Officer and director liability for cybersecurity breaches: Canadian implications of the SolarWinds case

March 19, 2024 | David Schnurr, David Krebs, Jayme Millar

Facts

With the continued prevalence of cybersecurity threats and the many times associated consequences of business interruption, reputational damage, personal data breaches, disclosure of confidential and proprietary information, as well as loss of revenue, it comes as no surprise that cybersecurity must be top of mind for Canadian business leaders and board members.

A recent case from the U.S. is instructive on both sides of the border as it relates to director and officer liability for failure to appropriately address cybersecurity risks.

In January 2024, SolarWinds Corporation (“SolarWinds”), a U.S. company, filed a motion to dismiss the charges brought by the Securities and Exchange Commission (“SEC”) in October 2023 against SolarWinds and its Chief Information Security Officer (“CISO”), Timothy Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. SolarWinds, which provides IT service management software to a myriad of entities, including the US Treasury Department and the US Department of Homeland Security, was the target of a massive cyberattack in 2020.

The SEC alleges that, from October 2018, SolarWinds and Brown knowingly defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. Specifically, SolarWinds only publicly disclosed generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices and the elevated risks the company faced at the same time. The SEC further alleges that Brown, knowing these deficiencies, failed to resolve the issues or sufficiently raise them further within the company, resulting in SolarWinds being unable to provide reasonable assurances that its products were adequately protected. Among other penalties, the SEC is also seeking to permanently prohibit Brown from acting as a director or officer in any public company. SolarWinds rebuts the SEC complaint, arguing that the disclosures the SEC is suggesting would both be impractical and harmful for corporations as it would provide a roadmap for future attackers.

This case  represents the first time the SEC has charged a CISO with fraud, underscoring the growing importance of cybersecurity in not only business operations but also in securities regulations. Namely, the SEC requires companies to: (1) disclose any material cybersecurity incident; (2) disclose their processes for assessing, identifying, and managing material risks from cybersecurity threats; and (3) describe the board of directors’ oversight and management’s role of these processes.

Canadian Implications

As in the United States, Canadian directors and officers generally enjoy limited liability from their actions on behalf of a corporation. However, common law and statutes expose these individuals to liability in certain instances. Specifically, directors and officers owe a fiduciary duty and duty of care to the corporation, which includes having sufficient cybersecurity oversight and mitigation processes. Although there has yet to be a case in Canada assigning personal liability to a director or officer for a cybersecurity incident, it is possible: if a director or officer causes harm to a corporation through a negligent handling of cybersecurity matters (for example, failing at the minimum standards required to assess and address the risks to the business posed by lacking cybersecurity) such that they breach their duties, shareholders and other stakeholders can pursue a derivative action on behalf of the corporation. Further, directors and officers could be held liable for misrepresentations in a corporation’s disclosures, including disclosures relating to cybersecurity matters.

Action Items/Preventative Measures

The SolarWinds case underscores the importance of Canadian officers and directors taking preventative measures for cybersecurity matters. Beyond sufficiently preparing the corporation for cybersecurity incidents, taking proactive steps (such as developing, implementing, and overseeing a robust cybersecurity regime, ensuring there is sufficient expertise at key levels of the organization as well as resources to support the implementation of the program, thoroughly reviewing public disclosures to ensure that there are no misrepresentations or omissions, especially relating to cybersecurity practices, reviewing insurance coverages and promptly disclosing material cybersecurity incidents) may help provide a due diligence defence for officers and directors to shield them from personal liability.

Should you have any further questions or concerns, please feel free to reach out to a member of Miller Thomson’s Privacy, Data Protection and Cybersecurity team.

Disclaimer

This publication is provided as an information service and may include items reported from other sources. We do not warrant its accuracy. This information is not meant as legal opinion or advice.

Miller Thomson LLP uses your contact information to send you information electronically on legal topics, seminars, and firm events that may be of interest to you. If you have any questions about our information practices or obligations under Canada’s anti-spam laws, please contact us at [email protected].

© Miller Thomson LLP. This publication may be reproduced and distributed in its entirety provided no alterations are made to the form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP which may be requested by contacting [email protected].