and hands-on activities.
Regarding communication: Ontario should implement a framework that encourages BPS entities to share information related to cyber security securely amongst each other with ease.
Regarding shared services: Ontario should continue to develop, improve, and expand shared services and contracts for cyber resiliency across the BPS, considering sector-specific needs where required.

Here are three issues of significance to public sector instutions and their insurers.

FIRST, the governance recommendation contemplates more government oversight, including through “a single oversight body, employing a common operating model [and] clearly establishing accountabilities.”

Institutions require more funding to address cyber security risks. This recommendation is positive because it will lay the necessary groundwork.

As suggested by the Expert Panel, the current relationship between government and institutions is somewhat confused. Government is engaged an informal kind of oversight that lacks effectiveness and can rightly put institutions on guard because its measures are unclear. Institutions will benefit from clear and simple accountabilities and – did I say it already? – the funding to meet those accountabilities.

SECOND, the communication recommendation encompasses threat information sharing, with the Expert Panel stating, “Ontario should establish a unified critical information sharing protocol to ensure quick communication of cyber incidents, threat intelligence, and vulnerabilities amongst BPS organizations.”

This is to rectify what the Expert Panel says is the “unidirectional” flow of threat information, which is reported to government but is not yet “broadly shared across the BPS.” Institutions know that government currently craves the early reporting of threat information, but the perceived benefit is still minimal. The Expert Panel recommendation is positive in that it may lead to their receipt of more timely, more enriched threat information.

THIRD, the shared services recommendation addresses the cyber insurance coverage problem now faced by the public sector. The expert panel states:

Ontario should investigate options for establishing a self-funded cyber insurance program to support the delivery of services such as breach coaching, incident response, and recovery to which all BPS organizations can subscribe.

There is a form of self-funded cyber coverage available various parts of the Ontario public sector through insurance reciprocals. This coverage is expanding, and the role of reciprocals is becoming more important now that the insurance market has become so hard. Primary coverage by reciprocals, even if limited in scope, can make secondary coverage more obtainable for public sector institutions.

The “breach coaching” reference above gives me pause, though I understand it to be indicative of how the role of expert legal counsel in incident response was borne out of the cyber insurance market (with the term coined by cyber risk and insurance company NetDiligence, I believe).

Breach coaching is simply expert legal advice by another name. It is funded by cyber insurance for those who have coverage, and insurers have required their insureds to use vetted and approved legal advisors in responding to incidents because they understand the risk mitigating (and cost reducing) value of this specialized legal service. Public sector institutions without coverage bear all the same risks as those with coverage, and without proper advice are at great peril. The need for proper legal advice one reason is why it is so important to solve the public sector coverage problem, though institutions dealing with a major cyber incident should not consider legal advice to be optional.

Good quotes on the impossibility of “ensuring” security and achieving zero risk

I blogged about Arbitrator Sudykowski’s decision in Providence Health when it was released in 2011 for its ratio – employers are entitled to more than a bare medical certification when an employee is absent from work.

I had occasion to use the case in a matter I argued yesterday, and was pleasantly surprised to re-read what Arbitrator Surdykowski said about data security and the impossibility of “ensuring” data security. The union had made an argument for minimizing the collection of health information that rested on data security risk, to which Mr. Surkyowski replied:

I agree with the Union’s assertion that there is always a possibility that private and confidential medical information may be inadvertently released or used inappropriately. Try as they might, it is impossible for anyone to absolutely guarantee information security. All that anyone can do in that respect is the best they can. There is nothing before me that suggests the extent to which the inadvertent (or intentional) release or misuse of confidential information occurs, either generally or at the workplaces operated by this Employer. More specifically, there is no indication of how often it happens, if at all, or that best efforts are demonstrably “not good enough”.

In a perfect world, the security and proper use of confidential private medical (or other) information could and would be guaranteed. But to be perfect the world would have to be populated by perfect human beings.

This is a nice quote to bring forward in this blog, of course, because it’s always a good to remind ourselves (and others) that the mere happening of a security incident doesn’t mean fault!

It’s a hard point to argue when hindsight bears heavily on a decision-maker, but is indisputable. I once defended on employer in a charge that followed a rather serious industrial accident in which an employee at truck dealership was run over by a tractor. The Court of Appeal held that the tractor wasn’t a “vehicle” for the purposes of the Occupational Health and Safety Act and entered an acquittal. In examining the context for this finding Justice Cronk made the same point as Arbitrator Surdykowski:

That said, consideration of the protective purposes of the legislative scheme is not the only consideration when attempting to ascertain the scope of s. 56 of the Regulation. The Act seeks to achieve “a reasonable level of protection” (emphasis added) for workers in the workplace. For obvious reasons, neither the Act nor the Regulation mandate or seek to achieve the impossible — entirely risk-free work environments.

Every security incident is an opportunity to tell a story about pre-incident due diligence that highlights this basic truth. (If your defence rests our horrendously vague privacy law you’re in trouble, I say.) It’s also reason to hold our tongues and not judge organizations who are victimized, at least before learning ALL the facts. Security incidents are complex. Data security is hard.

Cyber insurance and incident response practice

Here’s a deck from a Monday panel presentation that I participated in with some colleagues from the sector. It features a cyber incident scenario and some questions. See if you can answer them, and if you’d like to have a discussion, please comment or get in touch.