Legal Strategies for Financial Institution Cybersecurity and Minimizing Risks

8 avril 2016 | Lisa Abe-Oldenburg

( Disponible en anglais seulement )

IT infrastructure, including data management and telecommunications, is becoming the nervous system, if not the brain, of many companies. The failure, interruption or security breach of this infrastructure, can have catastrophic business implications to financial institutions. With proper legal due diligence, corporate policies and contractual terms, the risks associated with the implementation of innovative technologies and cloud computing can be minimized.

The Cost of Cybersecurity

According to recent studies, the average cost of one security incident to an organization is $7.2 million. Yet in the financial services industry, the majority of organizations are spending only $1 million-$10 million annually on information security preparedness.

It is shocking to hear that most security breaches go unnoticed for a total of 205 days, allowing attackers time to further discover and infect an organization’s computer systems and syphon out valuable data. With multi-tenanted cloud service databases or shared technology platforms, the damages could be even more severe, as a single flaw or vulnerability in one area could allow an attacker to access not just one company’s data, but every other company on that system as well. Cloud service providers are prime targets, given the vast amounts of data that they often store, as well as the ease by which a criminal can sign up for their services to get access to their systems.

In addition, with the growth of the Internet of Things (IoT), more sensors and machines are coming online and communicating data without any human intervention, leaving vulnerable access points and further compounding risk. Other cyber threat access points include apps that are downloaded to employee mobile phones, tablets or laptops used for business under an organization’s bring your own device (BYOD) policy. Also, many open source software (OSS) programs used in proprietary software development are not secure.

Legal Best Practices for Cybersecurity

So what should a financial institution be doing from a legal perspective to address cybersecurity threats and ensure it is following best practices?

First, it needs to have up-to-date internal policies that cover current information security threats, data management, software development, OSS use, employee monitoring, employee privacy, BYOD, business continuity and disaster/data recovery.

Second, it needs to implement proper breach identification, assessment, blocking and notification procedures.

Third, a comprehensive review of all its legal contracts should be done, to ensure that they contain robust cybersecurity protection clauses and that there are no other terms in the contracts which could excuse an outsourced service provider or software and technology vendor from liability for their cybersecurity responsibilities.

Proper legal due diligence includes not just a document review, but also a risk assessment of the service provider and applicable legal jurisdictions, as well as compliance review of OSFI guidelines, Canadian privacy and banking laws, data storage requirements and third party relationship management.

New Contract Terms for Cybersecurity

Historical commercial contracts are no longer sufficient, as they fail to properly address cybersecurity. Key provisions of vendor and supplier contracts that need to be revised include definitions of “data”, “confidential information” and “material breach”, as well as terms dealing with confidentiality and permitted disclosure, service levels (SLAs), business continuity, testing, force majeure, audit, reporting, limitations on liability, disclaimers, warranties and indemnities, among others.

New provisions that must be added to commercial contracts include the definition of “information security incidents”, as well as terms dealing with security breach prevention and safeguards, security training, monitoring, identification, notification and handling of incidents, standards of encryption, data and storage media handling, testing and certification of deliverables and services for cybersecurity, security breach covenants including triggers and escalation processes, investigation and remediation assistance, impact statements and cost allocation for crisis management and public relations, among others.

How We Can Help

Most financial institutions have not yet updated their outsourcing contracts, or reviewed their vendor relationships, to provide enough protection for IT security. At Miller Thomson, we have developed extensive cybersecurity and technology law expertise to provide financial institutions with proper legal analysis, opinions and recommendations for corporate policies, contract terms and due diligence, as well as assisting with security incident management. Addressing cybersecurity risk is a board of directors’ duty that cannot be ignored. For more information or enquiries, please contact Lisa Abe-Oldenburg at or 905-415-6484.

Avis de non-responsabilité

Cette publication est fournie à titre informatif uniquement. Elle peut contenir des éléments provenant d'autres sources et nous ne garantissons pas son exactitude. Cette publication n'est ni un avis ni un conseil juridique.

Miller Thomson S.E.N.C.R.L., s.r.l. utilise vos coordonnées dans le but de vous envoyer des communications électroniques portant sur des questions juridiques, des séminaires ou des événements susceptibles de vous intéresser. Si vous avez des questions concernant nos pratiques d'information ou nos obligations en vertu de la Loi canadienne anti-pourriel, veuillez faire parvenir un courriel à

© 2023 Miller Thomson S.E.N.C.R.L., s.r.l. Cette publication peut être reproduite et distribuée intégralement sous réserve qu'aucune modification n'y soit apportée, que ce soit dans sa forme ou son contenu. Toute autre forme de reproduction ou de distribution nécessite le consentement écrit préalable de Miller Thomson S.E.N.C.R.L., s.r.l. qui peut être obtenu en faisant parvenir un courriel à