Chief Information Security Officers (“CISO”) grapple with significant risks and pressure on a day-to-day basis. This pressure increases greatly during times of crisis, which historically have meant data breaches. When a breach happens, the CISO becomes the commander-in-chief of an army dedicated to identifying, containing and remediating the breach. However, recent weeks have given us another example of a crisis that can be extremely demanding on information security professionals.
The COVID-19 pandemic is first and foremost a human tragedy, but technology is on the front lines of this crisis. Organizations worldwide had to fast-forward the adoption of digital technologies, implement work-from-home policies and protect essential IT infrastructures in a time when resources are already scarce.
Tech organizations also have a heavy burden as they adapt their operations to increased user traffic and new uses that are being made of their technologies. Zoom, for instance, a B2B teleconferencing platform, evolved, within mere days, past B2B and into the B2C space and became the default communication medium for all groups throughout the world. Looking further, students and workers are using many collaboration and digital tools to continue their work, while others are spending their free time online shopping, reading, chatting, playing and streaming content. All these behaviors put immense stress on cybersecurity controls and operations.
As companies around the world grapple with the implications of the pandemic, all the while trying to survive, CISOs are playing a central role in steering their organizations through the crisis, and they’re not alone in this battle. Data Protection Officers, Chief Information Officers, Boards of Directors and other executives with information security responsibilities are also being deployed in the decision-making process. Many of these executives have reached out to us to gain an understanding of their liabilities for their cybersecurity decisions during COVID-19. Our observations reveal that even during normal affairs, these liabilities are not always understood.
In this first article for Cyber Business Review, we decided to begin with two essential questions:
What liability can directors and officers engage in for their decisions regarding information security?
Can performing risk management activities for information security increase directors’ and officers’ liabilities, and if so, what can be done about it?
A quick overview of board governance literature suggests that cybersecurity risks should be treated differently from other risks facing the organization. In practice, however, this suggestion fails to stand its ground. Boards have long been tasked with protecting their companies from various risks, including cybersecurity risks. Effective oversight of cybersecurity risks can help companies and directors avoid incurring significant damages while successfully mitigating the damages that are inherent to cybersecurity breaches.
As a starting point, directors are governed by the Canada Business Corporations Act (“CBCA”) or equivalent provincial legislation. Under most of these statutes, the general duties of directors and officers are to act honestly and in good faith, and to exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances. We refer to these as the “fiduciary duty” and the “duty of care”.
These duties beg the question: Who owns management of the cybersecurity risk at the board and management levels? Of course, not all executives are directors. As we know, boards have been reluctant to have CISOs sitting directly at the table. However, executives are empowered to exercise their roles and responsibilities by delegation from the board of directors. As a result, they must carry out their tasks with the same diligence, but they may not bear the same liability. This is often enforced through employment agreements. We’ll see that executives do not have the same liability, but would be wise to cover themselves.
So, if the CISO does not own management of cybersecurity risk at the board, who does?
In a nutshell, CEOs are responsible for reporting to the board on any risks facing an organization. I often hear of CEOs referring such questions to other executives, such as CISOs. It’s important to understand that having an expert readily available does not discharge the CEO from his roles and responsibilities to oversee and understand the risks facing the organization at large. Once the CEO reports to the board, all board members are responsible for determining whether a risk is accepted, avoided or mitigated.
Such decisions must be consistent with the allocation of adequate resources. Indeed, requiring an organization to mitigate risks without allocating the resources to do so may be considered a breach of the general duties of board members. The general duties should guide directors’ analysis and decision making at all times, just as they apply to financial systems and controls through the Enterprise Risk Management (ERM) framework typically used for finances. There is no reason to depart from this approach when managing cybersecurity risks.
In order to carry out risk management in the financial sector, boards of directors rely heavily on internal and external audits as well as policies and procedures. These are used to inform directors so that they can make appropriate decisions given their duties. Again, this applies to managing cybersecurity risks. The same types of controls are required: boards of directors should ensure they have access to vulnerability assessments, intrusion testing, internal audit results, certifications and similar mechanisms to support their decisions.
This brings us to another key consideration for executives: information security professionals do not benefit from professional privilege over their activities. In Canada, there are two types of privilege associated with the legal profession that may be helpful: attorney-client privilege over legal advice, and litigation privilege. Each is subject to its own conditions and modalities of application. Generally speaking, the board should establish a legal privilege strategy for protecting its cyber risk management activities, including those required to respond to data breaches. Keep in mind, however, that none of these privileges is absolute in practice, and we have seen a number of legal cases where the defendant was forced to hand over forensic reports and other evidence relating to a data breach.
This means that managing cybersecurity risks is a requirement for protecting against liability, but it can also lead to more liability if the board does not act promptly and in accordance with its general duties whenever risk management activities identify a vulnerability. Failure to do so may produce evidence supporting an allegation of breach of the fiduciary duty and the duty of care.
So, do directors always have to make the best decision? No. The decision must be a reasonable business decision in light of all the circumstances that were known, or should have been known, which brings us back to the need to perform risk management activities.
In other words, perfection is the enemy of good. The board is not held to the standard of making perfect decisions in cybersecurity. The court looks to see that the directors made a reasonable decision, not a perfect decision. Provided the decision taken is within a range of reasonableness, the court ought not to substitute its opinion for that of the board even though subsequent events may have cast doubt on the board’s determination.
As long as the directors have…