The federal government is mulling “safe-harbour” disclosure rules for companies that fall victim to cyber attacks, according to documents obtained by The Logic, amid concerns that it lacks insight into the cyber-insurance industry at a time when ransomware attacks have proliferated.
Safe-harbour rules are legal provisions that typically allow companies to sidestep some liabilities or penalties, provided that certain conditions are met. Such a move could come alongside stricter reporting requirements for the private sector, placing fresh obligations on companies as regulators seek to restrain ransomware attackers.
In an internal report by Public Safety Canada, obtained by access-to-information request, government officials warned that they had only “limited” insight into the cyber-insurance industry, in large part because many security breaches go unreported by companies. The existence of non-disclosure agreements in some insurance policies has further added to that lack of reporting, the document says, which “impacts the ability of law enforcement to initiate or advance an investigation.”
Talking Point
The introduction of safe-harbour provisions could involve new obligations for companies that suffer ransomware or other cyber attacks. Potential changes, floated in a Public Safety Canada report obtained by The Logic, come as the government seeks more insight into the country’s relatively young cyber-insurance industry.
Public Safety Canada did not provide The Logic with further details on the safe-harbour rules. Safe-harbour proposals from the April 2021 report have not yet been brought before the minister, the department said.
The department’s concerns come as the cyber-insurance industry reels from a sharp increase in ransomware and other attacks in recent years, intensified by a global pandemic that forced many companies to accelerate the digitization of their operations. The number of ransomware attacks in North America leapt 151 per cent year over year in the first half of 2021 alone, according to a study by SonicWall, a cybersecurity provider. That has tested the financial limits of insurance companies, which have dramatically hiked premiums in recent years to cover higher rates of payouts.
To better track cybercrime in Canada, Public Safety officials have in turn floated recommendations to step up companies’ disclosure when breaches occur, which “could include the development of safe-harbour disclosure rules,” the report says.
The shift would follow a similar proposal brought forward in the U.S. in October by Sen. Elizabeth Warren and Rep. Deborah Ross, whose Ransom Disclosure Act would force companies to disclose security breaches. The bill would also force companies to disclose the type of cryptocurrency they may have used to pay ransoms.
Currently, Canadian companies are required to report security breaches to the federal privacy commissioner, but only if the company deems there to be a “real risk of significant harm” to itself or to third parties, according to the government’s website. Disclosure rules also vary by the province where the company is based; Alberta, British Columbia and Quebec all have their own privacy laws.
Other regulators have already begun tightening their reporting requirements. In an updated advisory this summer, the Office of the Superintendent of Financial Institutions (OSFI) removed a threshold that said only security breaches of “high or critical severity” would need to be reported to the agency. Federal institutions must now report any cybersecurity incident, the update said. It also trimmed down its allowable reporting period from 72 hours after an attack to within 24 hours.
The cyber-insurance industry has been under financial pressure as cyber attacks became more frequent during the pandemic, exposing a relatively young industry compared to legacy areas like auto or life insurance. Many Canadian firms remain uninsured. Only 15 per cent of the 300 business owners surveyed in a recent Leger poll had standalone cyber-insurance policies.
“The danger for the insurance companies is they don’t have decades of actuarial data to tell them how likely it is they’re going to have to pay out,” said Brent Arnold, partner at law firm Gowling.
Cyber insurers, increasingly leery of mounting payouts, have hiked premiums as a result. Direct-loss ratios, which measure an insurance company’s total paid claims versus its total premiums, spiked to nearly 499 per cent in the second quarter of 2020, up from 154 per cent the year before, according to the Public Safety report, citing OSFI data.
The jump was widely attributed to a spike in remote work during the pandemic, which limited the ability of companies to secure internal data.
The Public Safety report obtained by The Logic was part of a briefing note provided to Natural Resources Canada deputy minister Jean-François Tremblay.
Hackers target Canadian energy and utilities at nearly double the rate of all other industries combined, according to a document previously obtained by The Logic, creating “significant consequences for national security, public safety and the economy.”
The Northwest Territories Power Corporation suffered a ransomware attack in 2020 that led to a six-week shutdown of the public utility’s IT systems. Georgia-based Colonial Pipeline was forced to shut down its oil-pipeline network in May following a ransomware attack, suspected to have been carried out by Eastern European hacking group DarkSide. The company reportedly paid a ransom of roughly US$4.4 million.
Meanwhile, Public Safety’s report also raised concerns about insurance policies that cover ransom payments, known as extortion coverage, saying they could heighten a company’s risk. Hackers will sometimes determine that payments will be more forthcoming from companies with extortion coverage, and select their targets accordingly.
“While obtaining cyber-liability insurance may make an organization feel safer, anecdotal examples suggest that it may increase their vulnerability,” the report says.
That has led some governments to propose an outright ban on ransom payments in an effort to snuff out criminal activity. Authorities in New York have proposed legislation to ban companies from paying ransoms, while Pennsylvania, North Carolina and Texas are floating policies to ban public institutions from paying cyber criminals.
Some experts are sympathetic to those concerns.
“It basically feeds the beast,” said Gowling’s Arnold. “The theory has always been that anything that sees criminals rewarded for this behaviour perpetuates the cycle of cybercrime,” he said.
Arnold has years of experience working with companies that have been the target of cyber crime, coordinating emergency response plans and sometimes hiring ransomware negotiators.
He cannot identify his clients for privacy reasons, but says recently they have included organizations ranging from a small contractor in the construction industry to a large Canadian public institution. Companies often choose to pay ransoms, he said, particularly in cases where data is sensitive, or if the release of data could trigger legal challenges from third parties.
Imran Ahmad, head of technology at Norton Rose Fulbright Canada, argued that assuming extortion coverage heightens a company’s risk could be an oversimplification, saying that insurance policies are often deeply complicated and come with a long list of conditions that could be indecipherable to outsiders.
“Just because a company has million-dollar extortion coverage doesn’t mean that there’s a million dollars sitting right there, or that the insurance company would pay it,” he said.