WHITE PAPER: 2021 Outlook for Canadian Board Cybersecurity

This article was a Whitepaper published in 2021, click here to find our latest whitepapers.

As of January 2020, the estimated cost of cybercrime in Canada, including both individuals and businesses, was $3 billion. The corporate cybersecurity landscape changed significantly after that due to the pandemic. Before March 2020, much of the existing digital security infrastructure was designed to work either in or from a company’s physical offices. Only some key employees were given secure remote access through VPNs or other means.

2021 Outlook for Canadian Cybersecurity

All of that changed in March 2020, when many businesses had to adopt teleworking. As of November 2020, 64.9% of Canada’s workforce was working remotely, according to Statistics Canada. This trend is due to continue, with Canadian businesses reporting an increased willingness to let their employees work from home once the pandemic is well under control.

The shift to working from home happened at a time when executives were just starting to become comfortable with cloud software solutions, with some holdouts still believing that the cloud was insecure. “CIOs need to ensure that their security teams are not holding back cloud initiatives with unsubstantiated cloud security worries,” says Jay Heiser, Vice President Analyst, Gartner. “Exaggerated fears can result in lost opportunity and inappropriate spending.”

There is a common misconception that cloud technology is inherently unsafe because data isn’t stored on a physical device which a company has control over. These fears are largely unfounded and are based on media headlines about large-scale hacks which usually happen through successful fake email campaigns. These types of incursions have nothing to do with where the data is stored, but how it is accessed. In many cases, high-profile hacks such as the October 2019 attack on LifeLabs would have happened regardless of where the server was located.


In addition to transitioning to the cloud, businesses also had to face increased risk
in the cybersecurity landscape at the start of the pandemic. Hackers rightly saw the
opportunities available to them with so many employees going remote, especially in
sensitive sectors such as financial, healthcare, and government.
The Canadian Centre for Cyber Security is a new agency formed by the Canadian
government to combat such threats and educate the public and businesses. Its report,
National Cyber Threat Assessment 2020, has a number of key findings that boards should
pay attention to:

  • Cybercrime continues to be the most likely threat which will affect Canadian
  • businesses
  • Ransomware will continue to target large enterprises and infrastructure
    providers; the average ransomware payment in Q1 of 2020 was $150,000
  • The number of threat actors is rising, and they are becoming more
  • State-sponsored actors will continue to conduct industrial espionage
  • Managed Service Providers (MSPs) are the favourite target of threat actors


Data privacy laws are inextricably linked to cybersecurity. A cybersecurity strategy and
proper execution are part of the proactive measures necessary to ensure that a business
is not hit with hefty fines if it has a data breach. As such, cybersecurity is not just about
safeguarding sensitive data, but managing potential regulatory risk.

Several data privacy regulations govern Canadian business, but the one to watch out for in
2021 is the new Digital Charter Implementation Act. While it is only in the draft legislation
phase as of December 2020, it is due to come into force in 2021.

The new Act will bring Canadian data privacy laws in line with other countries and
jurisdictions, most notably the EU’s General Protection Data Regulation (GDPR), in terms
of the enormous fines a business will be subject to if a customer’s personal data is not
appropriately safeguarded and customers are not notified of a data breach. In fact, the
new Act imposes fines greater than that of the GDPR, with maximum fines of five percent
of a company’s global revenue or $25 million, whichever amount is greater. Borden Ladner
Gervais LLP has put together an excellent breakdown of how this new law will affect
Canadian businesses.

In addition, companies will need to use plain language rather than a lengthy legal jargonfilled agreement in order to use personal data.

The cybersecurity and regulatory landscape are ongoing challenges that should be
taken into consideration when a board helps to guide the creation of its company’s
cybersecurity strategy for 2021.


The 2020 EY Global Information Security Survey found that 34% of surveyed Canadian
businesses have not fully articulated their cybersecurity risk, compared with 16% of
global respondents. Rather tellingly, 43% of boards at surveyed Canadian businesses
cannot quantify cybersecurity risks in financial terms.

Yogen Appalraju, EY Canada Cybersecurity Leader, has this to say about how
cybersecurity teams should communicate with the board. “Cybersecurity teams must
learn to speak the board’s language to better communicate the severity and business
impact of different risks. Increased education and engagement among this group should
trickle down into the business to drive awareness, while helping to secure the buy-in for
funding and resources needed to address growing threats.”

While it is important to quantify risks in financial terms, the board should also have a
holistic view of their organization’s cybersecurity risk and strategic plan.


The board’s responsibility is to stakeholders and investors, and as such is the last stop
for risk management. It is up to the board to ensure that the company has a sound
cybersecurity strategy, that the strategy is being implemented, and that dollar values are
assigned to cyber risk. There are several ways a board can help to work towards that goal,
and the first step is to form a cybersecurity committee.

This can include upper management, the Chief Information Security Officer (CISO),
legal, representatives from IT, and the top cybersecurity experts at a company. Regular
presentations of the committee to the board will ensure that the board is always aware of
the company’s cyber risk exposure.

Make sure that metrics are being delivered by the committee which can be included in
board reports. These metrics should assign dollar values to cybersecurity risks so that a
board has a clear understanding of the numbers, and cybersecurity risk financials should
be included in the company’s risk management profile.

The committee should also be instrumental in the creation of an annual cybersecurity
strategy, which is reviewed at each quarter for effectiveness and against established KPIs.


DiliTrust meets and exceeds cybersecurity best practices and is the trusted solution for some of
the largest enterprises in the world. All support is conducted in both English and French from its
Montreal offices.

DiliTrust offers its DiliTrust Governance suite, which is designed to automate the processes of legal departments and governance bodies.

This suite is composed of different modules, as follows:

  • Board Portal
  • Contract Management
  • Documentation Library
  • Entities Management
  • Litigation Management

Contact DiliTrust today for a demonstration of what the DiliTrust Governance suite can do for your organization.