Cybersecurity starts at the top – with strong governance

Directors and officers wear many hats, but one that’s exceedingly important is their role in identifying and mitigating cyber risks. According to PwC’s 2024 Global Digital Trust Insights survey (conducted May-June 2023), mitigating cyber risk is now second on the list of prioritized risks for business and tech executives, as the scale and cost of cyberattacks grow. The proportion of businesses that have experienced a data breach of more than US$1 million has increased significantly year over year – from 27% in the previous year’s report to 36%.¹

Alongside growing cybers risks, businesses are contending with a changing regulatory environment that puts directors and officers under heightened scrutiny. Bill C-26, which includes the Critical Cyber Systems Protection Act (CCSPA), proposes new cybersecurity requirements designed to protect services and systems deemed vital to Canada’s security or public safety, including banking, telecommunications, energy and transportation. Directors and officers can be held personally liable if they “directed, authorized, assented to, acquiesced in, or participated in the commission of a violation.” Any violation can result in a hefty monetary penalty – up to $1 million in the case of an individual and up to $15 million for designated operators. Contravention of specific provisions of CCSPA can also result in imprisonment.^2,3

While the proposed regulations start with Canada’s vital industries, directors and officers in any business who fail to implement adequate cybersecurity measures or respond appropriately to breaches could open the door to claims against them.

See: Why directors and officers could face cyber breach lawsuits

 With increased liability risks – along with the damage cyberattacks can inflict on a company – cybersecurity governance is more critical than ever. Described as “the backbone of an organization’s defense against cyber threats,” cybersecurity governance refers to the policies, processes and practices organizations implement to manage and protect their information systems and digital assets. Directors and officers must take the lead, establishing a structured framework to address risks, compliance requirements and the changing threat landscape.⁴

As with other governance matters, the starting point is in the boardroom. In a Harvard Business Review article, experts observe that cybersecurity discussions in board meetings typically cover threats and the actions or technologies the company is implementing to protect against them. Instead, the conversation needs to focus on resilience. Board members should focus on the biggest risks to cyber resilience (from financial to technological to organizational to supply chain) and how to quickly respond and recover should that situation happen.^5,6

The makeup of the board of directors itself may need to evolve. A lack of depth in cyber expertise can prevent directors from leading meaningful discussions about risks, which ultimately impacts governance and accountability.⁷

Organizations are advised to either educate their board members in cybersecurity and risk management or look to recruit directors with relevant experience in this field. As one risk consultant advises: “When assessing candidates, ensure they can communicate multifaceted cyber issues at a board level, as this will be critical to holding the entire management team accountable for the cyber strategy…. The board’s cyber experts should also ensure that all cyber-related materials and resources are regularly updated so that all members can stay informed about the organization’s cyber strategy.”⁸

For many organizations, the evolving risk environment may also necessitate a new role in the C-suite: Chief Information Security Officer (CISO). According to a Harvard Law School article, having a dedicated CISO, which is separate and distinct from the Chief Information Officer (CIO) role, has become increasingly important. “The office of the CISO may have traditionally been seen as an IT function, but the far-reaching implications of a cybersecurity incident mean that cybersecurity must be considered a business risk,” the article states. With oversight responsibility increasingly at the board level, “the modern CISO needs to be able to communicate dynamic and fast-changing cyber risks in terms that resonate with both the business and the board.” ⁹

Just as companies evaluate their cybersecurity measures to see where they’re protected and where gaps exist, they should assess their insurance coverage. Directors & Officers (D&O) insurance can provide individuals protection against personality liability in the event of a cyber-related incident. What’s more, having proper D&O coverage can help attract and retain directors and officers, knowing they can confidently lead and make decisions without fear of personal financial loss.¹⁰

With comprehensive coverage and governance in place, organizations can stay one step ahead of the evolving cyber and regulatory landscape, ensuring their business and their people are protected.

Sources

¹ PwC, “The C-suite playbook: Putting security at the epicenter of innovation”

² Government of Canada, “Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts”

³ Cox & Palmer, “Bill C-26: New Cyber Security Obligations for Canadian Businesses Vital to National Security and Public Safety,” Sept. 12, 2022

⁴ Safety Culture, “Understanding the Essence of Cybersecurity Governance to Organizations,” Feb. 25, 2024

⁵ Harvard Business Review, “Boards Are Having the Wrong Conversations About Cybersecurity,” May 2, 2023

⁶ MIT News, “Now corporate boards have responsibility for cybersecurity, too,” April 29, 2024

⁷ CSO, “How much cybersecurity expertise does a board need?” Oct. 23, 2023

⁸ Directors & Boards, “Strengthening Cybersecurity Governance Amid New Regulations,” Nov. 10, 2023

⁹ Harvard Law School Forum on Corporate Governance, “Building Effective Cybersecurity Governance,” Nov. 10, 2022

¹⁰ HRO, “D&O Insurance: Its Role in Recruiting Independent Board Members”