Brent J. Arnold
Partner
On-demand webinar
Henry: Okay. Good afternoon, everyone, as you log in and join us. We wanted to welcome all participants and thank you for joining us today. My name is Henry Harris. My partner, Brent Arnold, is with me here in Toronto. I will do the introductions a little bit further in a moment, but we're coming to you on January 21, live from Toronto, home of the 2019 NBA Champions, the Toronto Raptors, where we celebrated in large crowds pre-pandemic. I wanted to acknowledge and congratulate all of our neighbours in the US on a historic and successful and peaceful inauguration held yesterday. We intentionally, humbly, held our session one day later so as not to conflict with that important US event. We are excited to be launching today our Gowling WLG Tech webinar series. This is a three-part series where we're going to be exploring emerging trends and issues relating to advising tech companies. Today's topic is cyber security, and I'll introduce that topic a little bit further in a moment, but let me first introduce myself and our firm. My name is Henry Harris. I'm a business law partner in Toronto, Canada and I serve as the leader of our California Regional Team. Gowling is a global law firm of 1,400 professionals. We're in 19 cities internationally, from Canada, the UK, Europe, Asia and the Middle East. We do not have any offices in the United States, and intentionally so, because we have some very good partners and contacts that we work with in the United States. This session is being put on in conjunction with, and as part of our partnership with, the Silicon Valley Association of General Counsel, SVAGC. So welcome to all SVAGC attendees. Our firm has been a proud sponsor of the annual All Hands meeting that takes place in Silicon Valley every year, typically in November.
Obviously that did not occur in 2020, but we're delighted to be working with Ross and having the opportunity to connect with this group of people with whom we would have otherwise enjoyed the pleasure of connecting in person. As it relates to my own practice, I am a business lawyer and, in my role as leader of the California Regional Team, I have the pleasure of working with a number of Silicon Valley tech companies. Some household names, some emerging companies, and some or many of those companies are joining us for this webinar and others in the series. I would be remiss not to take care of a small bit of housekeeping: for all registrants seeking California MCLE credits, this is a reminder for this session to please visit the All Hands link, which we have just posted in the chat section of this webinar. So you should see that below. I have been told that it is necessary for you to click on that within 15 minutes of this session starting, so that you can have your time date-stamped, and I understand for many of you there's a January 31 deadline for getting your MCLE credits.
With that in hand, I would like to introduce our topic for today and my partner Brent Arnold. Today's topic is cyber security. Brent is an advocacy partner, also working in Toronto and also focused on tech companies. He specializes in commercial litigation, data breach coaching and response, and data breach class action defense, among other things. So we have a full agenda of items and information to cover on this topic. Please feel free to put your questions in at any time as Brent goes along with the session. We are likely going to defer the answering of the questions until towards the end of the session, but if there is something that comes up that is timely I will politely interject with Brent and try to address it as the presentation goes on. So without further ado, let's get started and let me introduce you to Brent Arnold.
Brent: Thanks a lot, Henry, and thanks to everyone for joining us. I know you've got a lot going on this week, so we appreciate you taking the time. I should start with a legal disclaimer, as I'm required to. We're not giving legal advice in this session. We're just providing legal information, and if you find yourself dealing with a cyber security issue please do consult with local counsel, and do it quickly. Here's where I'd like to take us today. It's the beginning of a new year and I'd like to start by laying out the cyber risk threatscape for 2021 that you and your companies will be facing. I'm going to talk a bit about the increasing complexity of compliance with privacy legislation that we expect to see heighten over the course of this year. If you haven't had the privilege or misfortune to experience a data breach in your own company, I'm going to take you through a bit of what a data breach response looks like. I'm going to talk a bit about how law firms should be protecting their clients' interests. This audience, as I understand it, is General Counsel, and so, as consumers of external legal services, you need to be concerned about what your lawyers are doing to protect your data and your clients' data. Then we're going to talk about what you, as in-house counsel, should be worrying about when it comes to protecting your internal client. We'll end with questions, and please do put the questions in the Q&A box at the bottom of your screen, not the chat, just to make sure that we catch them. I should tell you that people will see the Q&A. I believe it's anonymous, but if it's not you may want to think about what you're comfortable sharing, and hypotheticals are welcome, of course. So let's get started.
What do we see looking into the crystal ball for 2021? Well, what we see is, as in so many things, 2020 only more so. We're going to see continued, and for some, permanent remote deployment. We're going to see a continued expansion of the cyberattack threat surface that your IT professionals and cyber security professionals need to worry about. We're going to see exciting and new and improved attacks, by not just criminal threat actors but also State threat actors. So let's unpack all of that a little bit more. We rushed into pandemic remote deployment across the world, some more successfully than others, and all of us in a hurry. Even now a lot of the world is still remote deployed. As you've probably been discussing in your own organizations, that dynamic isn't going to change when the pandemic leaves us and when people are allowed to go out and go around. It's been an interesting and unexpected test, but what we've discovered over the course of it, and what lots of very, very large companies and tech companies have discovered, is that their employees remained unexpectedly productive during the pandemic and during remote deployment. They've realized that if they can stay as productive as they were when they were in physical buildings, they can decrease their overhead, and they can potentially have smaller premises. To some extent costs are passed down onto their remote workforce. The World Economic Forum published a survey of 1,200 CIOs worldwide, from a cross section of industries, and they report that 48.6% of the respondents reported increased productivity since remote deployment, which nobody expected. It appears from the survey that those companies expect remote deployment to increase from 16.4% of the workforce to 34.4%, regardless of what happens with the pandemic. That dynamic is here to stay, and the threats that are inherent to it are here to stay as well.
So let's talk about the threat surface. More remote workers means less supervision and control over what devices are being used and how. There's no looking over somebody's shoulder as you pass through the office to see what they're doing. You've got more company devices out in the field with less oversight than before. You've got risk due to hastily installed VPNs for those companies that weren't really set up to do remote deployment before, and one of the things we saw in 2020 was a number of very clever ways of attacking the organization through improperly configured virtual private networks. We're also going to see continued problems with the bring-your-own-device culture that has been growing over the past few years, which many companies were forced to adopt, as they weren't set up to send employees home with office phones and office laptops at the beginning of the pandemic, and, of course, some organizations have always been bring your own device. So what we see in that dynamic, again with people out from under the watchful eye of IT, is that you have employees forced, in some circumstances, to use their own computers or tablets and phones outside the company security umbrella. Then you've got other employees choosing to do so because they find the measures put in place to make remote work safe on enterprise devices inconvenient, or they just don't like them as much as using their own devices. So you have people essentially taking workarounds that take them out from under the umbrella of the firm's security, and you can't really know, unless you're on top of this, whether or not those devices have virus protection, firewalls, or login access controls. People using their own cell phones maybe don't have them set up to require a password.
These kinds of problems, as people are gradually able to leave their homes but stay remote deployed, mean we're going to see an increase in something that we saw well before the pandemic, which is the danger of people working in a socially distanced way but outside their house, in coffee shops, libraries, etcetera, using free WiFi. That's a huge security risk, and not enough employees are knowledgeable enough to recognize those risks and protect against them. We're also going to see continued problems with loss and theft of hardware containing corporate data. Laptops being left in cabs was always a problem, but now, if everyone's remote deployed with a laptop and suddenly allowed to leave their houses, we expect to see more of this. We also are going to continue to see problems with people losing smaller storage devices that are easy to lose track of. This has always been a bugaboo for privacy professionals, and we'll see more of that, I expect. We expect also the concern around communications to be a problem. It started with the pandemic. It's going to keep going as long as people are working from home. You've got people taking cell and Zoom calls around other people, if they have roommates or other people living in close quarters with them. You've got people leaving documents out in view of others, or screens up with emails with confidential data in view of others. I can tell you our firm, and many others I'm sure, have implemented a no-printing policy for those who are remote deployed, just to cut down on the risk, because it's hard to enforce a clean desk policy if people are working with paper outside the office. And we're going to see, hopefully, fewer problems with the video conference platforms, in part because malicious actors continue to invade those platforms for sport or for espionage. Also, we have just user inexperience and ignorance: people not setting things up with the proper security in place.
We would hope that there's less of that as we've all had a 10-month learning curve now, but I expect we're still going to see some problems from that. There's always the problem of physical security, and we touched on this earlier, and I know that your own government experienced a graphic example of this not long ago, in the worst-case scenario. It seems not to have been as bad as we had feared, but in the worst-case scenario, a laptop stolen from the Capitol in the Capitol riot could have been provided to the Russians, Russian Intelligence. It didn't happen, but it could have. So if you're a company that sits on valuable intellectual property, it's much easier for somebody to walk into one of your employees' houses than for them to get into your building. So these are the concerns that we continue to worry about, which are just heightened by remote deployment.
We're going to look into the crystal ball, and a few companies that are devoted to this have come up with some interesting conclusions. As I go through these briefly you'll see it's interesting that there's some overlap and also some big differences in the things that various experts are expecting and fearing. We do expect that there are going to be more attacks on home computers and networks, and even the use of home offices as criminal hubs, by taking advantage of unpatched systems and architectural weaknesses. Your employees' computers could be serving some malicious purpose without them even knowing it, if it's possible for them to be accessed. The rush to move everything onto the cloud has also created a lot of security holes and challenges and misconfigurations, and it's not hard to misconfigure a cloud storage system, and also outages, which are hard on productivity as well as presenting a security risk. We're going to see more growth in the security industry, which is good but, of course, is a product of the problem: new products, new mergers and acquisitions, that will cause network complexity issues and integration problems and are going to overwhelm cyber teams for some time. It's such a massive time of change for all of us, but it's in particular a massive time of change for your IT teams, who are having to change the whole model that they work with. Privacy's going to continue to be a problem. You're going to continue to see lack of discipline around users who get fed up with following the rules. You're going to see confusion and you're going to see people start to get sloppy. We're going to see a move away from traditional passwords to identity and multi-factor authentication. This is already taking place and it's a good thing, so that's some of the good news. We're going to see a lot of Internet of Things devices hacked, and that's been happening on a steady curve for some time now and it's going to continue.
Ransomware's going to continue to get more creative and more malicious. We have already seen, and I had clients of my own deal with this in 2020, ransomware that, rather than just bricking your system and then requiring you to pay to get access to your files, steals the data before the theft is detected and then bricks your system. So you now have two issues to deal with. One, the business interruption of having your files inaccessible and two, the massive privacy risk of your data being out there and possibly sold on the dark web, which is what a lot of these criminal organizations are doing using this ransomware. We're going to see 5G vulnerabilities as the new technology goes through its initial growing pains and is rolled out. We're going to see advanced persistent threats, and those are ones where, and they're often State sponsored because it requires a level of sophistication, threat actors invade your system and can be there for weeks or months before they actually exploit the vulnerability and the access. Imagine, and this happens, a threat actor in your data for months, going through your emails, figuring out who's important, figuring out how best to scam you, and figuring out what your business is worth and what your data's worth. We're going to see interesting new ways of attacking mobile devices and smart phones, including through the app stores, and also, and we saw this with SolarWinds, not in the mobile device realm, vendor-level attacks in the supply chain, where big companies relying on other companies to provide code and applications are compromised and infiltrated. We've even seen in this past year patches and updates infected with malware, so people trying to update their systems to protect their systems were downloading viruses, undetected. Cryptocurrencies are going to play more of a role, and criminals will be switching between cryptocurrencies as a way of further laundering stolen money or extorted money.
And we're going to see a lot of business plans essentially implode as digital transformation projects continue to grow and change the way that companies do business. It's a very rapid transition that I'm sure many of you have experienced.
The folks at Symantec, who are now Broadcom, pointed out some similar concerns. One, ransomware gangs developing new tactics to force payment. New ways, again, to exploit remote workers, and, this is a dynamic we're already seeing, close cooperation between cyber criminal groups. For instance, they are seeing cooperation now between botnet operators and ransomware authors. So you have the attack developers and the delivery mechanism developers all starting to come together, and that cannot be good news.
McAfee, experts in security for a long time, are worried about an increase in supply chain backdoor techniques for attacks. Hacking into the home office again. Attacks on cloud platforms, as we saw before, that are becoming once more automated but also more handcrafted and bespoke. Innumerable payment scams as mobile payment continues to become the way that we do business. QR code abuse. Same problem. And an increase in social networks as workplace attack vectors.
Finally, Security Magazine is concerned about increased social engineering attacks, sort of like what we were just talking about with social media. Exposure to known, and also unknown, internet-facing vulnerabilities. There are plenty of known vulnerabilities out there that are not being patched and dealt with fast enough. Sometimes it's taking months or years to address them, and then of course there are the ones that companies don't even know are there. We're going to see more exploitation of system administration tools. We're going to see a continued lack of monitoring of critical systems, and we're going to see more human-operated ransomware on the rise. The interesting thing that we've seen over the last few years, and I was talking a bit about this with the advanced threats, is that it's not just a generic opportunistic attack where somebody clicks on a link, downloads a generic piece of ransomware and it's an automated process where they get shaken down for a few hundred dollars. These ransomwares are being used as part of a very sophisticated wave of attacks by criminals, where they're spending real time figuring out what your business is worth and what your vulnerabilities are, and the ransoms are just getting higher and higher.
Compliance with your privacy law obligations is going to get more complicated too, and if it's not in 2021 then it's certainly going to start in 2021. You already have the California Consumer Privacy Act, which came into effect January 1, 2020, some aspects of which are retroactive, as the case law is demonstrating to us. You're going to see the first wave of adjudicated cases coming out of breaches of the CCPA guidelines and attempts to stretch the application of the law and the private right to sue. That's another dynamic we already started to see in 2020. I imagine you're going to see copycat laws from other States. State legislatures love passing tough-on-privacy laws because it's an easy way of assuring your constituents that you're taking action. It's sort of the new tough on crime as far as legislation goes. Much harder to implement, but that's a dynamic I think we can expect to see. Finally, the IAPP is expecting the Biden Administration in its first term to move towards implementing a comprehensive Federal privacy law. Now, as you probably all know, that takes a very long time to pull off. Not just to pass it but even just to craft it. But I think it's likely that that will be an initiative in the first administration, and that of course is going to cause a sea change with respect to American privacy law obligations and potential reporting obligations.
Let's say your company's been hit by a cyberattack. What happens? What do you do? Your first step is to identify the nature of the breach and contain it, and hopefully you have the IT staff to do that. I should pause here to say IT expertise and cyber security expertise are not at all the same thing. You really do need them if you don't have them already: people that know cyber security, and they're not the same people that are installing your computers and patching your systems and dealing with day-to-day tech support problems. This is a specialty. You need to immediately contact, and some of this depends on what your emergency plans look like, you need to call your insurer, if you have cyber coverage, and that's really important at the outset because often your insurance policy determines who the external vendors are who are going to help see you through this. Who do you call next? They will often identify your breach coach, and a breach coach, this is one thing I do, essentially acts as the crisis management person who sees you through this. Pulls together the different forces outside the company to work on the problem and coordinates them. You need to get legal advice, and most times your breach coach is external counsel. You need to get the data forensics people in right away, and they've got a few jobs. They need to contain the breach, figure out what happened, tell you how to stop it from happening again and make sure that the evidence is preserved in case there are proceedings arising out of it. As we just said now, that's the second step: investigate. As part of this you need to determine who's affected because, of course, you've got privacy law reporting obligations depending on the nature of the data, and you need to determine what your potential exposure is. From there you need a strategy in place to notify the people who are affected and report it to the regulators. I've put in here, is there a real risk of significant harm?
That's the language from the Canadian Federal statute, but it's a principle that you see in most privacy laws. If there's a real risk that somebody's going to suffer harm, and harm is very broadly defined, it includes economic harm, reputational harm, a lot of things, you've got a reporting obligation. You need to let them know and you need to report to your applicable regulators. From there the remediation effort starts. You have to look after the people who were affected, and I should say this usually includes credit monitoring that you offer to them and that you pay for, and this is for people whose data was affected. That's become table stakes. It's no longer just a good gesture. It's what is expected by courts and by regulators now, increasingly. You need to plug the holes in your cyber security systems and your data systems. All of this matters because, we'll see this in a moment, it all matters because the goal here is first of all to solve the problem, get your business back up and running and make sure you protect your clients and customers and other people who are affected by it. But second of all you need to be seen to do all that, because if there's litigation arising out of this, or if a regulator takes interest in the case, you need to be able to show that you behaved like a responsible corporate citizen, and that's what that looks like. One thing to keep in mind as you're going through this cycle is don't lose track of your contractual obligations when it comes to reporting an incident like this. Often large companies have contracts in place with large vendors, and some of these are very key contracts, like, let's say, your payments provider, that oblige you to let them know when there's a data breach incident. The obligation can be more stringent than your reporting obligations under your State and Federal laws. It can be as broad as: if there is a breach you must report it, regardless of whether there's actually any harm arising from it.
They may require you to report immediately or within a 24, 48 or 72 hour window, which in many States is a shorter window of time than you would be required to report to the regulator. You can miss this and then you're in breach of some potentially very important contracts. It's also a public relations disaster in dealing with your clients and others affected. So if you haven't been tracking your contractual obligations for this sort of thing, you should do that now. I had a client last year who realized, as the breach happened, that they hadn't done anything about keeping track of these obligations, and we had to spring into action and review hundreds of contracts to figure out who they needed to tell what to, and often they're different. So the tracking of all of this is very important. You have to stay on top of it.
Lessons learned and continuous improvement is what happens after a breach and after you've plugged the holes. You remediate the security deficiencies. You document the changes and improvements made. You update your incident response plan and policies as required. As I said before, the key here is to show the courts that you've improved. You've identified the problem and it won't happen again.
So I want to talk a bit about your external law firm service providers and why you need to be worried about them looking after your data. They're a prime target, as you know. In the same way that companies that hold high-value intellectual property or information are targets, the law firms that do their patent work or deal with their litigation or deal with their corporate matters have access to a lot of this as well, and the criminals and State actors know that. We saw this with one international firm 3 years ago, DLA Piper. It was hit by the NotPetya ransomware attack. It's a global law firm that at that point was 4,000 lawyers. They had to shut the whole firm down in 20 minutes, and it took a week to resume operations. That's a very long time for a professional services firm, or any business, to be out of commission, as you can imagine. The financial loss was estimated to be in the millions. I should say they're not unique in being attacked. All of the large firms, and even the mid-size ones and small ones, are targets, and in fact we've seen in the last few years mid-size and small firms be a particularly ripe target because they don't have the infrastructure in place that a large firm does, or the contracts with external vendors to protect them. They're often the sort of firms that have one IT person who's also in charge of cyber security, not much of a budget, and not very sophisticated owners. So they are, again, prime targets. I'm not saying that's the case with the firm that I'm about to mention, but it is with some firms that I've seen. But another example of a law firm being targeted: Grubman Shire is a New York-based entertainment firm. It represented Drake and Lady Gaga and Bruce Springsteen. They were hacked by one of those strains of ransomware I was talking about before, the kind that steals your data before they make the demand.
They leaked contracts and telephone numbers, email IDs and solicitor/client privileged communications, just to show that they were serious about the ransom. This is something you'll see some of these threat actors do. They will leak some of the data. They'll send it to you or they'll put it on the web, just to show that they actually do have it.
So what should you be expecting your law firms to do? They should be improving their cyber security posture, and it's no different from what companies need to do. They need to increase their cyber awareness generally, at all levels of the organization. They need to improve security awareness and culture. They need to increase their security budget. The recommendation I often see, and I agree with, is that your security budget shouldn't be part of your IT budget, because when it's the same budget, and often the same people, the people and the funds are torn between two different imperatives. One is keeping users happy: giving them the latest tech, giving them the apps that they want and satisfying the internal client in that way. That's a very different imperative from cyber security, because people can understand a new laptop, and they understand the bells and whistles and the applications they get. They see that immediately and they appreciate it. Cyber security is the opposite. Cyber security is like good State intelligence. If it's working well you never hear about it and you never see any good results. The only way you know that it's not being done right is when you have an attack that succeeds. So it's hard sometimes to make the business case for why more money needs to be spent on cyber and, as I said, it's best to keep these things coming out of a different pot of money than what's coming out for IT. I was speaking at a conference a few years ago and somebody asked me, what should I spend the money on? Another person to work in my IT department to help with this, or insurance? As a lawyer I say you have to do both, and it's the same for cyber security. You have to find the money to meet the minimum requirements for both of these aspects of the business, and the percentage that you spend on cyber security is going to keep going up. That's a reality we all need to get used to.
You need to make sure that they're encrypting their data and that they're practicing secure file sharing. My firm, and many others, use a particular file sharing service that works like Dropbox but is end-to-end encrypted and is the choice of law firms and other organizations that are handling highly sensitive data. So make sure that they're not just using a cheap off-the-shelf solution but that they're using one that's truly secure. They need to be using two-factor authentication. As we saw with the break-in at Capitol Hill, we had computers in there that weren't even, in some instances, password protected, and people could log onto the systems easily. You can't assume, particularly in a remote deployment scenario, that there aren't going to be people just walking up to a computer and fiddling with it. So your law firms need to be serious about implementing two- or multi-factor authentication, and they should be investing in intelligent IT systems, and this is the same for companies. Frankly, it's not enough to just have firewalls and virus protection. You need to have a way of actually monitoring what's happening in your systems. Often the way that a breach is detected is that something odd happens. It's not that your cyber security measures will alert you. It's that there are odd patterns in what's happening with your data: large volumes of data being downloaded or moving around in the system, things that just don't look right even though they don't scream virus. That requires a different level of software and sophistication to catch those things.
Some of this is going to be the same, but let's talk about what you need to be doing in your own companies. As GCs, I appreciate fully that this isn't all on your desk, but I imagine many of you are also doubling as compliance officers or as privacy officers, or at least working hand in glove with those people. You need to be part of this solution as well. You need to make sure that employees are aware of, and actually following, corporate policies around data security. Following is where the devil's in the details. Too many organizations treat compliance as a sort of tick-the-box exercise. Yes, we have policies. Yes, we have an incident response plan. Yes, we have physical security. But if the employees don't know about it they're not going to follow it. If they're not following it and it's not being enforced, you're at risk. And again, courts and regulators now have gone beyond just asking if you have this; they are asking, are they being trained? How often are they being trained? How often are you doing tabletop exercises to see whether or not your plans and policies actually work? Do your plans and policies mention people in key roles who aren't at your company anymore because you haven't updated them in years? These are the kinds of problems that you can run into. If you don't have policies and an incident response plan in place, get them, because these are now table stakes. When a case gets to a regulator or to a court, for a large sophisticated entity the amount of time where it would be an excuse to say these are new threats and we didn't know about them, or we weren't as aware as we might have been, has run out, because now it's expected, particularly with all the guidance coming from government. It's expected that companies will know about these things and plan for them.
As I said before, make sure that incident response plan, and the incident response plan if you haven't been involved with one before, deals with everything from who's the first phone call to what do we do next and how do we see this all through. Who are the external vendors we call in? Who do we report to internally? What do we do first of all? Do we turn off all the servers or do we not turn them off because then it's harder to diagnose and shutdown the breach? So it contains a mixture of technical and logistical and business imperatives all in one place. Again, if it's not up to date you've got a problem. Most incident response plans that I saw as of 3 years ago would say is the first step, get everybody who's key into one room. How are you going to do that if they're remote deployed? Do you have cell phone numbers for all these people or were you just assuming they'd be in the office when the breach happened? So if you haven't updated your plan pre-COVID update it now and make sure it's capable of remote implementation because, again, many of the measures and many of the risks that your incident plan may have been geared to deal with a few years ago are not going to deal with this new reality that we're seeing now. Again, if you don't have an incident response plan now is the time to do it and engage external professionals to do it. Don't rely on things you just find off of the web. Most of the good plans you will pay money for. You're not going to just find them off the shelf like a Will kit. Again, you need to remind your employees about their cyber risk and data protection training, especially in this remote environment. If the training doesn't deal with the reality of remote work, it should. There are a lot of good external providers who do this sort of training, or can develop it for your company, and often it's as easy as just a click through program not unlike sort of a game where they have to go in and answer questions. 
There should be testing to see whether or not employees are clicking on links and emails that they shouldn't be clicking on. So you need to make sure that they're trained regularly. Make sure that they remember it still counts when you're not in the office and you need to be testing to make sure that they are actually following the imperatives of the training and the policies. Once again, if you haven't trained your employees, and I'm not just talking here about the executives and the people who are used to working remotely because the road warriors mostly know all these things, the real risk is the people that have always had a 9 to 5 job in your building, in your office, and when they leave at 5 their work day is done. They only use corporate devices. That's not the reality that many of them are working in now so their understanding of what they need to be cyber secure doesn't include what if I'm using my phone? What if I'm using my home WiFi? Is all of that secured? The training needs to take account of these and also your policies obviously need to take account of all of it too. Again, you need to closely monitor transactions. One of the things we saw at the beginning of the pandemic was lots of companies whose business model, in terms of how the company worked, was everyone in the building relied on wet signatures on paper to approve transactions, face to face. You'd go to the person who is supposed to approve. You see that it's them. You watch them sign it. You take it back. That's a very good secure way of making sure that your transactions policies are followed. Very difficult to do that, impossible in fact, if you're remote deployed. So now you have people sending emails to people to say will you approve this? How do they know that those emails haven't been intercepted and somebody else is responding to them? They may have phone call approval.
If this person doesn't work regularly with the person that is supposed to be approving these things are they going to recognize their voice on a phone? So you need to make sure that your internal processes, if you haven't updated them to accommodate this remote work scenario, do that now. And again, make sure that people aren't finding workarounds or ways around the procedures just because they may be cumbersome, because even before the pandemic it was not uncommon we would see people with systems hacked into. The threat actors sit in their systems for weeks or months, figure out who's in charge, figure out how they write, figure out what the processes are and then start sending fake emails saying transfer this amount to this person or to this part of the department and they know that there's no other authority required to carry that out with the amount that they're asking for. So these were problems before people were remote deployed and couldn't speak to each other person to person. So you need to stay on top of that to make sure that your basic business processes accommodate this and work in a way that's safe.
Other things that should be being done, and this is where you work with IT or CIO and CISO, partitioning to keep corporate information separate from personal information. Limit retention. Every privacy statute virtually requires that you limit how much data you take in from people that would fall within privacy regulations. You don't keep it for longer than you need to know and you don't use it for purposes that it's not intended for at the time of collection. So again, here you need to be careful about your employees accessing this data on personal devices and that they shouldn't be storing it on their own devices as well. You want to limit access, to the extent possible without interfering unduly with your business processes, if a person doesn't need to have access to something, they shouldn't have access to something. It takes a long time to sort this out in a big organization but it's crucially important. You need to be encrypting devices, and limiting the kinds of devices that you allow people to use, if they're using their own devices. Obviously, and this seems so basic but it so often gets ignored and not followed, up to date anti-virus software and patches. Patch, patch, patch. Most of the vulnerabilities that we see being exploited in cyber attacks are known vulnerabilities, for which the software providers have already provided a fix, but they haven't been downloaded and implemented because of course it annoys people when their computer slows down because of patches being installed. Do it anyway. You need to have appropriate authentication controls in place, obviously. You need to, again, we're moving beyond the password. We're at least two factor authentication and we're moving into multi-factor authentication. Biometrics and so on. Equip your employees, we're almost done the list, I promise, equip your employees with enterprise-owned and protected devices to the extent that you can afford that. Use safe remote access.
VPN is a good option but there are others and make sure that they're properly configured. If you don't have the internal expertise to do this right bring in external experts to make sure it's done right. Again, encourage employees to properly protect their own devices and don't let them use devices that aren't protected. That's very difficult to implement in this environment but there are ways to do it. Allow for remote updates and patching, again, regularly and don't make it easy for employees to work around this or stop it from happening. You really want to reduce the use of paper which helps you reduce the accidental loss of data in hardcopy because, again, not all data breaches are cyber breaches. Sometimes they're people barging in as we saw early this month. Make sure, to the extent that you can police this, that your employees, if they're working remotely or only working from home, are observing clean desk, or for that matter, clean kitchen table policies. Unless they live alone, I guess, but it's still just good cyber hygiene to be putting away whatever paper they're working with. Preferably they're not working with paper. Locking their computer when they're walking away from it and so on.
Happy to take questions now. I see a few have come up in the Q&A and I should say I'm going to put my bio at the back with my email address and my phone number. I'm always happy to talk to people offline about this as well. If you think of a question later feel free to reach out.
Henry: Let me just jump in because there are a few questions that I have come in online and otherwise. So I'll just filter and moderate those questions. Personally, that was great. Lots of information. Great. Very helpful. We certainly have had our 15 minutes for questions. Some have come in and feel free for our guests to add your questions. As I understand they're coming in anonymously so grammar and punctuation will not be graded. No question is a bad question and before we jump into that I just want to mention as well, I indicated at the onset that this is part of a three session series at Gowling WLG webinar series. The other two sessions are occurring next week. Next Tuesday, same time, this team is addressing the topic of cross border and international data privacy issues. Then next Thursday our UK partners are presenting on IP law and strategy for artificial intelligence with a European element or perspective to it. So hopefully most of you attending received or have visibility to the full series that we're offering. If you didn't get your invitation, or joined us in a different manner such that you don't have the information for next week's session, feel free to email us or to reach out or otherwise ask and we'll be happy to get that information for you. We think, certainly the second session, logically covers some of the issues that we're talking about today and would be delighted to have you back with us. So if we jump into the questions, Brent, one question that you had the slide with the Nancy Pelosi laptop and the risk of it being sold to the Russians, the question that came up is how worried should companies be about State actor threats such as Russia or China or North Korea?
Brent: That's a good question. The short answer is very. The kinds of threats that we see, the kind of activity, there's a bit of a spectrum. We see State actors acting because they are trying to destabilize foreign governments or foreign economies. That would be Russia as we've seen with the last two elections and the rampant election interference, and also it appears the SolarWinds attack which disrupted not just government agencies but probably potentially thousands of private companies all of whom were using the SolarWinds software. Other threats include North Korea who again focus largely on destabilizing foreign regimes and companies. But also sort of carrying out kind of personal attacks. It's interesting. You remember the attack on Sony where Sony was to release a movie that was in a satirical way critical of North Korea and they hacked and doxxed Sony just because they were making, as it happens, a not very funny movie about them. Then the other end of the spectrum you've got China which certainly has some interest in disrupting foreign economies but its main focus seems to have been, and of course as many of you will know in the Chinese culture and economy, the division between the State and, frankly, the Armed Forces and private industry is a much smaller line than it is in North America, for instance. So you have State sponsored and State carried out cyber attacks with the express intention of stealing intellectual property which then funnels its way back into Chinese companies to give them competitive advantages. So the lesson there, it's not just a threat against the government. These countries are very interested in your technology and very interested in your intellectual property and your business processes. The attacks can affect you, not just in the form of an attack directed to you specifically, but ones that just sort of find their way into your digital water supply as some application that's been compromised that attacks sort of indiscriminately.
Any entity that's downloaded the software. It's a real problem and we'll see what happens over the next four years. We know that, for instance, the US Federal government's capacity to respond to cyber security incidents was greatly reduced under the last Administration. It's going to be heightened again under this Administration and there've been some key appointments made by the Biden Administration that give me a lot of comfort because it shows that the government is taking this threat seriously from before day one. So your government is working hard on this. It's going to take a while to get back to the posture you'd want to see it at and, if it gives you any comfort, the US military also has offensive cyber security capabilities that they've been exercising for some time now. So it's going to be interesting to see how that sort of cold war continues.
Henry: Okay. That's great. Thank you. That answered my topical and concerning but good to flesh it out. Here's a practical question. You talked in the insurance context about the importance for reporting and ensuring that you're doing that correctly. Someone asks how confident should I be that cyber insurance will protect my company?
Brent: The answer to that is not very but buy it anyway. Here's why. I should say the States is much farther ahead than a lot of other countries, including Canada, in terms of uptake. The market for cyber insurance, you were first to market ahead of a lot of other countries and the uptake by industry came earlier and to a greater extent in the US than a lot of other countries which is great. But, that said, it's still in the early days on this kind of coverage and so what we saw at the beginning was a lot of insurance products on the market where the companies are putting them out, without the kind of actuarial data you have for flood and fire, because it's a new threat. So they weren't sure how to price the policies. They weren't sure what their exposure was going to be under the policies but what that typically leads to is broadly worded policies with broadly worded exceptions so that insurance companies have a way of wiggling out of coverage. So the litigation that we're going to see, most litigation in the courts, private and civil litigation, is financed by insurance companies anyway but a lot of the litigation we're going to see is going to be geared towards figuring out what those policies actually mean and what they actually cover. You may well find that you have a breach. You end up making a claim on it. The claim is denied and the court determines that it doesn't cover exactly the scenario that you were dealing with in this case. But all that said, and it's easy to be cynical about these things, you still need to have it. You need to have it if only because one of the first things a judge is going to ask, in assessing a case and trying to determine whether or not your company was negligent, having been breached. To step back, the fact that a breach occurs doesn't mean that there is fault on the part of the company. It's not at all uncommon for companies to win lawsuits on the basis that yes, we were hacked.
Yes, we had taken all the reasonable precautions we could be expected to, but we were up against a very sophisticated entity that worked very hard to hack our systems. So a good defense in a cyber security case is diligence. Do what was reasonably expected. One of the things that the courts expect now, and its table stakes, is that you have cyber insurance coverage.
Henry: Yeah. No, absolutely. In the M&A or corporate finance context, certainly when the underwriters are kicking their tires and doing due diligence, that's on their list to ensure that adequate insurance is in place, notwithstanding your comment that the utility may ultimately be questionable. It's a check the box exercise. Another question that's come in and you certainly had one slide and a series of slides that talked about a variety of different measures that companies could do to improve their cyber security. But a question has come in as to what, in your view, would be the single most important investment that a company could make to improve its cyber security? Or maybe to put it another way, where do you start if you have to pick one?
Brent: You start with the very basic kind of technical protection that you would expect. That you would have in your own home. Right? Firewalls, virus protection, that sort of a thing and people that know how to operate it. Or, if you're working in a managed service environment, you can farm all this out to big sophisticated entities, if you're a smaller entity, take a lot of this off of your plate but make sure that you've got basic measures in place and people who understand them. So that's where you start because on day one if you don't have these things in place you're going to get attacked. Someone will click on something. From there it's an exercise in determining the business risk and cyber risk is ultimately a business risk. The risk of how much do I spend on cyber. At what point does it become more than my company can afford versus the risk that you take on by not having Cadillac solutions in place. So all that requires a lot of thought by management and management needs to understand these risks. I would say though that the biggest investment, and this isn't an investment you make exclusively, you still have to do the technical things, you still have to have the technical things in place, but the best way to keep your company safe is to make sure your employees understand the threat, understand the issues and are practicing good cyber hygiene because your biggest threat vector, your biggest risk are your employees. It's 99.9% of the time, not that they're malicious or bad people, it's just that they don't know what to look for and they step in it. They click on a link they shouldn't. We saw a lot of this in the COVID era because we had a lot of people working from home. In some cases not getting a whole lot of messaging from their employers or anyone else because nobody really knew much at the beginning. They're spending a lot of time online looking for articles, looking for information about the pandemic.
A lot of these sources that they turn to were fake sources that downloaded malicious malware, tricked them into doing things that they shouldn't be doing and so on. Wherever there's anxiety there's going to be an opportunity that hackers can exploit. So I would say the single biggest thing to worry about is your employees and making sure that they are acting appropriately.
Henry: Yeah. That's certainly a point that you made and amplified with the pandemic. Instead of everyone being centralized, although people were certainly working remote previously, we have an unprecedented circumstance where everyone is working remote and that just creates a heightened concern and all the more need to be clearly communicating the policies and procedures on cyber security with your employment base. With your workers. That is great. Those were some excellent questions. I thank everyone for putting those in. We are doing actually really well on time. We have 3 minutes left. If there were any further questions we will just hang on for a moment. We don't want to cut anyone off and not give them an opportunity to ask the questions. Of course, to the extent that your questions span beyond this hour of presentation, we would be very willing and amenable to answering questions offline by email, phone call, Zoom meeting, whatever would work best. So for the attendees do not hesitate to reach out to us and not seeing any further questions. We are almost at exactly the top of the hour. So, Brent, fine job on managing the time with the presentation. I will take this opportunity, once again, to thank everyone for taking the time to join us. I'm hoping that you found the presentation to be informative and, as mentioned, we have the other two sessions of this series taking place next week. Next Tuesday and then Thursday, same time as today's session, on data privacy Tuesday and IP law and artificial intelligence from a European perspective next Thursday with our London, UK colleagues. So, if there is nothing further, on behalf of Brent Arnold and myself, Henry Harris, and our entire Gowling WLG global tech team, we thank you once again for joining us and have a good day and we will end the session now.
Brent: Thanks, Henry and thanks everyone.
Henry: Bye-bye.
The continuing global pandemic has led to a heightened risk of familiar types of cyber attacks, as well as an influx of new cyber threats. In this session, we will review the cyber threat landscape for 2021 and the anatomy of a cyber breach and related responses. We will also discuss how law firms can protect themselves, and how to best advise and protect their clients.