Cybersecurity Archives - IPOsgoode
/osgoode/iposgoode/category/cybersecurity/
An Authoritative Leader in IP
Fri, 15 May 2026 21:02:23 +0000

Fit for Deployment? Why AI Red Teams Need More Lawyers
/osgoode/iposgoode/2026/05/13/fit-for-deployment-why-ai-red-teams-need-more-lawyers/
Wed, 13 May 2026 22:06:48 +0000

The post Fit for Deployment? Why AI Red Teams Need More Lawyers appeared first on IPOsgoode.

By Jake Okechukwu Effoduh, Assistant Professor, Lincoln Alexander School of Law, Toronto Metropolitan University


In the summer of 2023, I found myself in a room with security researchers, ethicists, and engineers, tasked with a peculiar assignment: make an advanced AI system fail. Our objective was to probe a large language model for vulnerabilities, to elicit harmful outputs, expose hidden biases, and stress-test the guardrails its creators had painstakingly constructed. This practice, known as red teaming, has become the crucible through which responsible AI developers assess whether their systems are fit for public deployment.

Although I am not a computer scientist, my work as a law professor and legal scholar has long engaged with the capacity of legal frameworks to respond to technological disruption. In that room, surrounded by experts who could articulate attention mechanisms and tokenisation with casual fluency, it was evident that I had as much to learn as I had to offer. At the same time, the exchange highlighted that legal training contributes a distinct and necessary perspective. Lawyers are trained to identify risk, anticipate misuse, evaluate harm, and analyze the real-world consequences that may flow from algorithmic failures. The experience therefore underscored a broader insight, one that the AI industry has perhaps been slow to recognise: that effective red teaming exercises need more lawyers.

The Evolution of Adversarial Testing

Red teaming traces its lineage to Cold War military strategy, where designated adversaries (the “red team”) would simulate enemy attacks to expose defensive weaknesses. The practice migrated to in the 1990s, where penetration testers probed corporate networks before malicious hackers could. When applied to AI systems, red teaming evolved from what hobbyists once called “jailbreaking” (the sport of coaxing chatbots into misbehaviour) into a endorsed by governments and embedded in emerging regulatory frameworks.

Today, AI red teams attempt to elicit dangerous capabilities: the generation of misinformation, the production of discriminatory content, the leakage of private training data, or the provision of instructions for genuine harm. The widely discussed and the , both identify adversarial testing as essential to responsible development. Major AI labs now routinely engage external experts to probe their systems before release, a practice that has become standard (even obligatory) in the field.

Yet red teaming is not without limitations. Exercises are necessarily time-bound; testers cannot anticipate every deployment context or user intention. Findings do not always translate into engineering solutions. And crucially, red teams often lack the interdisciplinary breadth necessary to identify the full spectrum of potential harms. A team composed primarily of computer scientists and ethicists will see certain vulnerabilities clearly and remain blind to others entirely.

What Legal Eyes See

During our red team exercise, while my colleagues focused generally on whether a model would generate violent content or produce biased outputs, my attention gravitated toward a different set of questions. When the model confidently asserted false statements about a living person, I immediately thought of defamation: the constituent elements of the tort, variations across jurisdictions, and the practical difficulty of establishing fault when the “speaker” is an algorithmic system. Similarly, when we successfully extracted fragments of what appeared to be training data, my focus shifted to data protection law, in particular the , and the question of whether such extraction might amount to a violation of data protection obligations.

These were not simple peripheral concerns. They were legally cognisable harms, with potential implications for regulatory scrutiny, reputational damage, and liability exposure. Yet without legal expertise in the room, they might have been catalogued simply as “problematic outputs” rather than understood in their full juridical dimension. This experience thus illuminated why lawyers should be integral members of red teams, not as afterthoughts or compliance consultants, but as core participants in the adversarial imagination that safety testing demands.

Five Reasons to Invite Lawyers to Break Your AI

  1. Lawyers understand harm with juridical precision

To begin with, legal training brings a distinctive precision to the identification and classification of harm. The law does not treat all harms equally. Defamation, discrimination, privacy violations, and intellectual property infringement each carry specific definitions, evidentiary burdens, and remedial consequences. When a model produces troubling outputs, lawyers can distinguish between the merely objectionable and the actionable, a distinction that fundamentally shapes risk assessment and mitigation priorities. The in the United States illustrates how model failures can rapidly become legal crises.

2. Privacy law requires specialised fluency

A related consideration arises in the domain of privacy, where legal analysis demands specialised fluency. The global patchwork of data protection regimes, the in Europe, the in California, , , and Kenya’s , have created intricate and sometimes contradictory obligations. When red teamers probe for memorization of personal data or attempt to extract training data, lawyers are equipped to assess whether such vulnerabilities implicate specific regulatory requirements and to anticipate how data protection authorities may respond.

3. Lawyers are professionally trained in adversarial reasoning

Equally important is the legal profession’s grounding in adversarial reasoning. The courtroom is, in essence, an institutionalised red team: opposing counsel systematically probes weaknesses in argument, inconsistencies in evidence, and ambiguities in position. This mode of reasoning cultivates a particular cognitive disposition, the habit of thinking from the perspective of an adversary, that translates directly to the work of identifying how malicious actors might exploit AI vulnerabilities. Lawyers are trained, quite literally, to find the holes and the points of failure.

4. Legal expertise enables regulatory foresight

The AI governance landscape is shifting rapidly. The imposes binding obligations on high-risk systems. Numerous . Countries across Africa, from to , have developed national AI strategies. Lawyers can stress-test systems against forthcoming requirements, helping developers prepare for regulatory futures rather than merely react to regulatory presents.

5. Lawyers navigate cross-jurisdictional complexity with native facility

A model deployed globally must contend with the legal frameworks of dozens of jurisdictions simultaneously. What constitutes prohibited hate speech in differs from what triggers liability in the United States, which differs again from prohibitions in or . Lawyers versed in comparative and international law can map how a single model output might cascade into disparate legal consequences across borders, a complexity that homogeneous technical teams are ill-equipped to navigate.

An Invitation and an Imperative

To fellow lawyers who have watched the AI revolution from the sidelines, uncertain whether our expertise has purchase in this domain: the answer is that it does. The skills we have cultivated through legal training (close reading, adversarial thinking, the anticipation of misuse, the parsing of ambiguity) are precisely what red teaming demands. I don’t think we need to fully understand the mathematics of transformer architectures to recognise that a model’s confident fabrications might constitute negligent misrepresentation, or that its profiling capabilities might violate privacy law or raise constitutional questions under . Legal analysis operates at the level of consequences, responsibility, and rights, precisely where many AI risks ultimately materialise.

To AI developers and safety organisations: we need diversified red teams. The homogeneity that characterises many current exercises (dominated by security researchers and machine learning engineers) leaves some critical vulnerabilities unexamined. Legal scholars, practising attorneys, and even law students possess perspectives that will reveal risks invisible to those who share similar training and assumptions.

The stakes warrant this expansion. As AI systems assume greater roles in consequential domains (employment, credit, criminal justice, healthcare, content moderation), the potential for legally significant harm multiplies. I think that red teaming that excludes legal expertise is red teaming that leaves the courtroom door unguarded. In my own journey from legal academic to participant in AI safety exercises, I have learned that, sometimes, the most valuable insights emerge from disciplinary friction. Questions that may initially appear naive to engineers can illuminate genuine legal and societal risks. This is why we need more of that productive dissonance. We need more lawyers willing to tackle the machines.


is a Vanier Scholar and Ph.D. candidate at Osgoode Hall Law School, examining ways that the legitimization of AI is impacting the pursuit and realization of human rights in Africa.

44th Global Privacy Assembly Leads To Resolutions On Facial Recognition Technology And Cybersecurity
/osgoode/iposgoode/2022/11/21/44th-global-privacy-assembly-leads-to-resolutions-on-facial-recognition-technology-and-cybersecurity/
Mon, 21 Nov 2022 17:00:35 +0000


M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on November 16, 2022.


On October 28, 2022, the Office of the Privacy Commissioner of Canada (the OPC) that data protection authorities around the world endorsed resolutions on facial recognition technology (FRT) and cybersecurity at the 44th Global Privacy Assembly (GPA) in Istanbul, Türkiye.

The GPA is an international forum where data protection and privacy authorities from more than 130 countries meet to discuss privacy matters of interest and coordinate efforts on an international scale. The theme of the public portion of the event was, “A matter of balance – Privacy in the era of rapid technological advancement”.

During the conference, the GPA members adopted a resolution on the use of FRT, which outlined a series of principles and expectations that they would promote to external stakeholders, assess in real-world application, and report back on. These principles require an organization to do the following:

  1. Lawful basis: have a lawful basis for collecting and using biometrics;
  2. Reasonableness, necessity and proportionality: demonstrate the reasonableness, necessity, and proportionality of their use of FRT;
  3. Protection of human rights: assess and protect against unlawful interference with privacy and other human rights;
  4. Transparency: ensure that the use of FRT is transparent to affected individuals and groups;
  5. Accountability: include clear and effective accountability mechanisms for the use of FRT; and
  6. Data protection principles: ensure that FRT is used in a way that respects all data protection principles.

The GPA also saw the adoption of a resolution for international cooperation in improving cybersecurity regulation and understanding the harms that result from cyber incidents. As part of this resolution, the endorsing GPA members would take steps to understand the responsibilities of data protection authorities regarding cybersecurity, and explore possibilities for international cooperation amongst members to avoid duplication in investigations and other regulatory activities.

OSFI Releases Final Version Of Guideline B-13: Technology And Cyber Risk Management
/osgoode/iposgoode/2022/08/15/osfi-releases-final-version-of-guideline-b-13-technology-and-cyber-risk-management/
Mon, 15 Aug 2022 16:00:00 +0000


M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on July 27, 2022.


On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13: Technology and Cyber Risk Management (Guideline B-13), which describes OSFI’s expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks.

OSFI views the large increase of cyber incidents in Canada as an urgent call for FRFIs to bolster their technology and cyber risk management practices. Guideline B-13 is OSFI’s answer to this call and provides a flexible, principle-based regulatory framework for FRFIs to strengthen their cybersecurity posture with strategies that account for their size, nature, scope, and complexity.

Guideline B-13 is the final result of an extensive consultation process that started in September 2020 and included an initial draft Guideline B-13 in November 2021, as previously reported by the E-TIPS® Newsletter. The final Guideline B-13 takes a more streamlined approach than the previous iteration and is organized around three “domains” as opposed to the first draft’s five-domain structure. Each domain sets out specific outcomes for FRFIs to achieve in order to align with OSFI’s expectations:

  1. Governance and Risk Management: Technology and cyber risks should be governed by clear accountabilities and structures, and comprehensive strategies and framework.
  2. Technology Operations and Resilience: The FRFI has a technology environment that is stable, scalable, and resilient. The environment should remain current and supported by technology operating and recovery processes that are “robust and sustainable”.
  3. Cyber Security: Guideline B-13 requires the FRFI to implement a technology posture that maintains the confidentiality, integrity, and availability of its technology assets.

Guideline B-13 is set to come into effect on January 1, 2024, which gives FRFIs time to review the framework and ensure compliance.

Bill C-27: Canada Introduced Its First Legislation on the Development and Use of Artificial Intelligence in the Private Sector
/osgoode/iposgoode/2022/08/11/bill-c-27-canada-introduced-its-first-legislation-on-the-development-and-use-of-artificial-intelligence-in-the-private-sector/
Thu, 11 Aug 2022 16:00:00 +0000


Tianchu Gao is an IPilogue Writer and a 1L JD Candidate at Osgoode Hall Law School.


On June 16, 2022, the Canadian government tabled “An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.” The Bill aims to strengthen the privacy framework for the private sector in Canada through the enactment of three pieces of legislation—the Digital Charter Implementation Act (DICA), the Consumer Privacy Protection Act (CPPA), and the Artificial Intelligence and Data Act (AIDA).

Bill C-27 is the successor to Bill C-11, the Digital Charter Implementation Act, which was introduced in November 2020. Unfortunately, it got at the Second Reading stage despite strong support from the business community. Bill C-27 is largely a re-working of Bill C-11, as a significant portion of the Digital Charter Implementation Act (DICA) and the Consumer Privacy Protection Act (CPPA) remains intact. A detailed comparison between the two bills can be found .

An entirely new section of Bill C-27 is the Artificial Intelligence and Data Act (AIDA). This section aims to regulate the development and use of artificial intelligence systems in the private sector. If AIDA is enacted, Canada would be the only jurisdiction, besides the , to draft legislation that directly addresses the regulation of AI.

AIDA is very broad in scope, with respect to both the definition of AI and the range of people obliged to abide by the Act. It does not set out specific prohibited practices and seems to contemplate a distinction only between high-risk systems and all other AI systems. Compared to the EU’s 2021 proposal for an Artificial Intelligence Act, AIDA is “considerably less elaborate” and “proposes to leave many salient matters to regulation,” according to cybersecurity professionals at .

The legislative purposes of AIDA are, per s. 39.4:

(a) to regulate international and interprovincial trade and commerce in artificial intelligence systems by establishing common requirements, applicable across Canada, for the design, development and use of those systems; and

(b) to prohibit certain conduct in relation to artificial intelligence systems that may result in serious harm to individuals or harm to their interests.

AIDA aims to protect people from any potential harm brought by biased AI output, which is the output of AI systems that differentiate people based on prohibited grounds of discrimination.

AI systems identified as “high-impact” will undergo mitigation measures and ongoing monitoring for compliance. Despite the preliminary guidance from the federal , it is largely the persons responsible for an AI system—including designers, developers, providers, and managers—who are responsible for these assessments and measures. There will also be higher transparency in both the intended and actual use for high-impact AI systems. Any material harm should be reported to the Minister of Innovation, Science and Industry. Under this act, an Artificial Intelligence and Data Commissioner will assist the Minister in monitoring company compliance.

Bill C-27, if passed, is sure to be a milestone in the development of legal regulations for AI. Many law firms are closely monitoring this legislation’s progress since it was released. There are, of course, still many questions to be investigated, such as the potential chilling effect on innovation and the design of administrative penalties. The legislation will become more clear upon the second and third readings in the House of Commons and subsequent regulations.

Cybersecurity Attacks—War of a New Era
/osgoode/iposgoode/2022/05/11/cybersecurity-attacks-war-of-a-new-era/
Wed, 11 May 2022 16:00:00 +0000


Photo by Michael Dziedzic

Tianchu Gao is an IPilogue Writer and a 1L JD Candidate at Osgoode Hall Law School.

Cybersecurity has become a major battlefield in the war between Russia and Ukraine. Even before Russia invaded Ukraine on February 24th, it had launched waves of cybersecurity attacks on a range of important social sectors of Ukraine. The attacks in January focused on governmental websites. According to Ukraine officials, Russia had taken down around Ukraine government websites, including the central institutions such as the Cabinet of Ministers and the Security and Defense Council.

By February, brought down the websites of Ukraine’s defense ministry, army, and two largest banks. Russia used a sophisticated that reached hundreds of computers from different organizations in Ukraine, including the defense, aviation, finance, and IT service sectors. Although Russia never officially admitted it, believe that the Russian government is behind the groups that launched these attacks.

Quad9, a domain name system platform, detected attacks against computers and phones in Ukraine on March 9th alone. According to cybersecurity expert , Ukrainians are experiencing increasing numbers of phishing and malware attacks during the war.

The Ukraine government responded to the attacks with support from and . The NATO Cooperative Cyber Defense Center of Excellence at Tallinn, Estonia, collaborates with Ukraine to strengthen its national cyber security. The EU had deployed a rapid-response team of ten cybersecurity experts from six different countries to help Ukraine mitigate the effects of the cyberattacks.

In addition to state actors, large private companies have lent Ukraine critical support. For instance, is helping Ukraine with cybersecurity. announced on April 7th that it had disrupted cyberattacks from Russia targeting Ukraine and organizations in the United States and Europe. Its representative claims that Microsoft can observe Russia’s attack on the Ukraine government and infrastructure since the beginning of the invasion. Microsoft works closely with the Ukrainian government and other organizations to help them defend against the onslaught. Another example is , a space exploration tech company. It provides civilians and tech companies in Ukraine access to the Internet via satellite in rural or disconnected areas.

Private companies, especially tech giants, have been unprecedentedly active in interstate warfare. As cybersecurity becomes an increasingly important part of national security, big tech companies are likely to have more power and a higher level of involvement in global conflicts. While this change may benefit the public interest, it inevitably calls for more scrutiny and regulation.

Hackers aren't only in Movies?! The Rise of Ransomware Incidents in Canada and what Canadians can do about it
/osgoode/iposgoode/2022/03/17/hackers-arent-only-in-movies-the-rise-of-ransomware-incidents-in-canada-and-what-canadians-can-do-about-it/
Thu, 17 Mar 2022 16:00:59 +0000

Emily Xiang is an IPilogue Writer, President of the Intellectual Property Society of Osgoode (IPSO), and a 2L JD Candidate at Osgoode Hall Law School.

Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP who practices in the areas of intellectual property and information technology law.

This article was on the OBA’s Information Technology and Intellectual Property Law Section’s .

The threat of cyber attacks is no longer restricted to TV shows and movies, with cyber security incidents like ransomware attacks becoming far more frequent in daily life. While the COVID-19 pandemic may have slowed many aspects of society, ransomware has seen a marked increase in recent years around the globe – and Canada is no exception.

THE GROWING RANSOMWARE THREAT

Ransomware incidents involve threat actors infiltrating an organization’s defenses and deploying malware to prevent the company from accessing its information. Though the specific tactic may differ between threat actors, users will ultimately find themselves unable to access vital data and key systems unless the organization pays a ransom to the threat actors, usually in the form of digital currency. During the incident, threat actors may also extract data from the company’s network, which can have serious privacy consequences for the organization and its customers. Not only will their data be in the hands of an unknown party, but in many cases, threat actors may threaten to publish the exfiltrated information online if the organization refuses to provide them with payment.

Ransomware saw record-breaking numbers last year. By the end of the first half of 2021, global ransomware attacks had increased by 151% as compared to the previous year, with ransom payments of up to CAD$48.4M being paid out to hackers. In Canada, the Canadian Centre for Cyber Security (the Cyber Centre) has knowledge of at least that occurred over the course of 2021 (though, it is important to note that the majority of ransomware attacks go unreported). Out of the known ransomware incidents that were reported to the Cyber Centre, more than half involved critical infrastructure providers. However, the Office of the Privacy Commissioner of Canada (the OPC) stresses from an attack, as incidents of ransomware have occurred indiscriminately since 2020 in not-for-profit, professional, financial, transportation, manufacturing, and retail sectors.

The increase in ransomware incidence and scope in recent years is partly attributed to the growing sophistication with which cyberattacks may now be conducted. A number of in ransomware have arisen, and are rapidly changing the cybercrime landscape. For instance, ransomware-as-a-service (RaaS) is a model that allows developers to sell and/or lease ransomware to cybercriminals whilst being paid a percentage of the profit. These kinds of schemes allow an increased number of unskilled threat actors to get a hold of sophisticated ransomware technology, while providing skilled attackers the opportunity to profit from the mass distribution of their work. The world has also seen an increase in victims of high-impact targeting, wherein more targeted attacks are being launched at supply chains and essential services in order to maximize potential victims and profits. For instance, many threat actors have leveraged the COVID-19 pandemic to aim at high-impact targets that have become especially vital in current circumstances, such as emergency medical services and law enforcement agencies. As stated by chief information officer at UTHealth in Houston, “[a]ttackers [targeting hospitals] understand that we’re talking about life and death. There’s a great incentive to just pay and get the thing unlocked so we can treat patients.” In finding more opportune ways to breach vulnerable organizations, threat actors are demonstrating that their targeting schemes are becoming increasingly sophisticated, as well as strategic.

SEVERE FALLOUT FROM ATTACKS

Ransomware attacks may have far-reaching implications on company operations. On May 7th, 2021, American oil company fell victim to a ransomware attack that immobilised several of its computerized equipment systems. As a result, operations for the largest fuel pipeline in the US were temporarily suspended, resulting in price spikes and fuel shortages for millions of Americans. Even more recently, global human resources company Ultimate Kronos Group (UKG) was also hit with a ransomware attack on December 11th, 2021, resulting in a worldwide shutdown of its cloud services. The incident impacted millions of users, with employees who relied on UKG’s cloud system reporting paychecks short by , as their employers struggled to find alternative means for managing payroll. Kronos is known to serve tens of thousands of organizations – including half of the Fortune 100 – and more than 40 million people in over 100 countries every day, including businesses in Canada.

A CALL FOR ACTION

The Cyber Centre that ransomware will continue to pose a threat to national security and economic prosperity in 2022. They also predict that threat actors utilizing ransomware will likely become increasingly aggressive in their operations and targeting schemes. Similarly, the OPC the potential harm that can result from this type of attack and considers such incidents to meet the real risk of significant harm threshold under the Personal Information Protection and Electronic Documents Act. As part of an ongoing, national effort to mitigate the effects of ransomware and related cyber threats, the to take this matter seriously and address it head-on through adopting proper security measures.

PREPARING FOR RANSOMWARE ATTACKS

Cyber Security Preparations

To assist organizations in their cybersecurity preparation, the Cyber Centre recently released a Ransomware Playbook (the Playbook) with guidance on how to defend against and recover from cyberattacks. It recommends that businesses implement cyber defence planning strategies, such as preparing multiple backup systems ahead of time. Backup systems provide organizations with a copy of their data, which can then be used for restoration activities in the wake of a ransomware attack. When developing a plan for implementing backup systems, it may be useful to contemplate the frequency and extent that the data should be backed up and storage considerations for the backup systems. The Cyber Centre advises that backups stored online within the organization or on a cloud platform are more commonly susceptible to ransomware attack, while backup systems stored offline, in a separate physical location from the main business site and disconnected from its networks, offer the most protection against ransomware incidents.

In addition to preparing backups, the Playbook has details on different cyber security controls that can be implemented as part of the organization’s defenses. For example, having multi-factor authentication (MFA) in place on company devices may assist in thwarting threat actors. It may also serve to hinder threat actors from gaining full access to target systems in the event that they are successful in getting past initial IT defenses. In addition to MFA, businesses may want to consider having a system that can continuously monitor their network and establish an acceptable baseline of activity. This can be used to flag anomalies in activity patterns and sound the alarm when there is a potential risk to the organization.

Planning Ahead

Apart from having technical controls, it may be prudent to consider creating plans that serve as reference guides during ransomware incidents. The Cyber Centre recommends creating an incident response plan that is geared towards cyber defense strategy, including detecting and responding to an attack. The incident response plan can include the objectives, stakeholders, responsibilities, communication methods, and escalation processes that are involved in the response strategy. To formulate this plan, organizations may want to conduct a risk assessment of their assets and identify the potential consequences that would result from them being compromised, so as to discern the business’ response priorities. When drafting the incident response plan, it may be beneficial to keep the plan simple and flexible, so that it can be easily adapted to the circumstances of the actual event.

To complement the incident response plan, businesses could consider developing a disaster recovery plan that focuses on resuming operations after a ransomware incident. The Cyber Centre that an effective plan should identify the entity’s critical information (e.g. financial records, proprietary assets, etc.), their most essential systems that are required for business continuity, and their most vital business functions. Once a plan is formulated, multiple trial runs should be conducted to determine potential areas for improvement.

More Options

In addition to the above ransomware-specific guidance, there is also a program that may offer insight for organizations looking to improve their cybersecurity foundation. This program is mainly aimed at small and medium-sized businesses, but welcomes enrolment from all organizations in Canada. As part of the program, businesses are required to adopt measures in certain baseline controls that reflect industry-accepted best practices and target key considerations for the organization’s systems and employees. Furthermore, implementing these controls has the added benefit of fulfilling prerequisites for the Government of Canada’s certification. The certification is valid for two years and can be displayed at the organization’s physical location and on its website to let others know that the business has met the standard.

CYBER INSURANCE

When preparing for ransomware attacks, organizations may want to consider how they would fund response efforts in the event that a threat actor manages to get through their defences. Even if a business is already insured, traditional insurance policies may provide limited or no coverage for cyber attacks. Reviewing one’s current insurance policy and acquiring adequate cyber coverage where it is lacking is a crucial step that should not be left out of any discussion on ransomware preparation.

MOVING FORWARD

In our current technological landscape, ransomware attacks and other cyber security incidents have unfortunately become a daily reality of doing business in Canada and around the world. In light of the rising threat, organizations are encouraged to approach the matter with equal tenacity. By taking the appropriate proactive measures, we can better safeguard our activities and mitigate the impact of ransomware attacks on our businesses.

The post Hackers aren't only in Movies?! The Rise of Ransomware Incidents in Canada and what Canadians can do about it appeared first on IPOsgoode.

Canadian Ministers Issue Open Letter On Ransomware And Ransomware Playbook (Wed, 12 Jan 2022) /osgoode/iposgoode/2022/01/12/canadian-ministers-issue-open-letter-on-ransomware-and-ransomware-playbook/

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on December 22, 2021.

On December 6, 2021, the federal ministers of Defence, Public Safety, Emergency Preparedness and International Trade, Export Promotion, Small Business, and Economic Development (the Ministers) released an open letter to Canadians discussing the rise of ransomware attacks and offering guidance for organizations to curb this trend. Among the resources included in the letter, the Ministers refer to a Ransomware Playbook recently published by the Canadian Centre for Cyber Security (the Cyber Centre).

In the open letter, the Ministers discussed the significant rise of ransomware threats targeting small and medium-sized businesses, health care organizations, utility organizations, and municipalities. During these attacks, threat actors lock the organization out of its systems and only allow access once a payment is made, usually in the form of digital currency. To assist Canadians in this matter, the Ministers are working to provide the public with specific advice and guidance.

The Cyber Centre’s Ransomware Playbook is one of the newly released resources for Canadian organizations to better prepare against ransomware. The Playbook provides organizations with a basic understanding of the landscape and guidance on important issues, such as whether they should pay a threat actor’s ransom. It also includes suggestions on proper measures for organizations to mitigate the impact of these incidents. The Playbook is organized into the following two sections:

  1. How to defend against a ransomware attack, such as using
    1. cyber defence planning strategies like the implementation of backup systems and incident response plans; and
    2. cyber security controls throughout the organization’s network to add further protection.
  2. How to recover from a ransomware attack, including
    1. immediate response actions to bring an organization’s system back under control after an attack; and
    2. recovery actions that will help an organization successfully rehabilitate its business for the long term.

In closing the letter, the Ministers urged Canadians to take cyber security seriously and develop a proper protective infrastructure with updated technology measures that will make them well-prepared in their response to such incidents.


OSFI Launches Consultation On Draft Technology And Cyber Risk Management Guideline (Fri, 26 Nov 2021) /osgoode/iposgoode/2021/11/26/osfi-launches-consultation-on-draft-technology-and-cyber-risk-management-guideline/

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on .

On November 9, 2021, the Office of the Superintendent of Financial Institutions (OSFI) launched a public consultation on Draft Guideline B‑13: Technology and Cyber Risk Management (the Guideline). It applies to federally regulated financial institutions (FRFIs) and addresses OSFI’s expectations in relation to technology and cyber risks.

The Guideline is organized into five domains, with each domain describing OSFI’s desired outcome for FRFIs in a certain aspect of technology and cyber risk management:

  1. Governance and Risk Management: the FRFI has a clear framework and comprehensive strategy to govern technology and cyber risks.
  2. Technology Operations: there is a resilient and scalable technology environment in place that is kept up to date by robust operating processes.
  3. Cyber Security: the FRFI is able to maintain the confidentiality, integrity, and availability of technology assets.
  4. Third-Party Provider Technology and Cyber Risk: third-party providers deliver reliable and secure technology and cyber operations to the FRFI.
  5. Technology Resilience: the FRFI has proper disaster recovery capabilities that allow the delivery of technology services through operational disruption.

In its announcement of the consultation, OSFI commented on the importance of stakeholder engagement to strike the appropriate balance between its prudential objectives, while still allowing financial institutions to compete. Accordingly, OSFI welcomes public feedback on the Guideline and is especially interested in feedback that addresses the clarity and application of their outlined expectations, the balance between principles and prescriptiveness in these expectations, and other suggestions that relate to OSFI’s mandate.

The consultation is open until February 9, 2022 and comments can be submitted at Tech.Cyber@osfi-bsif.gc.ca.


The U.S. Department Of The Treasury’s Office Of Foreign Assets Control Releases Updated Advisory On Sanctions Regarding Ransomware Payments (Thu, 14 Oct 2021) /osgoode/iposgoode/2021/10/14/the-u-s-department-of-the-treasurys-office-of-foreign-assets-control-releases-updated-advisory-on-sanctions-regarding-ransomware-payments/

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on October 13, 2021.

Ransomware attacks are on the rise, with the Federal Bureau of Investigation reporting a nearly 21% increase in reported ransomware cases and a 225% growth in associated losses from 2019 to 2020. On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory to highlight the sanctions risks associated with ransomware payments to malicious cyber actors and the proactive steps that companies can take to mitigate those risks.

OFAC has designated some malicious cyber actors in its cyber-related sanctions program and other sanctions programs to discourage payments of cyber ransom or extortion demands to these parties.

According to the advisory, U.S. persons are generally prohibited from engaging in transactions with those on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by country or region embargoes. Furthermore, any transaction that may violate the International Emergency Economic Powers Act (IEEPA), including a transaction by a non-U.S. person that causes a U.S. person to violate an IEEPA-based sanction prohibition, is also banned.

In response to sanctions violations, OFAC may hold such persons civilly liable even if they were unaware that the transaction was prohibited under sanctions laws and OFAC’s regulations at the time. OFAC’s Economic Sanctions Enforcement Guidelines describe the department’s enforcement policies, as well as mitigating factors that may be considered by OFAC, including:

  1. meaningful measures taken to improve cybersecurity practices and reduce the risk of extortion by sanctioned actors; and
  2. the reporting of ransomware attacks to government agencies and cooperation with law enforcement.

If those factors are present, OFAC’s resolution could be limited to a “no action” or a “cautionary” letter, rather than a public response. Businesses that fall under OFAC’s regulation should aim to revise their cybersecurity incident response plans to better align with the recommendations in the updated advisory.


Ontario Court Of Appeal Finds Insurance Coverage Does Not Apply To Cyber Hack (Fri, 23 Apr 2021) /osgoode/iposgoode/2021/04/23/ontario-court-of-appeal-finds-insurance-coverage-does-not-apply-to-cyber-hack/

This article was originally published on on April 14, 2021.

On March 15, 2021, the Ontario Court of Appeal (the Court), in Family and Children’s Services of Lanark, Leeds and Grenville v Cooperators General Insurance Company, reversed the lower court’s decision that found that Co-operators General Insurance Company (Co-operators) had a duty to defend Family and Children’s Services of Lanark, Leeds and Grenville (FCS) and Laridae Communications Inc. (Laridae) against two claims in relation to a cyber hack.

Laridae was retained by FCS to perform communication and marketing services, including working on FCS’ website. FCS subsequently discovered that its website had been hacked and that a report containing personal information of 285 clients and subjects of FCS’ investigations was disclosed on Facebook without authorization. Both companies were insured by Co-operators and claimed that Co-operators had a duty to defend against the following two claims that arose out of the event:

  1. a $75 million class action brought against FCS alleging that FCS was negligent in securing its website; and
  2. a third-party claim in that proceeding brought by FCS against Laridae for negligence and breach of contract.

Co-operators denied that it had a duty to defend because its policies excluded claims arising from the distribution of data by means of an internet website. All three parties brought applications to determine the rights that depend on the interpretation of the policies.

The Court disagreed with the lower court’s finding that the matter could not be addressed by way of application, stating that there were no material facts in dispute requiring a trial and that the policy provisions in issue were clear and unambiguous. Upon assessing the issue, the Court found that the substance and true nature of both claims arose from the wrongful appropriation and distribution of confidential personal information on the internet. The Court held that all claims asserted were covered by the clear and unambiguous language of the exclusion clauses, and therefore Co-operators had no duty to defend either claim.

The Court did not waver when faced with FCS and Laridae’s argument that applying the data exclusions would nullify meaningful coverage under the policy. The Court held that the policies clearly stated that Co-operators would not insure against all risks, and that holding the parties to the terms of the agreement therefore aligned with the reasonable expectations of the parties.

Written by M. Imtiaz Karamat, Osgoode Alumnus and Student-at-Law at Deeth Williams Wall LLP.
