Agenda

Day One: Tuesday, February 15, 2022

10:15 EST

45 min

2020-2021 in Review: Cyber Predators on Steroids

Raheel Qureshi, Co-Founder and Partner, iSecurity Consulting

Mike Vamvakaris, Regional Director, IR & Cybersecurity Services, CrowdStrike

  • The unrelenting and overwhelming nature of cyberattacks in the last year
  • How and why attacks on health care organizations have escalated
  • Value of health information to threat actors
  • Nation states and eCrime actors and ecosystems
  • Trends in ransomware
  • Trends in phishing
  • Supply chain and data extortion methods
  • Role of “Access Brokers”
  • Malware as a service
  • Vulnerability intelligence

12:30 EST

45 min

Break

13:15 EST

45 min

Update on Cyber Audits and Insurance: Where Is Your Organization Most Vulnerable? Where Do You Stand on the Preparedness Spectrum? What Insurance Do You Require?

Alexander Rau, Partner, Advisory Services - Cybersecurity, KPMG Canada

Gareth Lewis, Vice-President Claims, Healthcare Insurance Reciprocal of Canada

Nicholas Studley, Vice President (Cyber Practice), Marsh McLennan

  • Establishing your threat baseline
  • Evaluating your readiness posture
  • Review of all systems, firewalls, anti-virus etc.
  • The need for regular cyber audit check-ups
  • What should be on the cyber audit check-list?
  • Where do you stand on the readiness spectrum in each area?
  • State of the cyber risk market
  • Underwriting cyber risk
  • What are your insurance coverage options?
  • Reading the fine print – What’s covered, what’s not?
  • Quantitative foundations for managing cyber risk
  • Cyber aggregate risk, silent cyber exposure, risk selection, reinsurance, catastrophic events
  • Trends in cyber insurance claims
  • Breach preparedness – key factors insurers consider when underwriting cyber insurance

14:00 EST

45 min

Threat Detection: What Is Considered Effective Monitoring and Surveillance?

Jeff Curtis, Chief Privacy Officer, Sunnybrook Health Sciences Centre

Lyndon Dubeau, Vice President, Innovations for Connected Health, Digital Excellence in Health, Ontario Health

Hacking, denial-of-service (DoS) and ransom attacks, botnets, new malware, phishing, identity theft, identity fraud, criminal copyright infringement, use of obsolete accounts, cloud risk and more. Have you made the critical transformations in monitoring and surveillance required for cyber safety?

  • External attacks: Need for comprehensive and advanced threat detection
  • Need for business-focussed cyber risk management
  • Critical transformations
    • Alignment around top business risks
    • Alerts to the right data out of a bottomless sea of data and alerts
    • Analytics for better intelligence and automation
  • What constitutes sufficient steps to meet legal obligations to safeguard and protect client/customer information

14:45 EST

15 min

Break

15:00 EST

45 min

How to Write a Privacy / Cyber Policy Employees Will Actually Follow and New Insights on Who Will & Who Won’t Comply

Erica Zarkovich, VP, General Counsel, Chief Privacy Officer & Corporate Secretary, LifeLabs

David Lahey, Founder & CEO, Predictive Success

Your policy contains everything it should. That’s the easy part! But is it working? Who is following it, who is not and why?

  • Content of the policy
  • Are employees aware of the content?
  • Do they understand it?
  • If they are aware of it, are they following it?
  • How do you know?
  • What stats and detection measures are in place?
  • What are the counter-motivations that create the gap between policy and reality?
  • How do you get employees to comply?
  • Are there certain sectors, positions or personality types more inclined to breach/follow policy and procedures?
  • Who is most inclined to go astray?
  • What training works for which personality type?
  • What incentives, disincentives or deterrence work, and for whom?

15:45 EST

45 min

Assessing Privacy & Cyber Security Team Bench Strength: Can the Team Do the Job?

Sean Mallen, Principal, Sean Mallen Communications

Steven Tam, Chief Data Governance & Privacy Officer and Assistant General Counsel, Vancouver Coastal Health Authority

  • Roles and responsibilities of the Privacy Office
    • Legal, functional and operational differences (CPO, DPO, GC, etc.)
    • Tools and reporting functionality to prevent and respond to PII risks
  • Roles and responsibilities of the CIO/CISO Office
    • Distinguishing IT and security
  • Responding to an incident; who does what, and according to what documents?
    • IRP – What does it look like? How long should it be, and how should it be coordinated? (Based on NIST)
    • Incident classification against roles and responsibilities
      • IT incident
      • Security Incident
      • Privacy Incident
    • Timely involvement of contractors and third party expertise
    • Communicating effectively with stakeholders and data subjects on an incident
  • Assessing effectiveness of roles and responsibilities
  • Public communication/managing client/public expectations regarding cyber incidents
  • Tension between legal and communications about what should be released
  • Media and public relations
  • Setting out strategies for maintaining legal privilege with respect to communications and documentation relating to the incident
  • Dealing with law enforcement

16:30 EST

End of Day One

Day Two: Wednesday, February 16, 2022

10:15 EST

45 min

Managing Privacy and Cyber Security Challenges of Remote Workers

Imran Ahmad, Partner & Head of Technology, Norton Rose Fulbright

  • The feeding frenzy for cyber predators when workers withdrew to hastily equipped home offices
  • Need for a specific policy for home workers
  • Advice on phishing, ransomware, portable devices, destruction of records, de-identification
  • 5G and IoT – critical concerns around cyber security and privacy
  • Is the cloud a safe place?
  • Business email compromise
  • Redefining the security perimeter
  • The zero-trust security model
  • Authenticating identification and identity attacks
  • Modern security principles around identities and data

11:45 EST

45 min

Vendor / Supplier Risk Management – Contracts with Agents – Avoiding the Pitfalls and Safeguarding Your Organization

Carole Piovesan, Managing Partner, INQ Law

  • What is the standard of care when it comes to selecting your service providers?
  • How do you assess the security of service providers? Can you rely on their privacy and security policies?
  • Where are you vulnerable when agents are managing your data?
  • Do they contract any of your work out to other companies?
  • What’s their policy?
  • Contractual protections
  • What data are they retaining?
  • What data are they returning?
  • Where is the cloud storing your data?
  • Who is responsible for breaches of your data?
  • If there is a breach of data held by the service provider
  • Can customer organization use the service provider’s policies as a defence?
  • Can the customer organization sue the service provider if policies were not followed?
  • Monitoring agent performance
  • What to do when the agent is falling short?
  • Managing risk and allocating liability
  • Vendor vetting and contract negotiation
  • What’s negotiable/what’s not?
  • What vendors and suppliers will and will not promise
  • Most contentious and most important contract provisions
  • Steps to mitigate risk when you can’t get the contractual terms you’re after
  • Checklist for evaluating how well you safeguard information in the hands of your third party providers
  • Formula for selecting options and services from third parties based on deemed acceptable risk level and sensitivity of information
  • Facebook/Cambridge Analytica

12:30 EST

60 min

Break

13:30 EST

45 min

The Incident Response Plan Panel and Fact Situation
How Will You Be Judged in the Aftermath of a Cyber Attack?

Moderator: Dan Michaluk, Partner, Borden Ladner Gervais LLP

Jaycee Roth, Associate Managing Director, Kroll

Jason S.T. Kotler, Founder, President & CEO, CYPFER Corp.

The incident response process can run away from an unprepared team and create unnecessary liability. Join our panel of experienced incident responders to walk step-by-step through an attack scenario so you understand incident response best practice and start preparing to achieve the optimal response.

  • Containment do’s and don’ts
  • What to communicate to stakeholders and the public, and when
  • How to establish a strong basis for a legal privilege claim
  • Sharing threat information and engaging with law enforcement. Why, when and how
  • The role of the experts – counsel, the incident response technical provider and the negotiator
  • When and how to pay a ransom
  • Interpreting the evidence – pitfalls, and why to avoid notifying based on speculation
  • When to notify and report – when and how to notify, handling multiple jurisdictions
  • Closing the file – when are you done and what does that involve? Recordkeeping considerations

14:15 EST

45 min

Private Actions & Class Actions – Tort Litigation – What Can You Expect?

Moderator: Alex Cameron, Partner & Chair, Privacy & Cybersecurity Group, Fasken

Ted Charney, Principal / Senior Partner, Charney Lawyers

Cathy Beagan Flood, Partner, Blake, Cassels & Gordon

  • Recent decisions and key developments in the caselaw
  • Overview of key causes of action in privacy class actions
  • The impact of parallel regulatory proceedings
  • Practical mitigation of privacy class action risk
  • Privilege considerations for cyber investigations

16:00 EST

End of Day Two