Risk management
Education and training to mitigate cybersecurity risks is a prominent method companies are using, mentioned by 47% of organizations. The use of specialized processes and procedures, as well as implementing management systems, are among the key elements used to face these challenges. When specifying the frameworks used to support the cybersecurity strategy, ISO 270001, NIST2 and PCI-DSS3 were mentioned.
Education and training to mitigate cybersecurity risks is a prominent method companies are using,mentioned by 47% of organizations. Cybersecurity and privacy awareness sessions are the most common ways organizations are addressing this.
Only 8% of organizations disclosed their involvement in the development of collaboration initiatives to interact with peers, industry groups or policymakers to share ideas and identify leading practices to respond to cybersecurity challenges. Meanwhile, 5% of organizations use an external cybersecurity advisor.
Privacy
In a time when the Canadian PIPEDA has been amended to make mandatory the notification of data breaches if they represent a real risk of significant harm to the affected individuals, 50% of Canadian organizations identified their interest in effectively responding to privacy regulations, including PIPEDA and the EU’s GDPR, among others.
One-fifth (20%) of all organizations disclosed they have experienced some sort of cyberattack. These organizations belong to different industries, including the financial, retail, consumer products, mining, technology, telecommunications and services sectors. Nine organizations that experienced a cyberattack described it as being non-relevant, while three described how the event was significant for them.
Questions for management and the board to consider
- Have we documented, and do we fully understand, the cyberspace in which we and our business partners and other stakeholders operate?
- Have we taken steps to understand investors’ concerns about our exposure to cybersecurity risk and how we should address these concerns in our disclosures?
- Are we satisfied that cybersecurity risk and its mitigation receive appropriate attention in our governance structure? Is it clear who has the responsibility for overseeing this area?
- Have we assessed each of our core periodic documents separately for the kind of operational, financial and regulatory cybersecurity risk disclosures required? Do we have procedures in place to revisit this disclosure practice regularly?
- Have we defined internal procedures for assessing the materiality of cybersecurity breaches or other occurrences?