Norton Rose Fulbright lawyers discuss critical strategies to protect the organization
With cyber threats – ranging from crypto-jacking to ransomware – on the rise across all industries and geographies, cybersecurity is a pressing concern for Canadian board directors and legal departments alike.
Speakers addressed the role of boards in effectively managing cybersecurity risks during the 2023 Technology, Privacy and Cybersecurity Summit, hosted by Norton Rose Fulbright Canada LLP last week.
“The board’s responsibility is to oversee and also to promote cybersecurity policies and strategies, and it’s also to manage cybersecurity risk,” said Olga Farman, managing partner at the Québec Office of Norton Rose Fulbright. The board must ensure that an effective cybersecurity plan is in place, and that the plan is updated regularly, she added.
“Cybersecurity policies must align with the risk appetite of the company and its board,” said Farman. “The board needs to support the company’s response, not only on a legal basis, but on an operational level as well.” She noted that board members should be mindful of the fact that they can be personally liable in the event of a cybersecurity incident, under certain data protection laws.
Cyber knowledge within the board should enable members to understand and discuss cyber risks with management and cyber experts, according to John Cassell, partner, Canadian co-head of information governance, privacy and cybersecurity at the Calgary office of Norton Rose Fulbright. They should be knowledgeable about cybersecurity risks within their industry, and specifically within their own organization, Cassell said. While it is not required for board members to be cybersecurity experts, they should at least have a general understanding of the risks and how these risks may impact the organization.
“Board members often invite external presenters to present on specific cyber topics that may include law enforcement, forensic firms, and other specialized cyber experts who can present on a particular topic with the aim of building the board’s knowledge base,” said Cassell. He also recommended having the cybersecurity committee or audit committee reporting at least quarterly to the board with a detailed and robust report.
Marc Lafrance, VP technological risks at Caisse de dépôt et placement du Québec, commented that it can be beneficial for boards to maintain ongoing certifications to make sure they have the proper controls in place.
“It brings value because it’s a benchmark against industry standards to make sure that everything has been done,” said Lafrance. Boards also need to have a dashboard on cyber, setting out key risks and metrics, to ascertain the current level of threat, and the anticipated threat three months down the road, he added. This will allow them to keep tabs on major projects and initiatives to help reduce risk.
“While cyber risks are relatively new, the board should really understand and manage them as it does for more traditional risks,” said Cassell. This includes building a cyber knowledge base to prioritize risks and then ensuring that those risks are managed effectively. Cybersecurity board reports should also include a multi-year strategic plan, as well as a breakdown of cybersecurity resource allocation, Cassell noted.
Understanding the key risks of the organization is critical. “Efforts should be put into preventing and detecting threats from a technical perspective and tested regularly. It can’t simply be left in the hands of the IT department,” said Cassell. A cyber incident response plan is another effective way that management can oversee cybersecurity risks, he added.
Session moderator Imran Ahmad, partner, head of technology and co-head of information governance, privacy and cybersecurity at Norton Rose Fulbright Canada, told delegates that flexibility is a key message when it comes to building a cybersecurity response plan.
“Any organization that has a board that’s operating in the critical infrastructure space – with Bill C-26 that was introduced – will have significant compliance requirements, both before and post incident,” said Ahmad.
Farman recommended that boards hold a session outside of the board meeting with the officer in charge of cybersecurity or with external consultants to discuss the key risk areas of the organization. A quick update during the meeting is insufficient for this matter, Farman said.
Organizations should have a plan in place regarding the best time to notify the board of a cyber incident, depending on the type and severity of the incident, Cassell said.
“For example, if an incident impacts the company’s finances, or there’s a leak in the media, there would be a plan that the board would be notified right away,” said Cassell. The cyber incident response plan should also indicate who is responsible for notifying the board, he added.
“Preparation matters,” concluded Ahmad. “When the board surrounds itself with the right advisors and experts and data points and information that they need, they can do a really good assessment of the situational risks to the organization, to then quantify the risks and address them.”