The topic of cybersecurity, understandably, causes a great deal of uncertainty on corporate boards.
Technology is fast-moving, ever-changing and seemingly impossible to stay ahead of. Furthermore, most board members have secured their seats because they have valuable years of experience and expertise in certain areas or industries. But cybersecurity is a subject very few people have experience in. One of the biggest challenges, even for some of Canada’s most sophisticated boards, is finding members who actually understand this stuff.
This lack of knowledge can lead board members to take a hands-off approach to issues such as customer privacy and data security. However, with Canada’s new mandatory data-breach notification requirement coming into effect, board members can no longer afford to be deferential. Post Nov. 1, the ramifications of a corporate breach will quickly travel all the way up to the board level.
The new requirement stipulates that organizations that experience a data breach must report the incident to the Privacy Commissioner of Canada, and notify affected individuals when there’s a “real risk of significant harm to the individual.” Considering that only 10 per cent of Canadian businesses affected by a cyberattack reported it to law-enforcement agencies last year, there will soon be substantially more high-profile hacking incidents in the news, potentially opening up organizations to increased litigation and regulatory investigations.
With lawyers and regulators involved, it becomes a question of diligence. As a board member, you will be asked what specific steps your organization took to protect your customers' information, so you’d better be prepared.
Step 1: Make it a risk-management exercise
The role of a board member is of course a strategic – not tactical – one. You’re relied upon to set your organization’s course and ensure the proper people are implementing the right strategy. For this reason, cybersecurity should be viewed as any other threat.
Sure, you may not have the best grasp on the landscape, but it’s not a question of understanding technology – it’s a question of risk management. In exercising your fiduciary obligation to the company you serve, you need to ask your security team to develop a detailed threat profile, allot the appropriate resources and funding so the necessary safeguards are in place, and monitor your team’s progress to make sure key milestones are achieved.
Step 2: Conduct a cybersecurity assessment
Has your organization completed a cyber checkup in the past six months? This is essential for establishing a baseline. Without knowing the current threat landscape, it's simply impossible for your security experts to recommend remedial action.
When the question of budget allocation comes before the board, you will have to decide if you’re investing enough in cybersecurity technology and training. In order to make an informed decision, you need up-to-date information to accurately assess risk.
Step 3: Update your cyber insurance policy
While your company may be doing all it can to prevent a cybersecurity breach, you still need a backstop to mitigate risk if and when disaster strikes. Emerging as a stand-alone offering in recent years, cyber insurance policies can cover the cost of legal and regulatory investigations, including litigation, as well as expenditures for public relations and digital forensics. Since breach preparedness is one of the key factors insurers consider when underwriting cyber insurance, it’s imperative for your organization to have a comprehensive, well-communicated incident-response plan in place.
Step 4: Revise your crisis-management plan
Cybersecurity breaches are about to become much more public than they were in the past. To protect your organization’s brand and maintain consumer trust, communications need to be front and centre in your crisis-management plan. Once a breach occurs, prompt and transparent communication is your only pathway to minimizing damage to your business, reducing potential claims from third parties and avoiding reputational harm.
As a board member, it’s important to understand that effective communication is about more than issuing a news release. Your communications strategy needs to be fully aligned with your IT-response plan to expedite a consistent and unified response to all stakeholders. Staging a cybersecurity crisis simulation will also help prepare your executives for the real thing, ensuring they respond appropriately, and in real time, should the worst occur.
Corporate boards have always served a valuable oversight role. In this critical and fast-changing area, Canadian businesses need their board members focused on cybersecurity.
Angela Carmichael is president of FleishmanHillard HighRoad and specializes in corporate reputation. Imran Ahmad is a partner at Blake, Cassels & Graydon LLP, where he specializes in the areas of cybersecurity, privacy and technology law.