Cybersecurity Disclosure …………… No, Not Canadian Specific Guidance

November 28, 2011


Here is the cybersecurity disclosure guidance being provided by the Division of Corporation Finance of the U.S. Securities and Exchange Commission (SEC).

The good part is that they do not require disclosure that could act as a “roadmap” for infiltrating the registrant’s network security. And, in case you didn’t know your loss exposure, they provide a non-exhaustive list: 1) repair and remediation costs; 2) incentives to repair relationships with customers or other business partners; 3) increased security protection and training; 4) lost revenue, both directly from downtime and from lost customers and prospects; 5) liability and other litigation costs; 6) reputational damage with customers and investors; and 7) financial statement hits (warranty liability, product returns, capitalization of software costs, inventory write-downs).

As for actual disclosure, the guidance points to specific forms (Form 6-K or Form 8-K to disclose the costs and other consequences of material cyber incidents; see Item 5(a) of Form F-3 and Item 11(a) of Form S-3), and it reminds registrants of the materiality rules (Securities Act Rule 408, Exchange Act Rule 12b-20, and Exchange Act Rule 14a-9) and the test of a “substantial likelihood that a reasonable investor (note: not a reasonable tech geek) would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.”

The “materiality” issue is still developing in Canada, and (no surprise) there are conflicting decisions and hotly debated arguments. Here is a recent Ontario Securities Commission case that sheds some light on the subject (and here is an older one).

Issuers should not present risks “that could apply to any issuer or any offering.”

The key concern is that disclosure decisions must consider “risk,” not just losses, actual incidents or threatened attacks. However, as with all disclosure advice, “boilerplate” language will be looked on unfavourably. Registrants need to evaluate their cybersecurity risk considering prior incidents, the potential for recurrence, the experience of competitors and other industry participants, the magnitude of potential loss, and the adequacy of loss control activities.

A further disclosure requirement is a discussion of the effectiveness of the policies, procedures and controls surrounding cyber incidents, and of the disclosure process itself.

Cyber risk is a very new and developing field, so the available guidance is not very specific. This risk will have to be treated like every other business risk. There are good insurance companies and good insurance products available to accept risk transfer of some, but not all, potential cyber losses. But, like every other specialty line of insurance, there is no standard or regulated policy wording or premium calculation. And, to make things more challenging, cybersecurity insurance policies can be a rare breed of hybrid “first party” and “third party” coverage, with the potential for both “claims-made” and “occurrence” responses.

Greg Shields is a D&O, Professional Liability, Cyber Risk, Employment Practices Liability, Fiduciary Liability and Crime insurance specialist and a Partner at the University and Dundas (Toronto) branch of Mitchell Sandham Insurance Services. He can be reached at gshields@mitchellsandham.com, 416-862-5626, or on Skype at risk.first.

CAUTION: This article does not constitute a legal opinion or insurance advice and must not be construed as such. It is important to always consult a registered and truly independent insurance broker and a lawyer who is a member of the Bar or Law Society of the relevant jurisdiction with regard to this material before making any insurance or legal decisions. All material is copyrighted by Mitchell Sandham Inc. and may not be reproduced in any form for commercial purposes without the express written consent of Mitchell Sandham Inc. Anyone seeking to link this document from any external website must receive the consent of Mitchell Sandham Inc. by sending an e-mail to gshields@mitchellsandham.com.


Skip Arbitration, Go Straight to Class Action

April 12, 2011

The Supreme Court of Canada has released a new decision in Seidel v. TELUS Communications, here, that will be followed closely by Canadian class action plaintiff lawyers. If you don’t want to read the whole case, Osler has released a paper, here, by Jennifer Dolman and Matthew Thompson, discussing the decision, some of the SCC precedent cases such as Dell v. Union des consommateurs, here, and Rogers v. Muroff, here, the conflicting precedent, the narrow 5-4 decision and the dissenting opinion within the court, and the impact. The most interesting quote from the paper: “be prepared for an increased number of claims proceeding to the court system.” Interestingly, the paper makes a specific reference to franchisors and to the generous interpretation of the Arthur Wishart Act (Franchise Disclosure), 2000 in favour of franchisees.

This Supreme Court decision will put smiles on the faces of plaintiff and defence lawyers, but it will also help identify existing and new risks that must be managed by corporations, their management, directors, shareholders, and their insurers.

If you still don’t want to read the case or paper, here is my short summary:

The plaintiff (P) entered into a consumer contract for cellular service and later alleged false representation in how the defendant (D) calculated air time for billing. The contract included “private and confidential” mediation and arbitration and a waiver of the right to commence or participate in a class action. P sought certification of a class action; D was denied its application for a stay of proceedings by the trial judge, but the Court of Appeal stayed P’s action and sent the case to arbitration. P appealed, and the Supreme Court of Canada (SCC) lifted the stay of the class action, but only in relation to claims under section 172 of the Business Practices and Consumer Protection Act, S.B.C. 2004, c. 2 (the BPCPA), saying that this legislation “should be interpreted generously in favour of consumers,” supporting a “public interest plaintiff” and encouraging “private enforcement in the public interest” through a “well-publicized court action to promote adherence to consumer standards.”

The conflict seems obvious. The SCC stated that it was not negating its decisions in Dell, Rogers and others, which supported arbitration as a means of avoiding lawsuits. In para. 41 of the decision the court explains that in those cases “the outcome turned on the terms of the Quebec legislation,” which “contained no provision similar to s. 172 of the BPCPA.”

This court was specifically looking for “public denunciation” and notoriety that could not have been achieved through private and confidential arbitration.

The risk management spin:

If you have used, or expect to use, arbitration clauses to quash any rebellion by clients, you had better hope you are not subject to any legislation where statutory interpretation could suggest that the legislation was “enacted to encourage private enforcement in the public interest” and intended to “shine a spotlight on allegations of shabby corporate conduct.”

Good luck avoiding such legislation: this case dealt directly with section 172 of the BPCPA, but the cases it cites reference the Copyright Act, the Labour Code, the Insurance Act, and others.

Continue to use arbitration and mediation provisions (as well as “hold-harmless” and “limitation of liability” clauses) in your customer agreements, but also invest in a customer relationship management (CRM) system that will help identify and classify customer claims in real time. Also create policies and procedures for dealing with individual consumers before they become upset enough to take their complaints to social networks. Today, versus even two years ago, consumers have exponentially greater ability to reach like-minded individuals, and the class-action remedy is far more popular. Data-mining of Twitter, Facebook, MySpace and the broader blog world is a reality, so use it to your advantage, because it is impossible to determine which complaints will go viral, and no containment strategy can move as fast as a viral complaint.

As for insurance, don’t rely on anything you currently have, unless you have recently “stress-tested” your program for this exact risk exposure.

If the consumer lawsuit names individual directors and officers, the D&O policy might respond to the defence costs of the individuals, in excess of the corporate retention (if the corporation is financially and legally able to indemnify the individuals). But it is unlikely to respond to the costs of the corporate entity, because a consumer complaint would not be classified as a “securities claim,” which is where most “entity coverage” under a D&O policy is found. Some private company management liability policies provide entity coverage that is not limited to securities claims, but the exclusions (some of which are hidden in the definition of Loss) typically exclude “fines or penalties,” the costs of remedial relief, any circumstance or situation existing prior to the inception of the policy, and many other items.

If a lawsuit of this nature actually gets past the definitions and exclusions in the policy, most D&O and management liability policies require that an individual director or officer remain continuously named in the case in order for the policy to respond. And the double-edged sword in this case is that, if the lawsuit is covered by the policy, there is only one policy limit of liability, and exhaustion of that limit by the losses of the corporate entity could ultimately be to the detriment of the individual directors and officers for their downstream personal liability.

A Commercial General Liability policy would not typically respond to consumer protection claims arising from a consumer contract or agreement, because there is no underlying “bodily injury” or “property damage” to trigger the policy.

A Professional Liability policy (also known as Errors and Omissions, or E&O) might respond, but there is no standard or regulated wording for this product, so the policy will have to be examined closely. Also, E&O is more commonly purchased in the commercial products industry (where arbitration provisions are more likely to survive) and less often in the retail consumer products industry.

These comments are not meant as fear-mongering. The reality is that the SCC did not allow all of P’s allegations to proceed to litigation, and the decision is not a certification of a class proceeding. However, whenever an SCC decision goes in favour of an individual plaintiff seeking class action status and a remedy that includes disgorgement of profits, it presents financial and reputational risk exposures that cannot be ignored by any company of any size.

Greg Shields, Partner, Mitchell Sandham Insurance Brokers, 416 862-5626, gshields@mitchellsandham.com  

CAUTION: The information contained in the Mitchell Sandham website or blog does not constitute a legal opinion or insurance advice and must not be construed as such. It is important to always consult a registered insurance broker and a lawyer who is a member of the Bar or Law Society of the relevant jurisdiction with regard to this material before making any insurance or legal decision. All material is copyrighted by Mitchell Sandham Inc. and may not be reproduced in any form for commercial purposes without the express written consent of Mitchell Sandham Inc. Anyone seeking to link this site from any external website must seek the consent of Mitchell Sandham Inc. by sending an e-mail to gshields@mitchellsandham.com.


Reputational Risk

October 1, 2010


The Economist Intelligence Unit, here, a division of The Economist, here, conducted a survey of 269 business executives representing 19 industries, and the result was that Reputational Risk topped the list of 13 available categories, ahead of Regulatory Risk, Human Capital Risk, IT Network Risk, Market Risk, and Credit Risk; see here. The question was raised whether Reputational Risk is a standalone category or a consequence of other risks, and the respondents were evenly split. Supporters of the ‘consequence’ side may include risk managers who have made great efforts to structure their Governance, Risk Management, and Compliance (GRC) systems, identified their primary risks and attempted to quantify the costs of each, but are ultimately frustrated by the challenges presented by Reputational Risk. Supporters of Reputational Risk as a ‘standalone category’ may include risk managers in industries where the primary risks are very hard to identify and quantify. Though reputation was considered “one of the most important corporate assets,” a surprising revelation from this survey was that failures in Regulatory Risk and Legal Risk management were considered the greatest threat to reputation, yet environmental breaches were considered “an unlikely source of reputational damage.”

Now put the survey in context: it was published in 2005. I barely recall ‘social media’ being uttered in 2005, but today a simple Twitter suggestion of bed-bugs can reach millions of people and keep hotel patrons and movie-goers away in droves. I have not been able to find a recent recreation of this study, but I would suggest that even if a 2010 survey were available (and I’m sure it is), it might be reliable for a period of only months, not years.

My support (yes, it is 2010 support, and I cannot point to a written log of such support in 2005) would go to the ‘standalone category.’ Damage to reputation is a very real secondary risk to every primary risk; however, since it can also be a direct loss with no primary risk cause, the risk has to have its own policies, procedures, measurements (prioritized if not quantified) and unique solutions. This means crisis management plans, dedicated ‘category owners,’ internal and (separate) external communication plans, oversight and policing of the Reputational Risk Management component of every divisional or category Risk Committee, and involvement in executive-level reputation planning (including establishment, maintenance and monitoring).

It is largely agreed that Reputational Risk is difficult to quantify. Given that it is also 1) difficult to trace to its source, 2) potentially far more costly than most primary or corresponding risks, 3) in need of the attention of every employee in the organization, and 4) one of the top concerns of corporate executives, it needs to be given its own category and very serious attention.

Greg Shields, Partner, Mitchell Sandham Insurance Brokers, 416 862-5626, gshields@mitchellsandham.com