
Striking a Critical Balance Between Effective Cybersecurity and Compliance


This article was originally published by the Conference Board of Canada, Strategic Risk Council.

Richard Arthurs, National Governance and Risk Management Leader, MNP LLP

Imran Ahmad, National Leader of Cybersecurity, Miller Thomson LLP

Most industries are scrambling to assess the risk associated with their critical infrastructure assets and to understand how to prioritize those that are the most vulnerable to cyber attacks. This exercise is essential when building a compliance program that can serve as evidence for compliance with regulatory requirements, such as the Critical Infrastructure Protection (CIP) Standards created by the North American Electric Reliability Corporation (NERC) for the utility industry.

In recent years, compliance requirements have been driving significant investments in resources across many industries. One of the key challenges for organizations operating in the critical infrastructure space is the need to strike a balance between dedicating appropriate resources to compliance efforts on the one hand and responding to cyber attacks (large and small) in real time on the other. All organizations have limited resources, and the expertise and money required to design, build, document, and test controls, and then to collect evidence that they operate, can quickly consume a significant share of staff time and budgets.

Imagine a scenario where hackers are using new techniques that exploit weaknesses the standards set by regulatory bodies have not yet contemplated. Even so, in most instances hackers exploit known (often public) vulnerabilities to gain access to, and compromise, an organization’s network and data. Hackers do not focus on compliance standards: they focus on the weakest link in the bulk electric system (BES).

Accordingly, the critical balance between effective cybersecurity and compliance will need to take into consideration two competing mindsets. One is a risk-based mindset that can continuously find efficient ways to maintain compliance, and the other is a fast-moving mindset that thinks like a hacker. A well-designed, integrated team of people with expertise in multiple disciplines can establish this balance.

The Government Is Scrutinizing Critical Infrastructure

Shortly after his election, Prime Minister Justin Trudeau released copies of the ministerial mandate letters that he issued to his ministers. These letters outlined a broad framework for what ministers are expected to accomplish during their term, including specific policy objectives and challenges that need to be addressed.

The ministerial mandate letter issued to the Minister of Public Safety and Emergency Preparedness lists several priorities, most notably: “Lead a review of existing measures to protect Canadians and our critical infrastructure from cyber threats, in collaboration with the Minister of National Defence; the Minister of Innovation, Science and Economic Development; the Minister of Infrastructure and Communities; the Minister of Public Services and Procurement; and the President of the Treasury Board.”

Since the release of the ministerial mandate letter, the Minister of Public Safety and Emergency Preparedness, Ralph Goodale, has conducted a public consultation process in an effort to identify some of the challenges and opportunities that cybersecurity presents to Canada and Canadians.

The initiative was designed to build upon Public Safety Canada’s existing Action Plan for Critical Infrastructure 2014–2017, which outlines the government’s current strategy for protecting critical infrastructure from cyber threats. Broadly speaking, critical infrastructure refers to processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security, and economic well-being of Canadians and to the effective functioning of government.

The national strategy outlined by the Minister identifies 10 key sectors considered to be “critical infrastructure” that range from organizations operating in the energy and utilities space to those in the health and telecommunication industries.

The Canadian government has clearly recognized the importance of these sectors and, more so, has noted that leaving them vulnerable to a cyber attack could have a detrimental effect on how businesses carry out their day-to-day operations. If a significant cyber attack were to successfully compromise critical infrastructure, the effects could cascade across a variety of industries and sectors.

With this backdrop, it is no surprise that governments at every level are now expecting regulatory bodies to not only ask critical infrastructure stakeholders — including those operating in the energy and utilities space — to provide evidence of overall compliance with established cybersecurity standards, but also to demonstrate that they are prepared to effectively respond to potential cyber attacks.

How to Prepare

Given the ongoing expectation of cybersecurity-related compliance and the additional need to respond to scrutiny of their cyber incident response readiness, organizations in the energy and utilities sector need to adopt a multidisciplinary approach that incorporates risk management, cybersecurity, and legal expertise.

While one size does not fit all, we list four key steps that organizations can take to respond effectively to the dual requirement of compliance and overall cyber readiness, including incident response.

Step 1: Conduct a Full Critical Infrastructure Asset and Cyber Security Risk Assessment

A full critical infrastructure asset risk assessment is the first step to an effective and efficient compliance framework for Version 5 of the NERC CIP standards, which is a priority for most regulated entities in Canada.

A cyber risk assessment will help an organization identify strengths and weaknesses, and develop a strategic plan for management to ensure that its digital assets are protected from intentional or accidental misuse, loss, and abuse. This underpins the overall security of the organization. The exercise should be conducted regularly by external experts who can provide an objective assessment of the organization’s cyber posture by benchmarking it against recognized standards and industry best practices.

Many utilities rely on either their internal audit function or the IT function to engage external experts to conduct ethical hacking (cyber testing) exercises. This testing ranges from phishing e-mails, social engineering, and physical security breaches to denial of service attacks and direct penetration tests, carried out by testers whose goal is to expose vulnerabilities without causing harm to the grid or related systems.

The results of these tests make it easier to identify the risk exposure of each regulated entity, and they are proving to be extremely valuable inputs to an effective board-level IT governance program.

Step 2: Build a Risk and Control Framework (Optimizing Effective and Efficient Controls)

At the end of the day, all regulated entities need to place significant reliance on effective and efficient controls to mitigate the risk related to real-life hacking attempts and provide evidence of compliance with recognized standards. They should place emphasis on maximizing the cost-effective use of preventive and automated controls. These are controls that stop the risk before it happens and can operate with little or no human intervention. An excellent example would be the use of security access cards that only allow admittance to high-risk locations to specific, pre-approved people.

Step 3: Consider “Legal Privilege”

If an organization has not yet conducted a full cyber risk assessment, or has not done so for a long period of time, the reports generated in the course of the assessment may be susceptible to unwanted production and discovery should the organization become engaged in litigation related to a cyber attack. To prevent the disclosure of sensitive information, documents, reports, or investigations, serious consideration should be given to involving legal counsel as a means of potentially asserting “legal privilege” in the event of litigation.

While legal privilege is not an absolute shield, it can give an organization the right to refuse production of particular documents in the course of discovery. If the documents are created by counsel, external or internal, an organization can claim legal privilege where the report was generated as a communication between client and solicitor. The privilege extends to communications made for the purpose of seeking legal advice from a solicitor, whether or not litigation is involved. A successful claim for privilege essentially excuses a party from its legal obligation to produce those documents to the opposing party.

By having counsel involved with the risk assessment, organizations will have greater ease claiming that the investigative reports generated should be protected by privilege. The last thing any regulated entity wants to do is provide the hackers with information on their greatest cybersecurity vulnerabilities.

Step 4: Create a Clear Roadmap to Prioritize Allocation of Resources

Based on the results of the assessment, organizations can make informed decisions about which vulnerabilities are critical from a cybersecurity standpoint, which remedial steps need to be taken, and which of those steps should be addressed first. This road mapping exercise is particularly important because it will guide management teams (and the board of directors) in allocating the necessary resources.

This road mapping should be integrated with a customized risk management framework that will identify risk to leadership and the board. This will show where net risks (risk net of controls and mitigation plans) related to cybersecurity or compliance are still in excess of the board’s risk tolerance. IT governance should continuously manage the expectations of the board and leadership, to let them know if incremental investment is needed to reduce risk even more (within the defined risk tolerance and appetite).

Cyber threats constitute a significant and unique risk to organizations operating in the critical infrastructure space. Therefore, organizations require a multidisciplinary team that can help decision-makers balance the challenge of allocating appropriate resources for compliance on the one hand and responding to cyber attacks (large and small) in real time on the other. This is particularly true given the interest of governments and regulatory bodies in securing Canada’s critical infrastructure. The team should consist of experts with knowledge of the industry, the reliability standards, risk management, audit, cybersecurity testing, and cyber-specific legal counsel.

At the end of the day, no entity wants to be seen as the weakest link in the bulk electric system.

Contact Richard Arthurs, CPA, CMA, MBA, CFE, CIA, CRMA, QIAL, National Leader – Governance and Risk Management, Enterprise Risk Services, at 587.702.5978 or [email protected].