Imran Amhad is a Co-chair of the Cybersecurity & the Law Program at the Catalyst. He is Partner at Norton Rose Fulbright (Canada) LLP where he leads the technology practice and Co-Chairs the Data Protection, Privacy and Cybersecurity practice. As part of his cybersecurity practice, he works closely with clients to develop and implement practical strategies related to cyber threats and data breaches. He also advises on legal risk assessments, compliance, due diligence and risk allocation advice, security, and data breach incident preparedness and response. Imran authored Canada’s first legal incident preparation and response handbook titled Cybersecurity in Canada: A Guide to Best Practices, Planning, and Management (LexisNexis, August 2017). He has an active technology and privacy practice.
From contracts to crisis
Imran’s interest in cybersecurity law developed unexpectedly. 15 years ago, cyber wasn’t yet on everybody’s mind. Imran was doing contracts for clients when a cybersecurity breach happened. The client was a franchise model opening their first corporate location in Canada and Imran didn’t have experience in the area. They called him and asked him what to do. “It was the first time that I saw the intersection between law and business and the crisis that was going on,” he said.
Early on, Imran found his niche with cybersecurity law. It was a team sport. It was also an adrenaline rush, with high intensity within a short period of time. “You didn’t have a week or a month, you didn’t have time to write a formal memo. Decisions had to be made very, very quickly. That drew me to cyber.”
Knowledge from the ground up
Once he established his interest, there was both an immediate and ongoing learning curve. Imran identified gaps in his knowledge and sought counsel. For instance, given that he was a tech lawyer, not a forensic investigator, he called many forensic firms and inquired about how they conducted investigations. He toured digital forensic labs, and he leaned on experts to build his understanding. He also met with a ton of lawyers who were practicing in this area long before him, and he read a lot of articles and books. “Primarily, I was self-taught,” he says.
The moment cyber hit the headlines
For years, according to Imran, there wasn’t a lot of activity. There was even the thought of, why is this even an area? There was no Cybersecurity Act and Canada didn’t have a lot of journalists covering the cybersecurity beat, so it wasn’t something that was really front and centre. Then three major American companies got hit with a cyberattack, and the game changed. Target, Sony, and Home Depot were all in the press. It wasn’t just that they had a breach: their senior executives were being asked extremely difficult questions by Congress or other folks. Suddenly, it was an enterprise risk management issue, as opposed to solely an IT issue. Litigation ensued.
Breaking down OT and IT
Imran breaks down key buzzwords in the industry, starting with Operational Technology (OT). OT is more operational; it’s more administrative. Imran gives the example of an electricity company in the simplest terms. The aim is to distribute electricity, and your OT is a distribution network. It’s the system that distributes the actual electricity. When it comes to IT, the function would be more like following up on an invoice payment. Years ago, there was a separation between OT and IT, but now, each is dependent on internet access, which makes them interconnected.
We’re seeing more issues for utilities or critical infrastructures that are using OT, which historically were separated, now being a prime target for state sponsored attacks. And that’s not a one off. We’re seeing that across the board. In particular, over the last three years, as we’ve all seen, the geopolitical situation in the world is more unstable.
From the boardroom to the front lines
On the enterprise risk management front, Imran explains things through a diagram he is particularly fond of within the NIST cybersecurity framework. Senior leadership and the board sit on top, then there are the middle folks who tend to be more operations and the frontline staff members. There’s an arrow that goes all the way up on one side and an arrow that goes all the way down on the other side. “I found that super interesting because enterprise risk management is not just the IT department’s responsibility,” he says. “It’s not just the front-line employees who have to deal with it; it starts from the top but it trickles down to the support of the frontline.”
In simplest terms, enterprise risk management is the overall management of the risk within an organization. In the case of a cybersecurity incident, the organization has to assess the impact of their operations being down. They won’t be able to put out their product or services for a period of time. The net loss then comes into play. It’s not only opportunity and revenue, but also the additional capital and expenditures that must occur after the fact because stakeholders are demanding it. And aside from the risks of being sued or having to do a settlement, etc., there is the reputational impact. “If you’ve lost the trust of your key business partners or consumers, are you going to be a reliable brand?” he says.
Even today, when you ask me the question, was there a turning point? I gave you the example of three companies. And those three companies are still, across the board, identified with those breaches at any cyber conference. So those things matter.
A risk to a telecommunications firm is very different from an auto parts manufacturer. Some auto parts manufacturers could go down for a week, or two weeks, or three weeks; nobody would notice it. A telecom company went down for one hour, everybody would notice it. So very different risk and risk management strategies have to be applied for that.
A key challenge in cybersecurity is breaking things down conceptually. “It’s a different world, right?” says Imran. “We talk about criminals and hackers and people behind computer screens, not like a flood or a fire that people can easily identify in their head.” The specifics are even more complicated, for instance, discerning ransomware versus data theft. Imran comments that when people think of cybersecurity breaches, generally, they think of a young person sitting behind a computer, wearing a hoodie, and trying to break into the system. While that does happen, it’s not the majority. These are a highly sophisticated, mostly criminal group.
Finding potential in a moving target
Imran advises organizations to prepare, prepare all the time. But he quickly offers the caveat that it’s a balancing act. He says, “You want to be prepared but you don’t want to be scripted. Because if you’re scripted, that means you have a scenario in mind.”
This brings on the question: what happens if you don’t deal with that particular scenario? There can be a nuance of change. He tells his clients the cyberattacks are constantly changing. “It’s a dynamic risk, not static.” Again, he uses the comparison of a flood or a fire. “A flood is a flood and a fire is a fire, same story.” But there are so many variations of a cyberattack. He points out that a ransomware attack in 2025 is very different from what you would have seen in 2020 or 2015, so you need to have this planning in place. This is why tabletop exercises are recommended cyber simulations that are performed annually year after year. With staff turnover and a constantly evolving threat landscape, it’s essential to tune up.
For students of the Cyber & the Law program, Imran believes it’s an exciting time. “There’s a lot coming through; the sky’s the limit. Young people can literally shape and mold the industry with their contribution.”
Two things strike Imran about the program: One is the instructors; and the other is the students. These are instructors who have very good experience. Imran advises that students talk to instructors with a focus on gaining their insights. “The caliber of practitioners is fantastic,” he says. In combination with tremendous staff, he believes that the student selection at the Catalyst is exceptional. “These are not just students sitting and listening,” he says. “These are students who are actively participating and engaged.”
Imran’s perspective highlights how cybersecurity law has shifted from a niche concern to a core business issue. His approach — practical, adaptive, and grounded in collaboration — offers a clear view of what effective leadership in this space looks like. Imran has an optimistic outlook on the future of cyber and thinks the opportunity for young professionals is unmatched.
There are very few industries where, if you join and you contribute meaningfully at a very junior level, could you actually shape the industry and cyber?
