Communications between board members and management are clearly highly sensitive, as they contain valuable financial and forward-looking information about the company. For this reason, board members and C-suite executives are high-value targets for cyber-attacks, as is the board portal software they use to communicate and steer board meetings. In addition, directors must be strong advocates for cyber security within their organisations, since it has grown from being the responsibility of the IT department to a company-wide risk management consideration.
According to the Canadian Survey of Cyber Security and Cybercrime conducted for Public Safety Canada, one in five Canadian businesses suffered a digital security breach in 2017. Of those, 41% were large businesses, and 47% were financial institutions.
The data from the survey illustrates specific incidents which can directly impact boards:
- 26% of incidents were carried out to gain access to unauthorized or privileged areas
- 23% of incidents were carried out to steal personal or financial information
- 5% of incidents were carried out to steal or manipulate intellectual property or business data
Because of the high level of access most board members have to sensitive company data, it is imperative that they safeguard their own communications and steer discussions on improving cyber security within the company.
High-Profile Canadian Corporate Cyber Breaches in 2018
There were a number of high-profile breaches of large Canadian companies in 2018, including the BMO/CIBC joint venture Simplii Financial. In May, Simplii warned that 40,000 of its customers may have had personal account data breached. In August, Air Canada’s mobile app was hacked, and personal data from 20,000 travelers, including sensitive information such as passport numbers, was potentially stolen. The board has a critical role to play in ensuring that management has both precautionary measures in place to protect against cyber-attacks and a plan to handle breaches if and when they occur.
As of November 1, 2018, Canadian businesses are being held accountable for privacy breaches under the Personal Information Protection and Electronic Documents Act (PIPEDA). Since this change, safeguarding personal data has become a risk management issue for corporations. From a fiduciary standpoint, public companies in Canada must disclose cyber security risks and incidents in their public filings.
PIPEDA isn’t the only regulation Canadian boards need to be concerned with. The General Data Protection Regulation (GDPR) is a European Union regulation that imposes hefty fines on any company, even one outside the EU such as in Canada, that breaches the privacy of EU citizens. If proper cyber security measures are put in place, the risks that these federal and international regulations present to the company can be managed effectively.
Rahul Bhardwaj, president and CEO of the Institute of Corporate Directors (ICD), agrees that dealing with cyber security and its associated risks is now a board member’s responsibility. “Cyber security risk has become prominent in the minds of directors more than ever before. Incidents such as the Cambridge Analytica and Equifax security breaches helped to increase awareness.”
Education is Key to Understanding Cyber Security
Unless a board member is a cyber security professional themselves, they will likely need to receive training on cyber security. The Institute of Corporate Directors will be offering the course The Digital Director: Cyber security and Social Media for Directors in February and May 2019 in Toronto, Montreal, and Vancouver. You can register and find out more details on the ICD website.
Chartered Professional Accountants Canada (CPA Canada) also put together a Board Bulletin with useful questions for board directors to ask management about the company’s cyber security capabilities and strategy.
Choosing a Secure Board Portal
Board portal software transmits and stores some of your most sensitive company data. As such, you must choose a solution that has specific built-in security measures against cyber-attacks and that safeguards data in accordance with PIPEDA and the GDPR. DiliTrust Exec is one such solution, with many security features, including 256-bit one-way (unidirectional) encrypted passwords that go above and beyond industry best practices, ISO-27001 certification for data safety practices, and independent security audits and penetration testing. It also complies with all regulations governing Canadian data or data stored in Canada, including PIPEDA and the European Union General Data Protection Regulation (GDPR).
Additionally, all data for Canadian DiliTrust Exec clients is stored solely within Canada in Canadian data centers, which is a requirement for data storage under some provincial and federal rules for healthcare and government organizations.