Cybersecurity Is Also a Question of Governance
While until quite recently the security of information technology infrastructures was dealt with by a corporate IT team, today every organization knows that cyber threats constitute a major risk that senior management must monitor closely.
Cybersecurity issues go beyond the realm of technology. They now impact the way enterprises operate, make decisions, plan for the future and shape their strategic vision. It must be borne in mind that threats of this nature are legion, whether they come from organized crime, activist movements, corporate insiders, or outside hackers acting alone or in groups, often for financial gain but sometimes with no particular motivation other than being disruptive. These individuals are often acting outside the territorial jurisdiction of the targeted enterprise.
In addition to senior management, the members of an organization’s board of directors must take concrete steps to counter major risks of this kind that could impact the organization. They too must therefore be fully up to speed on the economic, operational, reputational and legal issues involved.1 And while many boards of directors have lawyers, accountants or human resources specialists as members, very few have directors who are specialists in IT and/or cybersecurity.
It is thus essential that directors acquire a basic mastery of the key elements associated with cybersecurity:
i) their organization’s IT assets;2
ii) information governance procedures;
iii) the internal allocation of responsibilities for applying cybersecurity measures;
iv) the broad outlines of the technological architecture (internal and cloud-based application infrastructures and environments, service providers involved) and the types of portable equipment;
v) the legal environment, including obligations to maintain the confidentiality, integrity and accessibility/availability of data.3
Governance procedures relating to cybersecurity issues can be broken down into four categories that must be closely scrutinized by directors:
i) the corporate technological structure, including the protective measures in place;
ii) how information is managed, i.e. what is stored, where, for how long, who has access to it, the degree of sensitivity of certain information, level of risk tolerance, etc.;
iii) availability and frequency of training programs for employees and managers;
iv) cybersecurity governance policies, programs or other internal regulations.
Because of the increasingly elevated risks associated with cybersecurity, it is highly recommended to obtain an external opinion on all of these aspects, in order to ensure that the organization has an adequate cybersecurity system in place, including a monitoring function to identify threats and vulnerabilities and to gauge the evolution of security tools and mechanisms. Merely installing a security system whose effectiveness has not been assessed or adapted to the organization’s needs could be perceived as a lack of diligence on the part of directors who were not sufficiently concerned about existing risks. Such diligence and concern are necessary not only because the degree of risk can vary significantly from one organization to the next, but also because technological change is occurring at an extremely fast pace, requiring constant vigilance. Among these risks are the loss or theft of data, inability to access data, potential business interruption, alteration or destruction of data, disclosure or publication of private data, as well as the ensuing risk of lawsuits or penal sanctions – not to mention reputational damage and loss of market share.4
In the same vein, it is essential that the board of directors be fully aware of existing incident-management measures and ensure that they are tested through regular audits that take into account the rapidity of technological developments and the evolution of the cyber-environment and applicable laws and regulations.
Once the board of directors has identified and fully understood the potential risks, the directors have the obligation to define their expectations regarding the appropriate measures to put in place in order to respond to their concerns. Clear and well-defined policies reflecting these expectations must be implemented and followed. In certain cases, sanctions for not doing so should also be provided for.
In conclusion, while cyber-risks are now of near universal concern, boards of directors in particular must ensure that they have the necessary competencies and relevant information to help their organizations counter them. And if your board does not include directors who are experts in this area, you should seriously consider consulting external experts. You should also note that the authors of this article offer training sessions that can be tailored to the specific needs of the groups they are addressing, be they the organization’s directors and officers or some or all of its employees.
Danielle Ferron, Ad. E., is a partner at Langlois lawyers specializing in civil and commercial litigation, an area she has worked in for over 25 years. She has special expertise in matters involving fraud, theft of trade secrets, signal piracy and cyber-crimes. In addition to being co-author of a treatise on injunctions, Anton Piller, Mareva and Norwich orders, extraordinary remedies that are very useful in matters involving fraud and cyber-crime, she is a lecturer at the Université de Montréal on investigations pursuant to civil law. In addition, her professional career path and experience as member of various boards of directors and governance committees have made her a trusted advisor on corporate governance. In addition to being co-chair of the board of directors of Langlois lawyers and a member of its executive committee, Danielle also sits on the board of La Financière agricole du Québec and on its governance, ethics, and human and information resources committee. She is also a member of the board of directors and corporate secretary of the Fondation Marie-Vincent and sits on its governance committee. Previously Danielle served for ten years on the board of directors of the Association of Quebec Women in Finance, and for several of those years was vice-chair of its executive committee.
Tommy Tremblay is a partner at Langlois lawyers. His practice encompasses every aspect of commercial litigation but is focussed more specifically on the business governance sector (in particular, on matters related to directors’ and officers’ liability), competition law, securities and white-collar defence, including administrative investigations and interactions with regulatory agencies on these matters. Tommy advises directors and officers regarding ethical corporate governance practices, specifically with respect to their duties and obligations towards various groups impacted by their decisions (shareholders, creditors, employees) and the obligations imposed on them by law. Tommy also helps develop compliance programs that make it possible for companies to verify whether their employees and management are respecting statutory rules and exercising due diligence in regards to their organization’s activities. He frequently assists clients in connection with investigations led by regulatory agencies and helps to set up internal investigation protocols. Tommy has for several years acted as a trainer in the university certification program in corporate governance offered by the Collège des administrateurs de sociétés. He sits on the Executive Committee of the Canadian Bar Association – Québec Branch as Treasurer and is the Chair of the National Executive Committee of the CBA’s Business Law Section for the year 2018-2019. He also serves as president and director of the not-for-profit organization Avenir Parc La Fontaine.
Jean-François De Rico is a partner at Langlois lawyers, where he sits on the firm’s board of directors and executive committee. He specializes in information technology and intellectual property law, as well as the protection of personal information, and commercial litigation. He represents and advises SMBs, software editors and systems integrators, telecommunications companies, financial institutions and public bodies in connection with the development of software applications, the integration of solutions, the outsourcing of IT services, systems migration, the procurement of IT services and equipment, and digital transformation. He also advises on governance and regulatory compliance, the negotiation and drafting of contracts and the development of organizational policies and security-incident management protocols. Jean-François is a sought-after conference speaker on a variety of topics related to the legal framework for information technologies, the protection of personal information, and cybersecurity. He is also a member of Lexing, the first international network of lawyers dedicated to technology law, and collaborates regularly with its members.
1 In the event that the directors fail to discharge their obligation to ensure that appropriate measures are implemented to prevent cyber-risks, they may be found personally liable under not only the rules of civil law, but also under section 122 of the Canada Business Corporations Act, R.S.C. (1985), c. C-44, section 119 of Quebec’s Business Corporations Act, CQLR, c. S-31.1, articles 321 and following of the Civil Code of Québec, CQLR, c. CCQ-1991 dealing with the fiduciary obligations of directors, or more specifically, section 93 of the Act respecting the protection of personal information in the private sector, CQLR, c. P-39-1.
2 These include intellectual property, trade secrets, operational data and various personal information.
3 The legal framework for managing data includes several legislative provisions, both provincial and federal, such as sections 10, 17 and 20 of the Act respecting the protection of personal information in the private sector, CQLR, c. P-39-1; sections 31 and 52 of the Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act [also known as “Canada’s Anti-Spam Legislation” or “CASL”]; sections 6, 19, 25, 26 and 34 of the Act to establish a legal framework for information technology, CQLR, c. C-1.1; sections 53, 63.1, 67.2 and 70.1 of the Act respecting access to documents held by public bodies and the protection of personal information, CQLR, c. A-2.1; and sections 3, 4.1.3 and 4.7.1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5. To these may be added the applicable statutes and regulations of other countries with which the enterprise may have business relationships.
4 By way of example, one needs to think only of the damages suffered due to the loss or theft of customers’ personal information by organizations such as Target, Ashley Madison and Equifax, or the hacking of the Democratic Party’s computer system during the 2016 American presidential election campaign.