Why directors and officers could face cyber breach lawsuits

It’s virtually impossible for business leaders to not know about the dangers of cyberattacks, as breaches regularly make headlines and cybersecurity earns a more prominent spot, on corporate agendas. Where companies may be in the dark, however, is the growing risk of personal liability for directors and officers following a cybersecurity breach.

While there are legal protections for directors and officers that shield or limit their liability, avenues do exist in Canada to pursue individuals for data breaches. With the ever-growing risk of cyberattacks, it becomes more likely a company’s financial performance and reputation will be affected. ^1,2  And that could put directors and officers in the hot seat.

Why might an individual be at risk as opposed to a company? As one Canadian law firm explains: “If a director or officer is seen to have failed in their duties to prevent a cyberattack, or more egregiously, has misrepresented the company’s position with regard to them, this could realistically lead to harm for a corporation which, in turn, opens boards and senior management up to a host of regulatory (e.g. commission enforcement) or secondary market (i.e. shareholder class action) liability.”

On the regulatory front, for example, data protection laws require companies to protect sensitive data and maintain certain cybersecurity standards. Failure to comply could result in monetary penalties and legal action against directors and officers. In addition, failure to comply with federal disclosure requirements following a breach could lead to secondary market liability.^3,4

Legal cases are already happening in the United States, where there are increasing attempts to hold directors and officers liable for the impacts of cyber incidents on companies and their shareholders. For example, in 2023, the U.S. Securities and Exchange Commission (SEC) charged software company SolarWinds and its Chief Information Security Officer (CISO) for fraud and internal control failures relating to a cyberattack. This marked the first time the SEC brought charges against a company’s CISO in connection with a cyberattack. While there have yet to be cybersecurity-related lawsuits against directors and officers in Canada, legal observers say that may not be the case forever, as laws may “continue to expand fiduciary and standard of care duties for senior management and boards.”^5,6

Preventing cyberattacks from becoming legal issues

With the ever-changing legal and cyber landscape, the pressure is on directors and officers to ensure their organization is protected from cyber threats, while ensuring they (as individuals) are protected.

To mitigate risks, directors and officers must first familiarize themselves with all regulatory guidelines to protect their company from cyberattacks, as well as potential legal and financial consequences of cyberattacks.^7,8

Aided by ongoing training and education, directors and officers are encouraged have a comprehensive understanding of evolving cybersecurity trends and threats and how their company would respond. Since many boards have knowledge gaps when it comes to cyber, companies can consider recruiting directors with professional cybersecurity and risk management experience.^9,10

As threats evolve, directors and officers are also advised to regularly update their organizations’ risk management frameworks to identify and manage new risks. In addition, they should review and practise their incident response plans (well-documented plans that cover how to detect, respond to, and recover from cyber incidents).¹¹

Another important piece in the cyber-protection puzzle is Directors & Officers (D&O) insurance. This type of insurance is designed to help protect individuals from personal losses stemming from lawsuits alleging a breach of duty. Sovereign Secure Pro, for example, offers comprehensive, competitive coverage designed to support the new and emerging risks to Canadian businesses. As cyber and legal risks become more complex, being prepared is an organization’s best defence.

Sources

^1,5 Pallett Valo LLP, “Not Just a Cyber Attack: Evolving Issues for Director and Officer Liability in the US and Canada,” April 2024

^2,11 Torys, “Director and officer liability for cybersecurity breaches in Canada and the U.S.,” Spring 2022

³ Baker McKenzie, “Penalties for Non-compliance,” Dec. 26, 2023

^4,7 Canadian Insurance Law, “Cyber Insurance and D&O Liability,” Sept. 3, 2019

^6,8 Forbes, “SEC Charges CISO With Fraud In Landmark Cybersecurity Case,” Nov. 16, 2023

⁹ Business Day, “The new face of Corporate Governance: Why boards need to prioritize cybersecurity training,” Oct. 25, 2023

¹⁰  CSO: “How much cybersecurity expertise does a board need?” Oct. 25, 2023