Cybersecurity Disclosure …………… No, Not Canadian Specific Guidance

November 28, 2011


Here is the Cybersecurity disclosure guidance being provided by the Division of Corporate Finance of the Securities and Exchange Commission.

The good part is that they don’t require disclosure that could act as a “roadmap” to infiltrate the registrant’s network security. And, in case you didn’t know your loss exposure, they provided a non-exhaustive list including 1) repair and remediation costs, 2) incentives to repair relationships with customers or other business partners, 3) increased security protection and training, 4) lost revenue directly from downtime, and lost customers/prospects, 5) liability and other litigation costs, 6) reputational damage with customers and investors, and 7) financial statement hits (warranty liability, product returns, capitalization of software costs, inventory write-downs).

As for actual disclosure, the guidance points to specific forms (Form 6-K or Form 8-K to disclose the costs and other consequences of material cyber incidents – see Item 5(a) of Form F-3 and Item 11(a) of Form S-3) and they remind registrants of the materiality clauses (Securities Act Rule 408, Exchange Act Rule 12b-20, and Exchange Act Rule 14a-9) and the “substantial likelihood that a reasonable investor (note, not reasonable tech geek) would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.”

The “materiality” issue is still developing in Canada, and (no surprise) there are conflicting decisions and hotly debated arguments. Here is a recent Ontario Securities Commission case that draws some light on the subject (and here is an older one.)

Issuers do not have to present risks “that could apply to any issuer or any offering.”

The key concern is that disclosure decisions must consider “risk,” not just loss or actual incidents or threatened attacks. However, as with all disclosure advice, “boilerplate” language will be looked on unfavourably. Registrants need to evaluate their cybersecurity risk considering prior incidents, potential for recurrence, experience of competitors and other industry participants, magnitude of potential loss, and adequacy of loss control activities.

A further disclosure requirement is discussion regarding the effectiveness of policies, procedures and controls surrounding cyber incidents and the disclosure process itself.

Cyber Risk is a very new and developing field. Therefore, available guidance is not very specific. This risk will have to be treated like every other business risk. There are good insurance companies and good insurance products available to accept risk transfer of some, but not all, potential cyber losses. But, like every other specialty line of insurance, there is no standard or regulated policy wording or premium calculation. And, to make things more challenging, cybersecurity insurance policies can be of a rare breed of hybrid “first party” and “third party” coverage, with potential for “claims-made” and “occurrence” responses.

Greg Shields is a D&O, Professional Liability, CyberRisk, Employment Practices Liability, Fiduciary Liability, Crime insurance specialist and a Partner at the University and Dundas (Toronto) branch of Mitchell Sandham Insurance Services. He can be reached at gshields@mitchellsandham.com,  416-862-5626, or Skype at risk.first.

CAUTION: This article does not constitute a legal opinion or insurance advice and must not be construed as such. It is important to always consult a registered and truly independent insurance broker and a lawyer who is a member of the Bar or Law Society of the relevant jurisdiction with regard to this material before making any insurance or legal decisions. All material is copyrighted by Mitchell Sandham Inc. and may not be reproduced in any form for commercial purposes without the express written consent of Mitchell Sandham Inc. Anyone seeking to link this document from any external website must receive the consent of Mitchell Sandham Inc. by sending an e-mail to gshields@mitchellsandham.com.


Corruption and Bribery Compliance – Significant Measurable Metric

November 21, 2011


Bribery in your organization? Can you picture any one of your employees saying “all my competitors are doing it, so I am forced to grease the wheels just to compete”, or “there is a small chance that my (corrupt) activities will be uncovered, and even if they are uncovered I may or may not be disciplined; but, if I miss my budget for three quarters I will definitely lose my job.”

Canada is not known for its enforcement of corruption laws. In fact, it is a haven for fraudsters specifically because of our weak history of enforcement. However, this is changing, and your only protection is a documented effort to reduce corruption. There is considerable international political pressure on Canada to make Anti-Corruption and Anti-Bribery a top enforcement priority. The OECD (here) Phase 3 “Report on the Application of the Convention on Combating Bribery of Foreign Public Officials” mentions that “enforcement more generally of the Corruption of Foreign Public Officials Act (CFPOA) may be uncertain, due to significant concerns that remain about Canada’s framework for implementing the Convention.” The OECD has been critical of Canada and our legislation because it is limited to a “real and substantial” link to Canada, our interpretation of the OECD Convention has been too limited, our enforcement has been “too low to be effective, proportionate and dissuasive”, and we have not committed enough resources to the prosecution of cases. According to the report we are on a tight leash and obligated to provide multiple reports on our progress through 2013. Perhaps the best evidence of our future focus is the Niko Resources case (see previous blog post, here), which came out shortly following this report.

The enforcers of anti-corruption in other countries have a lot of power, and they are willing to exert it. Recently, the US Department of Justice (DOJ) and the UK Serious Fraud Office (SFO) joined forces in the Aluminium Bahrain B.S.C. (Alba) and Alcoa case. (This case has a Canadian spin, but not on the enforcement side; it just happens that one of the individuals recently arrested in London, England on corruption charges was a Canadian citizen.) The case originated as a civil suit in 2008 in the US where Alba accused Alcoa, here, of misappropriating “$2 billion in Alba’s payments under supply contracts passed from Bahrain to tiny companies in Singapore, Switzerland, and the Isle of Guernsey, and that some of the money was then used to bribe Bahraini officials involved in granting the contracts.” The DOJ had a stay of prosecution executed in the civil suit to give them time to pursue FCPA options.

I am going to hazard a guess that the top stated priority and top action item for most Compliance Officers in Canada is not controlling corruption. If controlling corruption is not a top priority in your organization, then I doubt you are comfortable that you can quickly document a host of “Significant Measurable Metrics” for Anti-Bribery and Anti-Corruption activities. There is not a lot of guidance to Canadian Officers on the subject of CFPOA loss control, but that is where we can learn from our US, UK and Australian counterparts.

The DOJ provides extraordinary information on its anti-corruption initiatives. This is a key priority for US companies, and there are many examples of loss control initiatives coming out of US companies and their third party service providers. Thomas Fox and Howard Sklar team up in a production called This Week in FCPA, and one of their recent sessions concentrated on Tone at the Top. They suggest that this is a key issue in FCPA defense and settlement negotiations. Here are seven ideas for Corporate Compliance Officers:

  1. Have the CEO author a letter, attach it to the Code of Conduct and send it to every employee in every country and region, stating that breaching this Code of Conduct will not be tolerated;
  2. Have the CEO record a video message to be played at every compliance training session, stating that breaching the Code of Conduct will not be tolerated;
  3. Have the CEO send a quarterly email to every direct report reminding them of the Code of Conduct, that she/he will hold them to that Code, and that she/he expects them to disseminate this same message to each of their direct reports;
  4. Put compliance metrics in employee score cards, including the sales team;
  5. Train the CEO to use the six most powerful words in compliance, “What does compliance think about that?”, whenever she/he hears of a new market, new idea, new product, new effort, new program – every time (and document this action);
  6. Everyone in the organization needs training, but the workforce has to be grouped by risk category, and the highest priority groups should get “in-person” training specific to their function, to the company’s Codes, Policies and Procedures that are in force in that organization, and to the underlying law (and document this action);
  7. Every person in the organization needs to know their internal alternative reporting options for conduct that breaches the codes, policies and procedures;
  8. Incorporate Audit Rights (see here for more info on Audit Rights) into every contract; the DOJ demands that audit rights exist in every high-risk (anyone who is spending your money) third party contract, but there must be evidence of these rights being exercised.

This is very simple, but almost every good loss control technique is simple (see previous blog post “Risk Management is in the Details”). But I recognize this is much easier to say than do. CEOs might not be the easiest people to train, but they will be the ones in the spotlight of the RCMP / SFO / DOJ, and there are many examples (including the Canadian one) of the ultimate punishment being directly related to the value of the policies, procedures and related actions of the company and its executives at the time the corruption and/or investigation became known to the executive team.

The above comments will add to the “measurable metric” list and improve the overall compliance evaluation and ultimately reduce the fine or penalty and other loss from an FCPA / CFPOA / UK Bribery Enforcement Action. However, a message is not enough; there must be Evidence of Action. Compliance has to be an integrated business force, not an outside nuisance.

Greg Shields is a Directors’ and Officers’ Liability, Professional Liability, Employment Practices Liability, Fiduciary Liability and Crime insurance specialist and a Partner at the University and Dundas (Toronto) branch of Mitchell Sandham Insurance Services. He can be reached at gshields@mitchellsandham.com,  416-862-5626, or Skype at risk.first.



No Defence Costs from a D&O Policy

November 11, 2011

It is common in Canada that Defence Costs under a D&O policy will stop upon exhaustion of the limit of liability. There is the exception of Quebec, where defence costs are outside of the limit of liability, but even Quebec risk does not guarantee unlimited defence costs. If there is any question regarding “jurisdiction” (i.e. any part of the plaintiff, defendant, wrongful act, or policy construction was outside of Quebec), you can be sure the insurer will attempt to push the case into another jurisdiction that does provide defence costs within the limit of liability. You can also be sure that the insurer will regularly apply to the court to relieve them from the burden of defence costs based on 1) their offer to settle having been made or 2) the policy limits being exhausted or potentially exhausted by indemnity. There is no rule as to how much the insurer will be responsible for above the limit of liability, but the insurer will eventually be relieved from their defence obligations.

The concerning new precedent (here – provided by Kevin LaCroix, OakBridge Insurance Services and his The D&O Diary) is out of the New Zealand High Court (Auckland Registry) in a case where a real estate development and investment firm went bankrupt. The liquidators and receivers made a charge against the D&O policy limits of liability because their claims are “for a sum significantly greater than the amount of cover available under the D&O policy,” and the insurer is “bound to keep the insurance fund intact.” The court agreed, and the directors are left to fund their own defence of a number of large civil and criminal lawsuits.

If you are a Canadian director or officer with no exposure to New Zealand, this case should not keep you up at night. But it should not be ignored. It is a great example of the risk of erosion or complete exhaustion of large limits of liability by defence costs. It is a great example of the need to restrict some or all of the D&O limits to specific “loss.” Broad policies are not in the best interest of every insured. The conflicts between the various insureds should be front and centre, not hidden in a hundred pages of insurance contract. Priorities for the insurance coverage should be balanced over the interests of each insured, and the priorities should be established long before the contract language is negotiated. And it is a warning that jurisdictional differences should be examined to determine the need for locally issued policies, but also that “legal risk” is present in almost every country in the world due to underdeveloped case law regarding D&O insurance.

Kevin LaCroix offers an explanation of the case, details on “choice of law provision”, and broad “discussion” commentary in his blog post, here.

Greg Shields is a D&O, Professional Liability, Employment Practices Liability, Fiduciary Liability and Crime insurance specialist and a Partner at the University and Dundas (Toronto) branch of Mitchell Sandham Insurance Services. He can be reached at gshields@mitchellsandham.com,  416-862-5626, or Skype at risk.first.



Mitchell Sandham at RGD DesignThinkers Conference

November 7, 2011

Mitchell Sandham attended the DesignThinkers conference last week to discuss the insurance program in place for RGD members. We had a lot of visitors during the conference and the program is being well received. It is one of the premier events for graphic designers in Canada. Contact Ryan Mitchell at Mitchell Sandham Insurance Brokers for more information regarding Professional Liability/Errors & Omissions Liability, Commercial General Liability and Property Insurance at rmitchell@mitchellsandham.com or (416)862-5620.
