Page 15 - CCCA61_2012
Corporate Governance

compliance standards, such as the payment card industry's Data Security Standards; financial institution customer data protection and security, public company regulations, whether regulatory or exchange related);

• determine the extent to which any protected confidential or private information or other data (records) is vulnerable to any cyber security risk whatsoever;

• ascertain whether the enterprise has used reasonable and adequate methods to protect the security, veracity and completeness of such information, especially from cyber security risk, including the effectiveness of those technical and business systems, ongoing testing, security monitoring, reliance upon subject matter experts, industry benchmark comparisons, third party audit assessments, and periodic compliance verifications;

• ascertain whether your enterprise has a cyber security breach monitoring system, an incident record system, response escalation, and incident reporting protocol (both internal and external, possibly to insurers, regulators, affected third parties, etc.); and,

• ascertain whether your enterprise has cyber security breach "lessons learned" programs, which may include root cause analysis, continuous improvement, a quality assurance program, ongoing IT systems upgrades, as well as management education policies and programs.

It is also important to remember that while oversight for internal IT systems can be conducted as a matter of internal management practice, where any part of a company's IT infrastructure is provided by third parties (including outsourcing, shared services, inter-company management services, SaaS, or cloud computing) the execution of those services (including cyber security) must be overseen and supervised through the related service contract. The officers and directors of a corporation cannot delegate that ongoing governance responsibility to a third party service provider. Indeed, the outsourcing of the day-to-day operational duties of any enterprise's IT operation or business process to a third party service provider does not discharge the executive officers or the board from their continuing governance duties of oversight and supervision. Since corporate governance duties concerning cyber security (or otherwise) do not evaporate upon such managed service transactions, all of the governance obligations for cyber security that were previously discharged directly through internal management channels must continue to be overseen and supervised by virtue of the contractual rights that should be set out in the relevant services agreement.

Duncan Card is a partner at Bennett Jones LLP. One of Canada's leading technology lawyers, he frequently writes and lectures on topics related to his IT procurement, outsourcing, cybersecurity and IT (including ERP) transactions practice.

SEC guidance on cyber security

The SEC's cyber security guidance advances, in part, the following preparedness and disclosure principles that remind registrants of their continuing disclosure obligations in a cyber security context:

1. Registrants should consider the extent to which a number of existing disclosure requirements may require them to disclose cyber security risks and cyber incidents;

2. Registrants should review, on an ongoing basis, the adequacy of their disclosure processes and materials relating to cyber security risks and cyber incidents. Registrants are expected to evaluate their cyber security risks and take into account all relevant information;

3. The SEC expects registrants to evaluate their cyber security risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption;

4. Cyber incident risks should be disclosed if those risks are among the most significant factors that make an investment in the company speculative or risky; and

5. Registrants should consider the adequacy of preventative actions taken to reduce cyber security risks in the context of the industry in which they operate;

6. If any cyber attacks (and perhaps other known cyber risks) have prompted the registrant to materially increase its cyber security protection expenditures, the registrant should disclose those expenditures; and,

7. Pending material legal proceedings related to a cyber incident may require disclosure, for example when a significant amount of customer information is stolen and material litigation is pending.

PRINTEMPS 2012 CCCA Canadian Corporate Counsel Association