CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison




Gary Solway*
Bennett Jones LLP

The August release of the purported names and other details of over 35 million customers of Ashley Madison, an adulterous liaison website operated by a Toronto-based company, has once again brought home to Canada the risks of using computer networks to carry on business. The company's CEO has departed, and the company is reportedly involved in numerous class action lawsuits and regulatory and criminal investigations in Canada and the United States. According to purported e-mails of the company's former CEO, which were also leaked by the hackers, the hack occurred as the company was attempting to undertake an initial public offering in London, England, after other financing and sales efforts had failed. For the directors of the company whose tag line is "Life is short. Have an affair", the days are now (likely) very long.

The daily news reports of successful hacks of the computer networks of notable organizations such as the U.S. federal government, the Canada Revenue Agency and Sony Entertainment have made it abundantly clear that no network is safe. While hacking is an important cyber security issue, recent studies have found that most cyber security incidents are not produced by hackers. Rather, they are "inside jobs" arising from deliberate attacks by disgruntled former employees, or they arise from the carelessness or inadvertence of current employees.

The main takeaway for directors is that it is just a matter of time until an enterprise faces a cyber security incident. How well the enterprise responds to that incident will be determined to a large extent by how well it prepares. This article will examine the board's role in an enterprise's preparation for, monitoring of and response to cyber security incidents.

* Mr. Solway is Managing Partner of the Technology, Media and Entertainment Group at Bennett Jones LLP.
Preparation

Directors have a duty of care that applies to both "for profit" and "not for profit" enterprises in Ontario. The standard that directors must meet is "the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances."[1] Directors have unlimited personal liability. Consequently, directors who breach this duty of care have unlimited exposure.

The duty of care inherently requires that directors identify and manage the key risks facing the enterprise. Risks are commonly measured in terms of the potential for significant financial harm or physical damage, but the spectrum of risk also includes reputational risk, which does not have a precise financial cost. Cyber security is a major risk in terms of potential financial harm, physical damage and (especially) reputational damage. Cyber security is a business continuity issue, just like the risk of fire, and it needs to be treated in a similar fashion, with proper planning. The Ashley Madison hack is a very clear example of a business that is on fire (not in a good way).

Cyber security preparedness begins with board oversight and the "tone at the top." Directors need to be engaged in understanding the risk and how the enterprise is managing it. The board may delegate aspects of its oversight role to a board committee such as the audit or risk committee. In its publication Cyber-Risk Oversight,[2] the U.S.-based National Association of Corporate Directors ("NACD") identified the following five principles to define the director's role in cyber security.

[1] This standard is set out in the Canada Business Corporations Act, R.S.C. 1985, c. C-44 (s. 122(1)(b)), the Ontario Business Corporations Act, R.S.O. 1990, c. B.16 (s. 134(1)(b)) and the Canada Not-for-profit Corporations Act (s. 148(1)(b)). It will apply under Ontario's Not-for-profit Corporations Act (s. 43(1)(b)) when that Act becomes law (likely in 2016). The common law duty of care applies under current Ontario not-for-profit legislation.
[2] Director's Handbook Series 2014, National Association of Corporate Directors.

Principle 1: Directors need to understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue.

The director's role is an oversight role. The board needs to make sure all facets of the enterprise are involved. Cyber security is not solely an information technology ("IT") department issue; it involves many other issues. For example, if the enterprise needs to transact business online, the IT department needs to support those needs. It cannot simply say it is too dangerous. That process requires a dialogue between various departments within the enterprise so that business objectives and security objectives can both be satisfied as much as possible, based on the board's risk tolerance.

The board needs to supervise the development of policies and procedures that will apply across the enterprise. All aspects of the enterprise need to be involved in their development. For example, the development of a proper Cyber Incident Response Plan may involve the legal, financial, sales, marketing, communications, accounting and human resources aspects of the enterprise. The IT department will not be effective if it is isolated and left to its own devices. The board's role is to ensure that all relevant parts of the enterprise are involved and cooperating. All employees need to understand the importance of security and embrace it, because one weak link (e.g., a weak password) makes the entire enterprise vulnerable.

Principle 2: Directors should understand the legal implications of cyber risks as they relate to their enterprises' specific circumstances.

The board should have a basic understanding of: (a) what data the business has; (b) why it has it; (c) where it is stored; (d) who has access to it; and (e) how it can be accessed.
For certain types of information or certain industries (e.g., health or financial information), there may be applicable legislation that sets out special rules governing how that information is to be handled (e.g., geographic rules, encryption rules, disclosure rules). Cyber risks can be external (e.g., hackers, malware) or internal (employees). With respect to internal risks, the board should consider what information employees are entitled to access and why they have or need that access. It may also be desirable to keep certain information (such as the "crown jewels") offline altogether.

Principle 3: Boards should have adequate access to cyber security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.

Boards are entitled to rely on experts to help the directors fulfill their duty of care.[3] Directors are not expected to be experts on everything, but they are expected to inform themselves sufficiently to fulfill their oversight role. Boards (or board committees) conduct their work through meetings. Therefore, to fulfill the cyber oversight role, the board (or a committee) must meet to review these issues. Also, given directors' general lack of expertise regarding cyber security and technology, it may be helpful to recruit a director who is technology literate. If the board cannot or does not want to add a member with that expertise, it can consider having a technology consultant engaged by and reporting to the board to supplement its knowledge to the extent required.

Hewlett-Packard's Cyber Risk Report 2015[4] concludes that the threat landscape is still populated by "old problems and known issues." Most of these issues can be addressed. For example, some can be addressed simply by applying patches provided free of charge by the software developers. Consequently, it is important to involve experts who know how to identify and deal with these issues. The board does not want to be embarrassed by a cyber breach caused by "old problems and known issues." Mobile computing and the "Internet of Things" bring new challenges for the board to address. Expert advice is critical to assist the board in assessing the risk that the enterprise faces.

[3] Canada Business Corporations Act, s. 123(5); Business Corporations Act (Ontario), s. 135(4).
[4] HP Security Research, at 2.

Principle 4: Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

As noted, the board's role is an oversight role. Management, not the board, is responsible for developing and implementing the cyber security framework, including developing budgets, hiring and coordinating personnel (or third party service providers), and developing, implementing and monitoring policies, procedures and response plans. Management should report to the board regularly on cyber security so that the board is kept up to date at a high level. The board may determine that the enterprise does not have the appropriate personnel and systems and cannot afford them or does not want them. In that case, the board may decide to outsource cyber security. Outsourcing is acceptable, but the board needs to ensure that diligence is done on, and sufficient contractual commitments are made by, the third party providers.

Principle 5: Board and management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

The board should understand what risks the enterprise is taking on.[5] It may not be possible to address everything through security measures alone. Cyber insurance can help protect against deficiencies, although considerable expertise is required in procuring suitable cyber coverage (it is not a commodity, and not all programs are created equal).
[5] The board should have its directors' and officers' insurance policy reviewed to make sure there is no cyber exclusion. Even if the board has done nothing wrong, there could be defence costs if the enterprise does not have the money to indemnify.

The lawsuit against the directors of Wyndham Worldwide Corp.,[6] an international hotel chain, is an example of the exposure that directors face if they are perceived not to be fulfilling their duties to the enterprise. In that U.S. case, the Wyndham directors were sued by certain shareholders for failing to take steps to prevent recurring data breaches of hotel guest information. In its October 2014 decision, the Court concluded that the directors had fulfilled their duty of care. The Wyndham board's actions are a good example of what responsible boards should do. The board discussed cyber security issues at every quarterly board meeting (14 of them), the audit committee had investigated the breaches, and the company had, under the board's direction, hired a technology firm to recommend security enhancements and had begun to implement those enhancements. The Court was satisfied with the directors' efforts (although the U.S. Federal Trade Commission is continuing its own proceedings against Wyndham, initiated in 2012, challenging the adequacy of what the company has done).

The Wyndham case is a reminder that directors will want to ensure that they have appropriate indemnification agreements and directors' insurance in place so that they are protected from the defence costs and potential liability associated with any claims, whether or not the claims are meritorious. Part of that "insurance" may involve the identification of and ready access to a skilled communications expert, who may help to mitigate the reputational damage that often ensues in these cases.

[6] Palkon v. Holmes et al., No. 2:2014cv01234 (D.N.J. 2014).

Monitoring

Once the cyber security plan is completed, the board needs to ensure that it is properly implemented, functioning and updated. The board should be receiving reports of any problems, such as major cyber security incidents, elements of the plan that have not been implemented as planned, or problems in staff training. Cyber security should be a regular agenda item at board or committee meetings. Cyber security is not a one-time exercise; it is ongoing, because cyber security is evolving and the threat is constantly changing.

Response

A properly prepared cyber security plan will enable the enterprise to respond promptly. The plan will identify how to escalate an incident, including when to inform the board and what role the board will have in the response. There are many issues that need to be considered in a response plan, such as:

- How does the enterprise know that there has been a breach, and how serious it is?
- Who is on the crisis response team (internal and external)?
- Who is in charge of what when an incident occurs?
- How does the breach get fixed, if it is fixable?
- Who is responsible for informing the board, regulators, police, the public, employees, customers, suppliers and insurers?
- What information will be communicated to each group?
- Is there any required reporting under applicable law?
- What can be done to limit liability?
- What records need to be maintained for court or regulatory proceedings, and what will be protected by legal privilege?
- How should the investigation be conducted, and who should conduct it (internal versus external)?

Proper advance preparation is extremely important. There are a great number and variety of experts needed to respond to an incident, both internally and externally. They include the board, the CEO, the CFO, the CTO, the privacy officer, the risk manager, the human resources head, the internal communications team, heads of departments that use the network, third party service providers, internal and external legal advisors, external communications advisors, external cyber security consultants, external forensic investigators, insurance agents and insurers. The directors do not want the project team assembly exercise to start only after an incident has arisen. There is often no learning time available at the time of a breach, because there is frequently a need to act immediately. The enterprise needs a team that is up to speed and ready to go, not one busy chasing down contact numbers, clearing conflicts and sorting out retainer terms.

If no plan has been prepared that is suitable for the type of cyber breach that has occurred, the board will have an ad hoc role, if it is informed about the breach at all. If the board has not let management know that it wants to know about cyber breaches, the board may not be informed until actions have been taken that the board may not like.

A review of the numerous press releases issued by Ashley Madison in response to the hack highlights the myriad of issues and parties involved in responding to hacks of this sort. The website has attempted to fix the security lapse that allowed the hack, has hired experts to review and improve its security, and is cooperating with numerous police agencies in Canada and the U.S. in attempts to find and prosecute the hackers, including offering a $500,000 reward, while at the same time taking steps to assure its customers that the site is now safe, and using the international publicity from the incident to promote its business. The website has not disclosed whether it had a suitable cyber incident response plan in place prior to the hack. It first learned of the attack on July 12, but no announcement was made until the hackers posted their threats on a website on July 19, announcing that they were giving Ashley Madison a month to cease operations or face disclosure of customer information. It is not yet known when the directors were informed of the hack and what steps they took during the week of July 12 to avoid disclosure of the hack. Also unknown is what steps the directors took to avoid disclosure of the hacked information in the following month. Given the litigation now underway, it is likely that all those details will be revealed in the coming months and years.

Avoid Embarrassment or Worse

Cyber security is not just an IT issue to be left to the IT department. It involves the entire enterprise and can only be effectively implemented if it is handled seriously from the board level on down. Directors do not want to be in the embarrassing position of having to reveal that they did not know enough to ask any questions or take steps to supervise the implementation of appropriate cyber security measures. Nor do they want their enterprises to suffer the harm and the financial and reputational liabilities that can arise from failing to take simple steps to fix known issues or apply free security patches to safeguard the enterprise's information. Given their unlimited personal liability and their reputational exposure, directors should do what is necessary to ensure that they have fulfilled their duty of care to the enterprise. They should also have appropriate indemnities and liability insurance to protect them from the costs associated with claims that they failed to carry out their duties properly.