Eighty-five per cent of Companies not Ready for Cyber Breach, According to Financial Executives

FEI Canada survey finds 98 per cent of executives are concerned about a breach, yet only 15 per cent are prepared

TORONTO, November 25, 2019: A survey conducted by Financial Executives International Canada (FEI Canada) among financial executives reveals organizations are not prepared to respond to a cyber breach that could significantly affect their operations. While 98 per cent of participants are concerned about a cyber breach, only 15 per cent have sufficient preparations in place in three critical areas of readiness:

  1. Legal
  2. Crisis communications
  3. Cyber insurance

Participants responded to survey questions on these three areas and were then given a risk score for each as well as an overall risk level for their organization.

“The results have shown that 34 per cent of organizations have been subject to a breach in the last five years,” said Catherine Fels-Smith, president of FEI Canada. “Organizations and their executives need to take control of their cyber breach preparation or risk significant damage that goes beyond data privacy.”

Key Findings

The results uncovered a significant disconnect between financial executives’ understanding and the reality of their organization’s current cyber preparedness.

  • Organizations not reviewing their cyber security risks. Results showed that 55 per cent of organizations have not conducted a cyber security risk assessment in the last 12 months, while 59 per cent do not test their plan annually.
  • Organizations not preparing across areas. When considering a cyber breach, 72 per cent do not have a cross-functional breach response team established.
  • Response teams are not adequately trained. A concerning 75 per cent do not run breach response exercises or training for their critical response team.
  • Small businesses least likely to be prepared. Businesses with fewer than 99 employees scored the lowest on readiness, with only four per cent prepared in legal, communications and insurance.

In the three critical areas of response readiness, the survey found:

  • 51 per cent do not have external legal counsel for support in the event of a breach.
  • 45 per cent do not have a crisis communications plan and only 20 per cent are currently developing one.
  • 35 per cent do not have cyber insurance and 10 per cent don’t know whether they have it.

Legal

In the event of a cyber breach, 51 per cent of participants do not have external legal counsel for support. Furthermore, 64 per cent of organizations do not conduct any due diligence on their suppliers or vendors to safeguard good cyber hygiene from third parties, while only 23 per cent say they do.

Does your organization conduct due diligence on its vendors to make sure they follow good cyber hygiene?

“Third-party vendors and suppliers are a frequent point of entry for hackers, so performing your due diligence on them is extremely important,” said Imran Ahmad, partner at the law firm Blake, Cassels & Graydon LLP. “Should a cyber breach occur, it is crucial for organizations to understand which laws and regulations apply to them, either within Canada or globally.”

Crisis Communications

While 62 per cent said their organization has the internal resources to handle communications in the event of a breach, only 27 per cent have prepared a crisis communications plan and 75 per cent have only a general communications plan or no plan at all.

Does your organization run data breach response training/exercises?

|  | Yes, more than once a year | Yes, annually | Yes, on ad hoc basis | No training / exercises | I don’t know |
|---|---|---|---|---|---|
| Crisis Response Team | 4% | 2% | 12% | 75% | 7% |
| Senior Leadership | 2% | 2% | 11% | 78% | 7% |
| Board of Directors | 1% | 0% | 4% | 86% | 9% |

“If forced to respond to a breach within 30 to 60 minutes, only 26 per cent said they could successfully deliver,” remarked Anne Lachance, managing partner and president at Kaiser Lachance Communications. “So, although participants may feel their organization’s internal communications team can handle a crisis in the event of a breach, the stark reality is that they are not prepared.”

Insurance

While 82 per cent of participants noted they have firewalls and anti-virus software that automatically update, 25 per cent noted they did not have a software or critical patch update policy and 41 per cent did not know. These are often relatively standard security protections which could be identified as conditions to obtain insurance coverage. Furthermore, only 55 per cent of participants with cyber insurance stated that they had identified external legal counsel that can assist them in a cyber incident.

“A stand-alone cyber policy assigns external legal counsel to act as a breach coach on the client’s behalf and is a key component of preparedness, should a breach occur,” said Greg Markell, president at Ridge Canada. “The study results reiterate the importance of clients being properly educated on their policy in order to activate and notice the policy accordingly, especially in a high stress situation. Executing on a plan becomes paramount.”

Reinforce Readiness

All executives – including those in financial roles – need to proactively and effectively prepare themselves and their organizations for a cyber breach. Organizations should consider the following tips on best practices:

  1. Establish a cross-functional breach response team
  2. Always perform due diligence on key outside vendors
  3. Prepare both an external and internal crisis communications plan, including designated spokespeople, points of contact for media, employees and stakeholders, and response plans for each role
  4. Clearly identify the information the organization holds, including where and how it is held
  5. Update the cross-functional breach response plan every six to 12 months, including crisis simulation exercises for the response teams

Methodology

This survey was conducted among FEI Canada’s network of members and stakeholders. The survey consisted of 43 questions, separated into three categories for assessments on legal, insurance and crisis communications readiness. Participants received a score for each section and overall assessment of their organization’s cyber breach readiness, tabulated from each participant’s answers.

This survey was developed in partnership with Blake, Cassels & Graydon LLP, Kaiser Lachance Communications and Ridge Canada, and this is its first iteration. The group will continue to collect responses on this matter and share findings.

Take the survey to find out your readiness score: FEI Canada – Cyber Vulnerability Assessment

About FEI Canada

Financial Executives International Canada (FEI Canada) is a leading industry association for senior financial executives. With 12 chapters and 1,600+ members, FEI Canada provides professional development, networking opportunities, thought leadership and advocacy services to its members. www.feicanada.org

About Blake, Cassels & Graydon LLP

Blake, Cassels & Graydon LLP (Blakes) provides exceptional legal services to leading businesses in Canada and around the world. Our integrated network of offices worldwide provides clients with access to the Firm’s full spectrum of capabilities in virtually every area of business law. www.blakes.com

About Kaiser Lachance Communications

Kaiser Lachance Communications Inc. is a full-service communications firm with offices in Toronto and Montreal. We offer strategic and integrated communications services with an emphasis on corporate, marketing and financial communications. www.kaiserlachance.com

About Ridge Canada

Ridge Canada is a managing general agency co-founded by Secretary Tom Ridge, the first Secretary of Homeland Security, that deals exclusively with Canadian insurance brokers on cyber and privacy related risks. Ridge helps their clients understand, evaluate, and secure cyber insurance coverage tailored to their business. www.ridgecanada.insure

– 30 –