First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Occasional Contributors | 3 minute read | January 30, 2015

Risk management in a digital world – Addressing cyber-security threats at the board level

By Adam Kardash, Shawn Irving, Carly Fidler and Carey O’Connor
The role of the Board of Directors has necessarily adapted to include an increased focus on risk management. In our digital world, cyber-attacks are now a pervasive risk, and the perceived lack of board oversight has drawn scrutiny from consumers, regulators, legislators, litigants and the media.
News headlines in 2013 and 2014 underscore that the frequency and magnitude of cyber-attacks are greater than ever. Large-scale cyber-attacks have left corporate victims scrambling to remedy their financial and reputational injury. Over the past several months, a number of high-profile security breaches – including the release of millions of customers’ credit card numbers and email addresses – have appeared on the front pages of newspapers around the world. It is clear that this issue affects both private and public companies and can dramatically impact the integrity of the capital markets. The cost to remedy a cyber-attack can easily run into the millions of dollars, not to mention the reputational cost and threat of litigation, which are far more difficult to quantify.

Risk of class action litigation from cyber attacks

In Ontario, several class actions have been certified or partially certified, where the alleged wrong is premised on the collection and subsequent loss of customer information.
In Evans v. Bank of Nova Scotia, a bank employee provided his customers’ confidential information to his girlfriend, who used it to commit identity theft. The affected bank clients are now suing the employee and the bank.
In Condon v. Canada, the Ministry of Human Resources and Skills Development Canada lost a hard drive that contained the names, birthdays, addresses, student loan balances and SINs of 583,000 people. An action was commenced against the Ministry. Over the summer of 2014, the action was partially certified based on breach of contract and the tort of intrusion on seclusion.
These class proceedings are at an early stage, but they illustrate the litigation risk that accompanies the collection of electronic customer information.

Having third parties hold data does not immunize a company from risk

In the age of electronic commerce, it is not uncommon for third parties to hold information about a company’s clients. In 2013, the Canadian Securities Administrators announced that it was launching an investigation into the Investment Industry Regulatory Organization of Canada (IIROC) after one of its staff members lost a portable device containing information about investment dealer clients.
The confidential information pertained to IIROC member firms, but was possessed by IIROC. The IIROC example illustrates that companies are not immune to risk if their customer data is possessed by a third party. Indeed, providing information to a third party can increase the risk.

The risk to boards of directors

Despite the high-profile examples of the costly impact of cyber-security breaches, a survey issued in 2012 by Carnegie Mellon University CyLab suggests that many boards are not actively addressing cyber risk management, including insisting upon and reviewing security program assessments and policies, reviewing budgets, delegating responsibilities for privacy and security, and being informed regularly of breaches and new risks. Not only does this leave a company exposed, but it also leaves a board exposed to potential shareholder activism.
Boards can minimize their chance of crisis and reduce corporate and director exposure by overseeing the risk management process and ensuring their companies have a clear response plan in the event of a cyber-attack. In a recent speech on the topic, Luis A. Aguilar, a Commissioner of the U.S. Securities and Exchange Commission (SEC), outlined that Boards should, at a minimum, have a clear understanding of who has the primary responsibility for cyber-security risk oversight and ensuring the adequacy of the risk management practices. He also recommended the creation of a separate enterprise risk committee on the board, mandatory cyber-education and regular reporting to the board. Boards should also consider obtaining cyber insurance coverage. A company’s response after a breach of security is just as important as a preventative plan. Boards should ensure that management has a deliberate response plan consistent with best practices for the industry and the goals of the company.
Another key development is the move toward potentially enhanced disclosure requirements for cyber-security risks and practices. The Canadian Securities Administrators suggest that issuers should consider whether the cyber-security risks they face, any cyber-security incidents they may experience, and any controls they have in place to address these risks, are matters that need to be disclosed in a prospectus or a continuous disclosure filing. The SEC has made similar suggestions for U.S. public issuers.
As cyber-attacks become more frequent and more sophisticated, the need for a proactive strategy has never been more important. Directors should make themselves aware of their company’s policies for the protection of confidential information, and work to ensure that those policies follow the best practices in the industry. Directors and officers should also ensure that there is adequate liability insurance coverage in the event of a cyber-attack.
Republished with permission from Osler, Hoskin & Harcourt LLP

Occasional Contributors
In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.