and In a recent announcement, the Canadian federal Privacy Commissioner of Canada (“OPC”) released a report containing recommendations on how AI should be treated under Canadian privacy law, and what protections need to be in place to ensure AI applications reach their potential without negatively impacting privacy rights of Canadians. The report entitled “A Regulatory Framework for AI: Recommendations for PIPEDA Reform” is the result of the consultations with stakeholders earlier, as discussed in our previous blog article, earlier in the year. The Commissioner received 86 submissions and held two in-person consultations.
Almost concurrently, on November 16, 2020, the federal government announced a tabling of legislation that will overhaul Canadian privacy law, namely, Bill C-11, “An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts.” We reported on Bill C-11 and the proposed replacement of Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), being the Consumer Privacy Protection Act, in our first article in a series on the potential impact of Bill C-11. The Commissioner released a statement shortly after Bill C-11 was announced, commending many of the proposed changes, such as increased enforcement and order-making powers, but Commissioner Therrien also voiced significant concerns. In particular, the OPC is concerned with how the new law does not place privacy rights in the context of individual and human rights and fails to entrench it as such in the proposed Bill C-11.

This article was written by Myron Mallia-Dare and David Krebs from Miller Thompson LLP and published in Lexology on December 7, 2020. Myron is an advisor to the CRTA.

​In the final blog of our Cyber Series, in partnership with Cube Global Vignesh Krishnamoorthy, explores the third-party risks presented by the ‘new normal’.

Work from anywhere. Cyber everywhere.
The COVID-19 pandemic forced business leaders worldwide to respond with unprecedented speed and efficiency to the new ways of working,  innovating, responding, collaborating, transacting… and surviving. Now, as organizations begin to plan for a post-pandemic world, they must ask themselves, “how can we make new ways of work productive, sustainable, secure, and safe?”

As COVID-19 spread from person-to-person, country to country, and beyond, Cyber delivered the integrity and availability of the networks needed to “work from anywhere” and the confidentiality to transact and transform with confidence across geographies.  For the world to continue to thrive in this new remote and virtual environment, even as COVID-19 wanes and surges in various regions, organizations will need to:

• Establish a foundation of trust,
• Adopt a “Cyber Everywhere” mindset,
• Embrace a culture of perpetual resilience,
• And lead from the front.

Many organizations already have determined they will never return to “business as usual” or “business before COVID” because they have seen increased productivity from allowing employees to work from home and they want to lock in those benefits. However, to thrive in this next normal, organizations need a sound strategy for managing Cyber risk. A “Cyber Everywhere” mindset is required. It means understanding the pervasiveness of Cyber and meaningfully embedding it in innovation, strategy, and process to ensure that Cyber enables the success of every initiative, allowing organizations to move more quickly, effectively, and securely.

Within every industry, organizations face challenges to both support their remote workforce and rapidly adopt online services and customer support channels. To address these challenges, organizations may now rely more on suppliers that provide remote access technologies or support essential services. However, the supply chain also introduces increased risk to these organizations as they serve as an extension of their operations.

Organizations need to understand the full landscape of risk third parties pose including, but not limited to, reputation, business continuity, financial viability, and privacy. From a Cyber risk specific lens, suppliers that lack the appropriate security controls for remote work expose their clients to Cyber-attacks that could compromise data or create system downtime, resulting in operational disruption and financial loss.

To reduce risk exposure from the supply chain, organizations must enhance existing risk frameworks to assess suppliers from a remote risk perspective. Clients should focus on the following three principles to ensure risks in their supply chain are effectively mitigated.

1. Identify and re-prioritize critical suppliers.
   The massive shift towards remote working requires organizations to prioritize suppliers that have a direct connection into their environment or provide a critical process for their operations. Suppliers that connect directly to any infrastructure should be assessed to verify that their security controls protect their remote workforce and do not create any additional risks for the organization. The suppliers an organization may have de-prioritized due to the lack of strong organizational controls may now be at higher risk as those controls are no longer enforceable and controlled by the parent organization.
2. Accelerate the review of critical suppliers.
   With the changing risk landscape post-COVID-19 – organizations have accepted a degree of risk with the shift to employers and suppliers remotely working from home.  It is recommended that organizations accelerate the review of these critical suppliers. Focus and priority should be put on suppliers at the top of the revised prioritized risk ranking as this will help the organization get a more accurate view of its supplier risk.  This would also be a good time to catch up on the backlog of suppliers that may not have been assessed in a timely manner – particularly if they have been prioritized as a higher risk.
3. Enhance the supplier risk frameworks.
   Organizations should anticipate key entities within their supply chain establishing a permanent remote working environment as organizations observe continued productivity and lowered costs. Through its key clientele in all key industries, Deloitte anticipates a shift towards permanent remote working for a majority of the organization’s employees. Organizations can use the shift towards remote working as an opportunity to enhance their supplier risk frameworks and establish a methodology that considers risk associated with remote working at the forefront. In doing so, they can take a proactive approach to their risk management by anticipating a future state of work where the majority operate remotely.

Accelerating security imperatives of the future

As we are experiencing changes in our societal values, how businesses operate, and what customers demand, many leaders are thinking about the longer-term impacts of the pandemic and how their organization can achieve results in the future. In this new reality, organizations will serve customers differently, engage their workforce through evolving delivery/employment models, and face an increasingly complex threat landscape – and businesses have the opportunity to use cyber as a strategic differentiator to create a resilient enterprise of the future.

Ask the experts​ On 25th August, the CRTA and CUBE will be hosting an audience-led roundtable discussing the new normal for cyber.

1. Register for the roundtable
   If you’ve got a question for Vignesh or any of the other experts, please use the link below to submit it.
   Ask a question

​
​As an International Web Scientist, I can tell you that by the end of 2019 over 50% of the world was online, over 4 billion people. The global online community has been increasing approximately 10% per year since 2005. The world wide web is a fabric of permanence which technology has been leveraging to connect the world, the so-called globalisation of our society. This technical revolution has benefited every connected person based on their use of the technology. However, it has its dark side.

Based on an IBM survey, 77% of all organisations are not prepared for a Cyber Crisis. Insider threat is still a real risk, and we have come to associate this risk with exposure of personal data.

Based on 2019 data exposure report, 69% of companies admit that employees and contractors were the source of the leaks, obviously these were not predominantly malicious.
​
As part of the ITU survey for 2019, in 40 of the 84 of the countries less than 50% of the population has basic computer skills. It may surprise you to know that basic digital skills were considered by ITU to be whether staff could copy files or use email.

On May 20th, 2020, the CRTA hosted the third session of our Spring Webinar Series entitled: Instilling Trust Through Sound Data Governances Practices



Moderated by:

• Vivek Bhanot, Vice President, Head of Data Management & Analytics, Paradigm Quest

Featured panelists:

• Laila Paszti, Technology and Privacy Lawyer, Norton Rose Fulbright
• Keith Jansa, Executive Director, CIO Strategy Council
• Ajinkya Kulkarni, Senior Director – AI Strategy, Royal Bank of Canada

With data at the nexus of digital transformation efforts that are taking place across a wide spectrum of public and private sector organizations, a scalable and sustainable approach to data governance is crucial for success. The diverse composition of backgrounds and experiences from our subject matter experts made for a thought-provoking and highly informative conversation from which I’ll highlight two key themes that emerged:

Moderated by: Doron Telem, National Leader, Risk Consulting, KPMG

• Paul Finlay, Machine Learning Lead, Trustworthy AI, Xanadu.ai
• Jessie Lamontagne, Data Science and Model Innovation, Scotiabank
• Steve Sweetman, Principal Program Manager, Ethics and Society, Microsoft

 
Are we ready for the power of AI?  Is it still a tool that’s too complex, too perplexing to give agency to and implement in professional environments? We know it’s already running in the background of our daily lives, collecting and analyzing, predicting and tailoring, but how do we decipher the mystery and realize its potential?
 
We’re now producing a massive amount of data, making it increasingly difficult and unwise to analyze and model using traditional approaches.  We are at a decision point.  The advent of artificial intelligence and machine learning presents us with tools with limitless potential to solve increasingly complex problems.  It also presents us with unique risks.  Understanding these risks is a step towards better utilization.  Recently, 3 drivers in the implementation of AI were discussed at a session presented by the Canadian Regulatory Technology Association.

On May 13, 2020, we hosted the first session of our Spring Webinar Series – Conquering the Complexity – Managing Third-Party Risk
 
Myron Mallia-Dare, a technology and business lawyer from Miller Thomson, led this timely, informative discussion with:

• Ally Karmali, Associate Partner, Practice Lead, Risk and Compliance, IBM
• Justin Muscolino, Head of North America Compliance Training, GRC Solutions (Pty) Ltd.
• Riley Tighe, Product Manager, IT Risk, Resolver Inc.

 
This event will be available for replay on June 2, 2020 at 4pm.  To Register 

Highlights
While artificial intelligence (AI), blockchain and other emerging technologies are bringing new risks and new third parties to the table, both risks and vendors have taken on increased importance due to COVID-19.  Some new risks are temporary, some permanent.  COVID-19 may increase the adoption of third-party solutions but may also bring new scrutiny to them.
 
The new COVID-19 world puts third-party-, enterprise- and business-continuity risk-management programs in the limelight and has exposed holes in programs that might not otherwise have been identified.  Firms are at different levels of maturity when it comes to these programs.  Those at the forefront are already re-evaluating and making plans to reset; they are going back to basics to ensure that the very foundation of their programs is strong, reflecting on what is a critical vendor, levels of risk, and so on.  They are working to identify and address future risks that may arise from COVID-19 and what we have learned from it.

One of the positive outcomes emerging from the COVID-19 pandemic is the dramatic improvement in air quality the world has observed from reduced fuel emissions and air- and water pollution.  Within weeks of India imposing its nationwide curfew, the Himalayan Mountains could be seen clearly from as far as 200 km away for the first time in 30 years; satellite images show a dramatic change in the clarity of the Venice lagoons, with fish once again visible in the canals.   And the reduction in harmful gases (carbon dioxide and carbon monoxide) in dense urban centres like Manhattan, Seoul and Wuhan are projected to have positive health benefits (potentially resulting in fewer premature deaths) for those most vulnerable to respiratory illness. 

While these are all encouraging signs, experts are quick to warn that behavioural changes from the global lockdown are not a long-term solution to the impact of climate change on our environment.  Many expect these benefits will disappear quickly once the economy re-opens, which calls into question whether this is a pivotal point for the world to consider how re-entry should be designed.  To continue the momentum that this unprecedented crisis has kick-started (the ‘silver-lining’ as it were) scientists, government and business are calling for a thoughtful approach to re-entry that takes a longer-term view of climate change.  This was also the view expressed by Bill Gates last month in his observation about how encouraged he is at the thought of “innovation and science and the world working together” to address climate change.  

At this pivotal juncture, corporations should consider what role they wish to play to support these measures.  While changes in public behaviour may continue to have positive influences as the world adjusts to our new “normal” until such time as a vaccine is developed (e.g. continued reduction in harmful air pollutants from less road and air travel), the opportunity to leverage the world’s consciousness about climate change has never been greater.    For corporations searching for the next strategic opportunity for investors, channeling both intellectual and financial capital towards initiatives with the potential to influence change could be the salve the world needs right now – the hope for our future and for that of generations to come.  Investing in technology to better support carbon capture, renewable power generation, new agriculture strategies and cleaner modes of transportation are opportunities that have never been put in the spotlight as clearly as they have as a result of COVID-19. 
​
If there is an opportunity to be gained from this global crisis, it is one where collaboration amongst government, scientists and investors could reap great benefits for climate change through greater enablement of clean technology solutions.   

Written by Sylvia McGratten
Strategic Advisor, Canadian Regulatory Technology Association 

 

With the first quarter of 2020 coming to a close, there is a growing and almost universal sentiment that we would all like a redo on the year. As they say, hindsight is 20-20 (no pun intended) but it would have been nice to have had better foresight into how best to deal with the operational issues and risks that firms are facing right now.

Many, if not all, financial institutions (FIs) have enacted a variety of measures to minimize the spread of the COVID-19 virus and the Canadian FIs are all working diligently and in concert with other global banks to formulate and implement strategies to mitigate the spread of COVID-19, while still maintaining sales and trading activity and all associated operational procedures.

​So what exactly are firms doing?