Privacy Commissioner recommends ransomware insurance
The Privacy Commissioner of Ontario recommends businesses consider an insurance policy that will cover first-party costs to respond to a ransomware attack.
“Consider obtaining a cyber insurance policy that offsets costs associated with incident response such as forensic investigations, legal fees, data recovery services and financial fraud,” the office notes in a 13-page “technology fact sheet”, updated in October 2022.
Twenty-four percent of Canadian businesses were victims of a successful ransomware attack in the past year, up from 17% at the same time last year, according to the fact sheet, How to Protect Against Ransomware. The August 2022 figures are attributed to the Canadian Internet Record.
A quarter of Canadian businesses said the ransomware attack damaged the reputation of their customers and/or suppliers.
In addition to considering cyber insurance, the privacy commissioner says a company should create a risk management plan that reduces the number of entry points through which attackers can get into the organization’s computer systems, including entry through third parties connected to the company’s supply chain.
“Have a risk management program in place that establishes requirements for regular security assessments of internal IT systems and third-party service providers,” the fact sheet says. “This may include vulnerability scans, penetration testing, threat/risk assessments and privacy impact assessments.”
To ensure accountability, the Privacy Commissioner suggests companies create a “privacy and security governance committee comprised of senior executives responsible for information technology, legal, access and confidentiality.”
The commissioner also calls for a detailed accounting of the data and information companies store. A company should audit its business records to find out what data it holds and how sensitive each type is, and then determine the level of protection each requires.
“Taking reasonable steps to protect information from ransomware attacks requires a clear understanding of the information your organization holds,” the fact sheet states. “This includes keeping records of the sensitivity, volume and nature of your organization’s various information holdings.
“You need to document where your information is stored. This applies to cloud computing environments as well as other service providers who process information on behalf of your organization.
“Your organization should:
- Maintain an asset inventory that tracks where and how information flows through your organization, such as the computer systems (servers, workstations, mobile devices) connected to your organization’s network, what information is stored in those systems, the domains responsible for the information stored in these systems, hardware and software version information, and contact information for the responsible IT administrators.
- Classify and label information and IT assets according to their sensitivity (the level of harm that can result from a loss of confidentiality, integrity or availability of this information). Put in place safeguards proportional to the sensitivity classification levels.”