Hack attacks hit home: ‘The kind of thing that CEOs get fired for’

Adam Kardash

Feb 2, 2015

Theresa Tedesco

Financial Post, National Post


The growing prevalence of cyber risk in the corporate world has breached the walls of Canada’s boardrooms, with directors as likely to see their company’s data as a ticking time bomb as to see it as an asset. With a single hack attack, a company can see its damage-control costs spin out of control and its customer goodwill shattered. An attack could devastate company morale, put the company at risk of lawsuits, and shear a company’s stock price.

“There literally is not a client across all sectors for whom this is not a matter of major concern or a priority,” said Adam Kardash, a partner at the Toronto law firm Osler, Hoskin & Harcourt LLP who specializes in privacy and data management. “It has definitely hit the board level.”

Hack attacks have forced the resignations of CEOs at prominent companies, such as Target. And for weeks, Sony Corp.’s world was turned upside down after a mysterious group of blackmailers assaulted it with a hacking attack, purportedly linked to the release of The Interview movie.

“Where companies are deemed not to have taken the appropriate steps that are considered reasonable to safeguard the data, there will be exposure,” explained Mr. Kardash.

With so much at stake, there’s a “huge shift toward data governance” underway, explained Mr. Kardash, which has meant elevating oversight of digital assets from the IT department into the boardroom as part of the enterprise risk-management framework. Boards are figuring out that oversight of cyber security is now as much a part of their fiduciary duty as the accounting on the balance sheet. In the post-Sarbanes-Oxley era of financial certifications, boards are seeking out qualified chief information officers as eagerly as they sought out top-notch accountants and financial experts after the Enron scandal.

Until now, most of the breaches have involved customer data and credit card information, but security experts warn of attacks that cause a total shutdown of operations. Such attacks could be disastrous because of the broader impact they can have, such as potentially destabilizing financial markets. The breadth and sophistication of attacks have moved from garden-variety customer data theft to cyber extortion and state-sponsored attacks, considered to be the motive behind December’s Sony attacks.
