While until quite recently the security of information technology infrastructures was dealt with by a corporate IT team, today every organization knows that cyber threats constitute a major risk that senior management must monitor closely.

Cybersecurity issues go beyond the realm of technology. They now impact the way enterprises operate, make decisions, plan for the future and shape their strategic vision. It must be borne in mind that threats of this nature are legion: they come from organized crime and activist movements, from corporate insiders, and from outside hackers acting alone or in groups, often for financial gain but sometimes with no motivation other than being disruptive. These individuals are often acting outside the territorial jurisdiction of the targeted enterprise.

In addition to senior management, the members of an organization's board of directors must take concrete steps to attempt to counter major risks of this kind that could impact the organization. They too must therefore be fully up to speed on the economic, operational, reputational and legal issues involved.[1] And while many boards of directors have lawyers, accountants or human resources specialists as members, very few have directors who are specialists in IT and/or cybersecurity.

It is thus essential that directors acquire a basic mastery of the key elements associated with cybersecurity:

  1. their organization's IT assets;[2]
  2. information governance procedures;
  3. the internal allocation of responsibilities for applying cybersecurity measures;
  4. the broad outlines of the technological architecture (internal and cloud-based application infrastructures and environments, service providers involved) and the types of portable equipment;
  5. the legal environment, including obligations to maintain the confidentiality, integrity and accessibility/availability of data.[3]

Governance procedures relating to cybersecurity issues can be broken down into four categories that must be closely scrutinized by directors:

  1. the corporate technological structure, including the protective measures in place;
  2. how information is managed, i.e. what is stored, where, for how long, who has access to it, the degree of sensitivity of certain information, level of risk tolerance, etc.;
  3. availability and frequency of training programs for employees and managers;
  4. cybersecurity governance policies, programs or other internal regulations.

Because of the increasingly elevated risks associated with cybersecurity, it is highly recommended to obtain an external opinion on all of these aspects, in order to ensure that the organization has an adequate cybersecurity system in place, including a monitoring function to identify threats and vulnerabilities and to gauge the evolution of security tools and mechanisms. Merely installing a security system whose effectiveness has not been determined or adapted to the organization's needs could be perceived as a lack of diligence on the part of directors who would not have shown sufficient concern for existing risks. Such diligence and concern are necessary not only because the degree of risk can vary significantly from one organization to the next, but also because technological change is occurring at an extremely fast pace, requiring constant vigilance. Among these risks are the loss or theft of data, inability to access data, potential business interruption, alteration or destruction of data, disclosure or publication of private data, as well as the risk of ensuing lawsuits or penal sanctions – not to mention reputational damage and loss of market share.[4]

In the same vein, it is essential that the board of directors be fully aware of existing incident-management measures and ensure that they are tested through regular audits that take into account the rapidity of technological developments and the evolution of the cyber-environment and applicable laws and regulations.

Once the board of directors has identified and fully understood the potential risks, the directors have the obligation to define their expectations regarding the appropriate measures to put in place in order to respond to their concerns. Clear and well-defined policies reflecting these expectations must be implemented and followed. In certain cases, sanctions for not doing so should also be provided for.

In conclusion, while cyber-risks are now of near-universal concern, boards of directors in particular must ensure that they have the necessary competencies and relevant information to help their organizations counter them. If your board does not include directors who are experts in this area, you should seriously consider consulting external experts. You should also note that the authors of this article offer training sessions that can be tailored to the specific needs of the groups they are addressing, be they the organization's directors and officers or some or all of its employees.

Footnotes

[1] In the event that the directors fail to discharge their obligation to ensure that appropriate measures are implemented to prevent cyber-risks, they may be found personally liable not only under the rules of civil law, but also under section 122 of the Canada Business Corporations Act, R.S.C. (1985), c. C-44, section 119 of Quebec's Business Corporations Act, CQLR, c. S-31.1, articles 321 and following of the Civil Code of Québec, CQLR, c. CCQ-1991 dealing with the fiduciary obligations of directors, or more specifically, section 93 of the Act respecting the protection of personal information in the private sector, CQLR, c. P-39-1.

[2] These include intellectual property, trade secrets, operational data and various personal information.

[3] The legal framework for managing data includes several legislative provisions, both provincial and federal, such as sections 10, 17 and 20 of the Act respecting the protection of personal information in the private sector, CQLR, c. P-39-1; sections 31 and 52 of the Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act [also known as "Canada's Anti-Spam Legislation" or "CASL"]; sections 6, 19, 25, 26 and 34 of the Act to establish a legal framework for information technology, CQLR, c. C-1.1; sections 53, 63.1, 67.2 and 70.1 of the Act respecting access to documents held by public bodies and the protection of personal information, CQLR, c. A-2.1; and sections 3, 4.1.3 and 4.7.1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5. To these may be added the applicable statutes and regulations of other countries with which the enterprise may have business relationships.

[4] By way of example, one needs to think only of the damages suffered due to the loss or theft of customers' personal information by organizations such as Target, Ashley Madison and Equifax, or the hacking of the Democratic Party's computer system during the 2016 American presidential election campaign.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.