Page 14 - CCCA61_2012
Corporate Governance

Cyber attack! How to handle the latest compliance challenge.

By Duncan Card

Cyber security preparedness and monitoring is one of the most serious issues to recently emerge in the fast-changing landscape of corporate governance. The increasing dependence of business on internet-based communications and online computing resources and the adoption of web-enabled intelligent infrastructure are heightening the risk of cyber theft, sabotage, espionage, and even cyber attack, creating more headaches for those charged with corporate governance and compliance duties.

Last October, the U.S. Securities & Exchange Commission (SEC) elevated the issue of cyber security to a matter of corporate compliance for publicly traded corporations in the United States. And although the SEC’s guidance for disclosing cyber security risks and incidents is not a mandatory regulatory requirement, it signals that corporate governance officers and corporate counsel on both sides of the border should add cyber security legal duties analysis, preparedness, monitoring and possible reporting to their list of compliance undertakings.

In the public sector, both the U.S. and Canada have moved quickly to identify the cyber security of government and corporate infrastructure as matters of both governance and national security concern. In 2009, the U.S. Secretary of Defense directed the Commander of U.S. Strategic Command to establish The United States Cyber Command; by 2010, the National Cyber Security Division of Homeland Security had a fully matured mandate to co-ordinate public, private and international entities to secure both U.S. cyberspace and “America’s cyber assets” (www.dhs.gov/xabout/structure/editorial_0839.shtm). Public Safety Canada has established the Canadian Cyber Incident Response Centre (CCIRC, www.publicsafety.gc.ca/prg/em/ccirc/index-eng.aspx) and published Canada's “Cyber Security Strategy” as part of Canada's National Strategy and Action Plan for Critical Infrastructure.

In the private sector, increasing duties of personal information protection, rising domestic and international corporate espionage, and fears of direct attacks against corporate IT systems have put the spotlight on cyber security governance. Since 2006, dozens of cyber security attacks have been publicly reported, including the 2011 data breaches at both Sony’s Playstation Network and Citigroup’s unauthorized access into 200,000 customer accounts. These reported cyber attacks are widely considered to be only the tip of a very large and unpublicized “cyber security breach iceberg.”

Recently, the SEC decided to make the common law duty of governance supervision over cyber security preparedness, monitoring and reporting much clearer for publicly traded corporations. In October 2011, it issued its first guidance for disclosing cyber security risks and incidents (October 13/11 — CF Disclosure Guidance: Topic No. 2). As the SEC points out, a cyber attack could directly affect the ability of a registrant to comply with many other existing legal and regulatory disclosure and reporting requirements, for example, when a cyber attack corrupts or sabotages financial information and reports, or otherwise prevents a registrant’s ability to record, process, summarize and report required SEC information.

In addition to the SEC’s recommended guidelines (see sidebar), Canadian compliance officers (and their legal advisers) might also wish to consider the following cyber security governance best practices:

• identify (designate) the corporate officer who is responsible for your enterprise’s cyber security, whether it is the chief compliance officer, the CIO or otherwise;
• ascertain the laws, regulations, contracts, technical standards or other industrial obligations that impose confidentiality, privacy, data protection, information security, or records integrity duties on your enterprise (including those that may be related to: the regulation of a particular industry; income tax; privacy and protection of personal information; personal health records security; industry

14 CCCA Canadian Corporate Counsel Association SPRING 2012