Who Bears the Loss When a Cybercriminal Diverts Funds?

The Issue

What happens when two innocent parties to a settlement agreement are victims of cybercrime resulting in settlement funds being misdirected to a fraudster? The recent Ontario Small Claims Court decision St. Lawrence Test & Inspection Co. Ltd v. Lanark Leeds Distribution Ltd. and Mark Schokking, 2019 CanLII 69697 (ON SCSM) (“St. Lawrence”) considered this issue. As Kelford, DJ succinctly states:

The Plaintiff and Defendant were both innocent victims of a “cybercrime” which resulted in the loss of funds which were paid by the Defendants to settle the Plaintiff’s claim. Both parties are innocent. Unfortunately, one of them must bear the loss.


OSFI Advisory Requiring Cyber Incidents be Reported Within 72 Hours Effective March 31, 2019

On January 24, 2019, the Office of the Superintendent of Financial Institutions (“OSFI”) published an Advisory setting out new requirements for Canadian federally regulated financial institutions (“FRFIs”) to report cybersecurity incidents within 72 hours of determining the incident is reportable. These new reporting requirements become effective on March 31, 2019.

The Advisory adds mandatory reporting requirements to OSFI’s 2013 Cyber Security Self-Assessment Guidance. The Advisory sets out when FRFIs must disclose cybersecurity incidents to OSFI and provides details of the required content of the disclosures. It is part of a constellation of efforts by OSFI to require FRFIs to address technology and cybersecurity incidents in a timely and effective manner.


New York Department of Financial Services Cybersecurity Regulation Requirements Applicable to Third Parties Now in Effect

With March comes Spring – and the full force and effect of the Cybersecurity Regulation of the New York Department of Financial Services (“NYDFS”). This includes requirements relating to Third Party Service Providers (e.g., vendors, suppliers, agents – the term Third Party Service Providers is defined in the Regulations). Canadian companies and financial service providers may be caught by these and other provisions of the Regulations and should review the applicability of these recently-in-force provisions.

The Regulation was first promulgated on March 1, 2017 and required banks, insurance companies, and other financial institutions and individuals who are, or should be, licensed with NYDFS (called Covered Entities in the Regulation) to comply with what some characterized as fairly onerous cybersecurity and data security requirements.
