Is guarding against the modern risk of a cyber-attack part of the due diligence expected of a diligent and prudent officer and director?
Can directors and management of a company be personally liable for a cybersecurity attack on their watch? Recent charges filed by the U.S. Securities and Exchange Commission (“SEC”) against a company and its Chief Information Security Officer (“CISO”) suggest that that the answer may be “yes”.
In October 2023, the SEC filed civil charges against SolarWinds Corporation (“SolarWinds”), a US company providing IT service management software, as well as its CISO for fraud and internal control failures relating to a 2020 cyberattack. This marks the first time the SEC has brought charges against a company’s CISO in connection with a cybersecurity incident. In its complaint, the SEC alleged that SolarWinds and the CISO misled their investors about the company’s cybersecurity practices, failed to disclose known risks, and inadequately addressed those known risks to prevent and detect a potential attack. Public disclosures and risk factors – particularly those found in prospectuses, financial statements, management information circulars, press releases, and annual information forms – are ultimately the responsibility of the Board, creating potential exposure to a host of claimants including commissions, shareholders and other corporate stakeholders.
For its part, SolarWinds has responded by calling the charges “unfounded” and “inexplicable”, filing for a dismissal of the charges.
While the SEC case against SolarWinds case may be largely motivated by alleged misrepresentations by the company about the extent of a known specific cyber risk, the outcome of the case could have wider implications: directors and officers may be liable for adverse cybersecurity events if they do not take adequate steps to mitigate the risk and in particular if they attempt to play down a known risk.
The SolarWinds matter follows on other U.S. decisions that observers anticipate having an influence on Canadian law such as In re McDonald’s Corporation Stockholder Derivative Litigation (which we have previously written about – see https://www.pallettvalo.com/whats-trending/why-canadian-officers-and-boards-should-follow-a-u-s-decision-on-an-officers-duty-of-oversight/) that continue to expand fiduciary and standard of care duties for senior management and boards (given director duties tend to be very similar in both jurisdictions – particularly under Canadian statutes such as the Canada Business Corporations Act and the (Ontario) Business Corporations Act).
With the ever-growing risk of cyberattacks, it becomes increasingly likely that adverse cybersecurity events will affect the financial performance of a company, including through significant reputational harm. If a director or officer is seen to have failed in their duties to prevent a cyberattack, or more egregiously, has misrepresented the company’s position with regard to them, this could realistically lead to harm for a corporation which, in turn, opens boards and senior management up to a host of regulatory (e.g. commission enforcement) or secondary market (i.e. shareholder class action) liability.
Regardless of the specific outcome in SolarWinds, the very fact that charges were even brought underscores the need for directors and officers to heed their statutory duties with extra vigilance. While no Canadian director /officer has yet been the subject of enforcement proceedings related to cybersecurity, the SolarWinds matter shows this may not be the case forever.
Should you have any questions about director and officer liability and how it may impact you, a member of our business law group would be happy to discuss.