Cyber attacks on Canadian organizations are surging, and the legal and governance frameworks companies rely on are struggling to keep pace. "We are in yet another wave of major attacks," says Adam Kardash, co-chair of Osler Hoskin & Harcourt LLP's national privacy and data management practice. Large-scale ransomware, data exfiltration, supply chain compromises, AI-assisted intrusions, and attacks on critical infrastructure are all rising simultaneously, he says, and the volume, scope and intensity of serious incidents hitting his practice are unlike anything he has seen before.
For organizations still treating cybersecurity as an IT problem, both Kardash and Travis Walker, a partner in the cybersecurity and data privacy group at Norton Rose Fulbright, say the reckoning is overdue. "These are enterprise organizational level risks and the governance really needs to reflect that," Walker says. That means board-level oversight, cross-functional accountability, and response plans that are regularly tested and updated. The board's role has evolved beyond asking whether someone in IT is keeping the company safe: directors need to understand how cyber risk intersects with every part of the business and satisfy themselves that management has the resources, policies, and processes to address it continuously.

[Photo: Adam Kardash]
Kardash frames the foundation similarly – information security governance, he says, is the non-negotiable starting point that must extend through the supply chain. "It's going to be a continuous battle for organizations across all sectors to deal with the evolving threat actor landscape," he says, adding that excellent governance, properly resourced and reported upward, is how organizations limit damage when an attack comes.
Data governance sits alongside information security as a companion discipline that warrants greater organizational focus. Kardash is direct about the connection, noting that the more data an organization holds and the longer it keeps it, the greater the attack surface it presents. Data retention failures, he notes, have been a feature in many of the largest incidents over the past 15 years – organizations discovering during a ransomware event that threat actors have exfiltrated records they did not even know they still held. Walker has seen the same pattern: clients facing notification obligations over decade-old data, exposed because no one had thought to destroy it.
Supply chain risk is where both lawyers see the most persistent and underestimated exposure. "You can have a huge spend on security and have the best tools and processes in place, but… it's a matter of who's the weakest link in the chain," Walker says. Third-party vendors who interface with an organization's network or underpin its operations are a difficult entry point to manage, and Walker points to a recurring problem: the contractual mechanisms or resources to audit vendor practices or compel disclosure during an incident are simply not in place. When an attack comes through a supplier, organizations often find themselves without the necessary levers, and facing inadequate liability caps and indemnity exclusions that leave the victim footing the bill.

[Photo: Travis Walker]
When a major incident does hit, the first call Kardash typically receives comes from a general counsel – usually on a Friday afternoon or over a weekend. From that point, external counsel typically becomes deeply embedded in the response, working with the client multiple times a day in the early stages. In his experience, the most demanding aspect of the response effort for major data incidents is communications: "Legal ends up playing an outsized role in ensuring consistency and appropriate communications tailored for the range of stakeholders" – regulators, employees, customers, and the public. Organizations that have navigated a serious incident before move more quickly; those that have not rely on external counsel to carry much more of the load, which is why Kardash stresses the value of building those relationships before a crisis hits. Getting outside counsel and forensic firms familiar with the company in advance – not just placing them on a roster – makes a material difference when the call comes on a Friday.
Cyber insurance has become a standard part of the incident response ecosystem, but the relationship between insurer and policyholder during an active incident is not always straightforward. Walker describes a dynamic that has matured considerably: insurers now ask detailed questions about security controls at the application stage, reflecting a far deeper understanding of risk than existed a few years ago. When a claim is triggered, the insurer needs information to assess exposure and set reserves, and that creates tension that external counsel must navigate. Experienced counsel understands what insurers need to adjudicate a claim and can help facilitate that process without inadvertently harming the client's position. The sanctions check required before any ransom payment is one area where insurer and policyholder interests align directly: if the policy covers extortion payments, the insurer needs to satisfy itself that the payment does not involve a sanctioned party just as much as the organization does.
Privilege protection is a threshold issue that must be addressed at the outset of a response, not retrofitted later. Walker points to the LifeLabs, 2024 ONSC 2194 (Div Ct) case – in which the court upheld the Information and Privacy Commissioner's finding that a forensic report was not privileged – as a ruling that sent a shockwave through the legal community. His reading of the case is that it did not fundamentally change the law but clarified that privilege is not automatic. Facts are not privileged; only legal advice, which can include information from experts enabling that advice, and communications made in anticipation of litigation, are protected. "It's not just as simple as saying… a lawyer commissioned this report, it's automatically privileged," Walker says. Structure matters: who retained the forensic firm, who receives the work product, and whether the investigation was genuinely directed toward obtaining legal advice or was simply the ordinary course of getting systems back online. In multi-party supply chain incidents, a common-interest privilege agreement can allow organizations and their insurers to share privileged information without waiving protection, provided their legal interests remain aligned – though Walker cautions that if the relationship turns adversarial, that protection may not hold.
Ransom payment decisions carry legal dimensions that many organizations do not anticipate. Walker notes that while data suggests the number of payments is declining – a sign of improved preparedness and resilience – organizations in operationally critical situations sometimes have little choice. Threat actors now routinely combine system encryption with data theft, threatening to publish stolen information as a secondary form of extortion, even for organizations that can restore from backups. A sanctions check is mandatory before any payment proceeds: paying a ransom to a sanctioned individual, entity, or country is illegal, and both the organization and its insurer must verify this. "These are criminals that you're dealing with," Walker says, and legal obligations from the incident apply regardless of any assurances the threat actor provides.
On the regulatory and policy horizon, both lawyers are watching a set of bills that could make the second half of 2026 significant for Canadian organizations. Reintroduced federal critical infrastructure cybersecurity legislation is moving through Parliament and will impose supply chain obligations on technology companies that supply regulated sectors, even if they do not fall directly under the act. Federal privacy reform remains pending, with the existing legislation now more than 25 years old. A lawful access bill drawing scrutiny from technology companies – with provisions on metadata retention and what some privacy advocates say are encryption backdoors – adds further complexity. The federal government's long-awaited national AI strategy is also expected imminently. Walker's advice to clients is to prepare: "As this stuff gets tabled, start planning now."