EY teams up with two other firms on cybersecurity

A new collaboration uniting cybersecurity, law and reputation management is a first for Canada and possibly the world.
Corporate Managers Working at the Table in Monitoring Room. Room is Full of State of the Art Technology. Computers with Animated Screens.

It’s an issue that should concern any organization. Executives are routinely asked if they feel ready to tackle emerging cybersecurity threats, to which the answer is “no.”

Recent research reveals this worrisome trend: either companies employ far fewer cybersecurity experts than they think they need; or they do not have a formal data protection plan in place; or they remain unaware of what their regulatory responsibilities are in the case of a security incident.

And there are few questions left about the costliness of sitting idle: a 2019 study by the Ponemon Institute, sponsored by IBM, found the average cost of a data breach in Canada is $4.4 million, making it the fourth most costly location for a cyberattack in the world.

While cybersecurity is an issue that lies with many, if not all, members of the executive team, chief marketers should take a particular interest in it, says Wojtek Dabrowski, managing partner at Toronto-based Provident Communications.

“You cannot pretend that bad actors and hackers and people who are seeking to compromise the integrity of your company’s systems are just not part of the marketing conversation,” Dabrowski says. “It creates a really significant blind spot that can do a lot of harm to the organization that you represent.”

It’s for that reason that Provident Communications today announced a new collaboration with EY Canada and the Canadian division of law firm Norton Rose Fulbright – the first of its kind in the country and possibly the world, according to the firms – that provides a single, integrated source for cybersecurity, legal and crisis communications expertise.

In addition to offering services aimed at helping organizations prepare and respond to cybersecurity incidents, the three firms are developing a “strategic playbook” – which they will seek to patent – that can help boards and management teams respond to an emerging data breach.

Planning is a crucial element of the offering, because, as the research shows, few firms currently feel adequately prepared to address threats before they emerge, according to Dabrowski. This is particularly true from a reputation management perspective – brand campaigns and other marketing tactics, for example, do little to restore trust in a company whose consumer data has been compromised, he says.

“Taking a bit of preventive medicine before you’ve actually got a problem could be less painful long-term than trying to put the genie back in the bottle once trouble hits,” he says, “and that applies across all the dimensions that our collaboration covers.”

The offering comes at a time when the volume, variety and sophistication of cyberattacks is growing. In a release, Yogen Appalraju, national cybersecurity leader at EY Canada, noted new regulatory and compliance measures “have introduced additional complexity that impacts the ability of organizations to rapidly respond to threats.”

Recent GDPR regulations and updated PIPEDA laws are two examples of legislation that force companies to be more accountable with how they handle customer data and disclosures, adding new complexities to the process, according to Appalraju.

“The best example of [this] complexity is knowing exactly when to report a breach to the regulators,” Appalraju wrote in an email to strategy. “It’s not always obvious in a complex and sophisticated attack exactly what happened, what data was impacted and to what extent the data has been compromised. So while the organization is attempting to discover what happened, immediately mitigate the threat and contain the damage, they have to in parallel consider what obligations they have to report this event to the regulators.”

Over the last year, Dabrowski says there have been a “couple of really clear signals that this is reaching crisis proportions,” including a number of high profile incidents. According to the Office of the Privacy Commissioner of Canada, more than 28 million Canadians were affected by data breaches between November 2018 and November 2019, including those impacted by the incidents at Desjardins and Capital One.

But more than that, Dabrowski says the nature of the threat itself has evolved, which is why a more integrated offering that spans cybersecurity and data, litigation and reputation management is needed.

When cybersecurity first became an issue for organizations, bad actors typically sought to ransomware a company’s systems in exchange for money, he says. “Now it’s gotten to the point where cyber security is becoming tied up, increasingly, with other challenges that CEOs face.”

Today, he says, hackers might disagree with an organization’s stance on the environment and seek to infiltrate its system to shame into action. Others may threaten to comprise the personal information of a company’s customers with the sole purpose of getting it to divest its “vice” stocks. “It’s creating this sort of universe of challenges that’s coming to express itself as cyber security.”