Ontario’s privacy commissioner recommends businesses should consider an insurance policy that will cover first-party costs of responding to a ransomware attack.
“Consider obtaining a cyber insurance policy that offsets the costs associated with responding to an incident such as forensic investigations, legal fees, data recovery services, and financial fraud,” the office notes in a 13-page ‘Technology Fact Sheet,’ updated from October 2022.
Twenty-four per cent of Canadian businesses fell victim to a successful ransomware attack over the past year, up from 17% over the same period last year, according to the detailed fact sheet, entitled How to Protect Against Ransomware. That August 2022 data comes from the Canadian Internet Registration.
One-quarter of Canadian businesses reported the ransomware attack led to reputational damage with their customers and/or their suppliers.
In addition to considering cyber insurance, the privacy commissioner says a company should create a risk management plan to reduce the number of entry points for cyberhackers to enter the organization’s IT system — including through third parties connected to the company’s supply chain.
“Put in place a risk management program that establishes requirements for regular security assessments of both in-house IT systems and third-party service providers,” the fact sheet states. “This can include vulnerability scans, penetration tests, threat/risk assessments, and privacy impact assessments.”
To ensure accountability, the privacy commissioner suggests businesses establish a “privacy and security governance committee consisting of senior executives responsible for information technology, legal services, access, and privacy.”
The commissioner also calls for detailed accounting of the data and information the business stores. A company should audit its business records to find out what data it has, the sensitivity of its various records, and then determine the level of safeguards required to protect the information.
“Taking reasonable steps to protect information from ransomware attacks requires a clear understanding of your organization’s information holdings,” the fact sheet states. “This includes maintaining records of the sensitivity, volume, and nature of your organization’s various information holdings.
“You should document where your information is stored. This applies to cloud computing environments as well as other service providers who process information on behalf of your organization.
“Your organization should:
Maintain an asset inventory that tracks where and how information flows through your organization, such as IT systems (servers, workstations, mobile devices) connected to your organization’s network, what information is stored in those systems, program areas accountable for the information stored in those systems, hardware and software version information, and contact information for responsible IT administrators.
Classify and label information and IT assets according to sensitivity (the level of harm that could result from a loss of confidentiality, integrity, or availability of this information). Put in place safeguards proportionate to sensitivity classification levels.”