First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Cyberlaw, Internet Law

Security breach notification and reporting requirements are now in force under Canada’s PIPEDA

Canada’s long-awaited federal private-sector data breach notification and reporting requirements came into force on November 1, 2018.

 

, , , , ,

UK government guidance on risk and cyber: the very good and the very bad

The National Cyber Security Center (NCSC) is a part of the UK’s Government Communications Headquarters (GCHQ). If you are like me, you may have only heard about GCHQ in an unflattering context, that of working with US intelligence agencies to spy on foreign heads of state and hack foreign agencies.

 

, ,

Ten considerations for a cybersecurity incident response plan

If you ask a group of cybersecurity experts what should be included in a Cybersecurity Incident Response Plan (“CIRP”), you will get a wide variety of answers. Happily, many of those answers contain similar themes including these ten important considerations your organization should be aware of when creating and managing a CIRP.

 

, , , , ,

Targeting the “middle-man”: Intermediaries face $250,000 in penalties for aiding “malvertising” under CASL

CASL compliance has turned to a new group of actors: the service and infrastructure providers that spammers and fraudsters utilize to perpetrate CASL offences.

 

, , , , ,

SEC investigates cyber-related frauds

On October 16th, the US Securities and Exchange Commission published Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements.

 

, , , , ,

Treating cyber as a business problem

Cyber risk can only be communicated to leadership in a way that is meaningful and actionable, enabling them to make informed and intelligent decisions, if it is done using business language.

 

, , , ,

Contractual considerations in robotic process automation and artificial intelligence outsourcing

RPA and AI technologies can be a game-changer for your organization from a commercial perspective, but procuring those technologies and managing the new risk landscape requires a fundamental shift in mindset vis-à-vis a traditional outsourcing contract.

 

, , , , , ,

First review of the GDPR: Four findings after four months

With four months of life behind the GDPR, now is an opportune time to review those developments. Indeed, after assessing those four months we can make the following four findings.

 

, , ,

Learn from British Airways’ security breach reporting and notification

British Airways’ experience described in this article underscores that cybersecurity is important, and Canadian entities preparing for mandatory security breach reporting and notification coming into force soon can take lessons from British Airways’ response to a security breach.

 

, , , , , , , , , , ,

Is there an ROI for investing in cyber or information security?

IS ROI on cyber really as high as it may seem at first glance? At some point, it may be better to consider cyber risk as a “cost of doing business”. If you can’t actually reduce the likelihood of a breach, can you at least increase the likelihood of prompt detection and response?

 

, , , , , ,

Casinos, cards and counter-strike: A brief overview of skin gambling in Canada and abroad

In recent years, the gaming industry has seen the rise of so-called “skin gambling” websites. Critics have been quick to raise red flags, citing the need for profound regulation and protective measures shielding children from such platforms. This bulletin explores the practice of skin gambling, including regulatory responses in Quebec and the rest of the world.

 

, , , , , , , , , , , ,

Recent SEC settlement is cautionary tale for Canadian public issuers on disclosure of cyberincidents and related risks

The Securities and Exchange Commission’s (SEC) first enforcement action against a public issuer for failure to make timely disclosure of cyberincidents may be a wake-up call for Canadian public issuers and their directors and officers.

 

, , ,

Disclosure of forensic experts’ findings in data breach class action results in waiver of privilege

Given that maintaining privilege and confidentiality is a key objective in data breach incident response, organizations must structure their response teams and communications with a view to maintaining privilege.

 

, , ,

Online advisors: Stand-alone investment managers or tools for portfolio managers?

While the use of technology can lower the cost of investment advisory services, the introduction of algorithmic technology or other forms of artificial intelligence into the investment advice process introduces new risks to investors which raises questions.

 

, , , ,

Learning the basics on GDPR’s right to be forgotten

To manage the Europe Union’s new GDPR properly, ethics and compliance officers need to consider many parts within their organization, from IT capabilities, exception clauses, and customer service demands. And these parts must be managed and organized in such a way that they work together so that they do not fall apart.

 

, , , , , , , , , , ,

Previous Posts