Client Login SPARK! Newsletter
logo
Cybersecurity: Why Director Involvement is So Important

Republished with permission from AUM Law.

Given the number of financial service firms that hold, and work with, confidential information obtained from their clients, the threat of a cybersecurity breach has been in the spotlight as an ongoing business risk throughout 2017. As directors seek ways to address this risk, they should be mindful of CSA Staff Notice 33-321 released in October 2017 by the Canadian Securities Administrators which provides guidance in this area (summarized in AUM law's November Issue of their Bulletin). Directors should also be mindful of one of the leading privacy law cases: Townsend v. Sun Life Financial (“Townsend”) which discusses a firm’s obligations regarding the protection of private and confidential information.

In Townsend, the plaintiff alleged that Sun Life failed to safeguard his personal information by accidentally sending information to a third party and mailing certain letters to incorrect addresses. The Federal Court did not award any damages to the plaintiff and found that: (a) the breach was relatively minor; and (b) “Sun Life had a detailed protocol [for dealing with private information] before the occurrence of what can only be considered human error” and “Nobody should be held to a standard of perfection”.

The Court’s finding in (b) above is significant because it suggests that taking reasonable measures to protect private information may lessen or absolve culpability in the event of a data breach (including a cybersecurity incident) at a firm. Reasonable measures may include using certain cybersecurity measures that are currently being used by the financial services industry, including:

  • The National Institute of Standards of Technology Cybersecurity Framework
  • The 10 principals of Cyber Resilience from a report issued by the World Economic Forum entitled “Advancing Cyber Resilience Principles and Tools for Boards”
  • The IIROC Cybersecurity Best Practices Guide

Although AUM Law recommends that you speak to your usual lawyer at AUM Law to discuss what measures makes sense for your firm, a common thread on all cybersecurity standards that we have seen is that directors are required to play an integral part of the management process and be active in the oversight of cybersecurity risk. In short, cybersecurity is not an IT department problem and those firms that delegate the management of their cybersecurity risk to their “tech people” may be seen to fall short of the “reasonable measures” expectation described above.

Director involvement requires that firms maintain and document proof that they have reviewed and promoted their cybersecurity policies, and that they have the technical proficiency to understand the policies and/or they have consulted experts that can explain it to them. After a cybersecurity policy is created, directors must still ensure that they are actively reviewing the policy and asking questions of their experts to ensure that their policy remains effective and current.

There are a number of ways to show director involvement in your firm’s cybersecurity framework. AUM Law advises that you speak to your usual AUM Lawyer if you have any questions.

The information contained in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Accordingly, the information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal, or other competent advisers. While we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. Again, no one should act upon any information contained herein without seeking appropriate professional advice after a thorough examination of their particular situation.
Related Content
More articles