Cyberattacks are, unfortunately, a persistent risk to organizations and their operations. While many see cybersecurity as primarily a technology issue, the core of cyber resilience lies in ensuring your teams are prepared, coordinated, and able to take swift action in the event of a breach.

At the Strategies for the Future Conference in October, Miller Thomson lawyers Jasmine de Guise and David Krebs, along with Debora Monteiro, Director, Cyber Defense & Resilience at Deloitte, presented a clear action plan on how to prepare for, respond to, and successfully recover from cyberattacks.

What is cyber resilience?

Firewalls alone are no longer enough. Cyber resilience calls for an integrated legal, technical, communications and leadership response ecosystem.

A well-prepared team must be able to:

  • quickly identify and contain threats;
  • mitigate the damage; and
  • securely restore operations while preserving the evidence required to investigate and understand the nature of the incident, including the root cause, in order to prevent similar incidents.

How to respond immediately after a security incident

In a data breach, the first hours are critical. In the initial stages after a breach, it is vital to take a calm, methodical approach. Experts recommend the following steps in any response plan:

  1. Do not rush into action. While shutting down systems (“unplug everything”) is a natural response, it could destroy key evidence and make things worse. Monitoring the attack as it unfolds can help track it and pinpoint its source.
  2. Gather your incident response team. This group should quickly bring together technical, legal and communications experts with senior management. If you do not have a team identified in advance, your insurer and/or counsel will be able to help you.
  3. Assess the situation. Gather the facts and analyze the affected systems. Be aware of the “crown jewels” (the data that matters the most).
  4. Contain the threat. The primary goal is to limit the attack’s spread and secure the backups.
  5. Notify your insurer. Advise your insurer, even if not all facts are available.
  6. Decide how to handle ransomware. In these situations, multiple crucial decisions must be made, including whether payment would be considered and under what circumstances. Assess the possible outcomes of paying versus refusing to pay, or of interacting with the threat actor, and take next steps accordingly.

Takeaway: Plan for incidents in advance. Consider implementing a cyber incident response plan that is tested regularly via “tabletop exercises” with management and/or your board.

Maintain a hard copy of your response plan and list of emergency contacts (experts, lawyers and insurer). This will be useful if it becomes impossible to access computer systems. Reaction speed matters, but considered and coordinated action is even more crucial.

Preparing effectively to minimize impact

Most breaches are a result of human error: clicking on fraudulent links, poor password practices, or unsafe use of personal devices. The solution? Raise awareness among all employees, regardless of their rank or role. Train them and make them accountable.

  • Train employees and raise awareness. Human error is a major cause of breaches. Ongoing training and phishing simulations are essential.
  • Run drills and tabletop exercises. Regularly organize cyber incident simulations with all stakeholders (technical, legal, communications, management) to test your plan and sharpen your reflexes.
  • Demonstrate due diligence. In the event of an incident, you will need to show that you have implemented reasonable protective measures. Documenting your actions can protect you.

Takeaway: Companies that proactively prepare and test their response are more resilient and suffer considerably lower costs and fewer complications when an actual incident occurs.

Legal obligations following a personal data breach

Not all cyber incidents result in reportable personal data breaches, but many do. It is a core responsibility of any organization to determine whether individuals, the regulator or other authorities or organizations must be notified. In Quebec, the Act respecting the protection of personal information in the private sector imposes strict obligations on companies, including the obligation to protect personal information in their custody and control, and to notify impacted individuals if the breach may cause a real risk of serious injury/real risk of significant harm. These obligations also exist under federal law and the Alberta Personal Information Protection Act. Importantly, transparency is expected by business customers and consumers alike.

The determination of whether there has been a reportable breach involves a legal analysis that must be based on evidence gathered during the investigation, which is why it is important to obtain expert advice.

Breaches do not always happen in-house. Your business may have legal obligations based on a breach at a service provider in your supply chain, if that supplier handled personal information on your behalf, or introduced vulnerabilities into your business’s systems. Having the right contractual clauses in place to protect your business and stakeholders is an important tool in a successful response.

Takeaway: Transparent communication that complies with the law is imperative. Failure to meet these obligations can result in regulatory fines, lawsuits, and loss of customers’ and partners’ trust.

After an attack: Rebuild and learn

A crisis is also an opportunity for improvement. Companies that emerge stronger from an attack are the ones that:

  • conduct proper investigations;
  • communicate at the right time and with the right message to the appropriate stakeholders;
  • identify the root cause and correct the gaps; and
  • adjust their policies and processes for continuous improvement.

Conclusion

A good cybersecurity strategy is built not solely on systems, but on a rigorous plan, a prepared team, a solid legal framework, and a proactive organizational culture. By using all these pillars, companies can truly protect what matters most: their reputation, their data, and their customers’ trust.

For detailed advice on how to develop a customized plan to strengthen your company’s resilience to cyber threats, contact Miller Thomson’s Privacy and Cybersecurity group.