The cybersecurity threat landscape continues to produce new threats, not the least of which are risks related to the use of artificial intelligence (AI), specifically generative AI. In response, there is increasing pressure on regulators to tighten rules and transparency around cybersecurity reporting and disclosures, which in turn highlights the importance of boards of directors taking charge and being proactive on the subject. The article below puts into context the new threats potentially posed by the use of AI, the overall regulatory landscape, and ways in which boards can arm themselves to protect their organizations.

AI and cybersecurity

The NSA's Cybersecurity Director recently called AI a "game-changing technology" with respect to cybersecurity. Generative AI is a type of AI that generates text and other content from a user's prompts. These systems rely on so-called "large language models," which are models trained on large amounts of data in order to generate human-like language.

It is not a stretch to state that these tools can be used to write and distribute malware and automate attacks more effectively. Phishing and social engineering attacks could also be conducted more effectively if language, voice and images can be manipulated to draw victims into a host of fraudulent schemes.

This is an emerging threat that needs to be monitored, understood, and mitigated. It is also a prime example of why senior management and boards need to stay current on this threat landscape.

Cyber reporting obligations: Recent developments

The mandatory reporting of privacy breaches has been in place in Canada's private sector since 2018 (Alberta has had mandatory reporting since 2010 and Quebec since 2022). In contrast, mandatory reporting of cybersecurity incidents and proactive disclosures about an organization's cybersecurity posture are thus far not found outside of specific rules for the financial sector.

However, this is quickly changing. In the United States, the Securities and Exchange Commission (SEC) has proposed amendments to its rules to enhance and standardize cybersecurity disclosures in order to keep investors better informed about a company's cybersecurity risk management, strategy and governance. The amendments would require current reporting of cybersecurity incidents, periodic reporting on the policies and procedures in place to identify and manage cybersecurity risks, and annual disclosure of the board of directors' cybersecurity expertise.

Canada has quite recently proposed changes to its laws that would impose greater responsibility on corporate boards when it comes to cybersecurity and privacy. Bill C-26, An Act respecting cyber security and amending the Telecommunications Act, proposes new cybersecurity requirements to protect vital systems and services pertinent to Canada's security and public safety. Additionally, Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act, aims to strengthen Canada's private sector privacy law, create new rules for the development of artificial intelligence and continue advancing the implementation of Canada's Digital Charter.

Given these proposed changes, organizations know that now is the time to act.

The role of the board

Be aware of cybersecurity threats faced by your organization

Key stakeholders and regulators expect a board to be aware of the key cyber risks affecting the organization. For example, recent developments indicate that boards need to understand the cyber risks posed by the use of artificial intelligence. Boards should also understand what tools, including AI-powered tools, will be available to combat cyber risk. These technologies move fast, and the risk landscape changes just as quickly.

Boards should ask:

  • Who are the main threat actors and what are their motives?
  • What current technologies are being employed by attackers?
  • What is the potential business impact?
  • What are the current protections that are known to prevent or mitigate these risks?
  • What kind of internal training is required for which level of the organization?
  • What teams are required at what level of expertise?

A board should stay informed about the evolving threat landscape, emerging cyberattack trends, and vulnerabilities in the business. This includes understanding both technical and organizational vulnerabilities and gaps.

To remain knowledgeable and effective in their oversight, a board should engage with cybersecurity experts and consider obtaining an unbiased, third-party assessment of the organization's cybersecurity infrastructure and processes. This assessment should also evaluate the third-party risks associated with suppliers, vendors and business partners, as much of an organization's exposure to risk lies with them.

Develop a common language

A board of directors should develop a simple, common language for discussing the complex issues of cyber risk. By shifting the conversation from highly technical and ambiguous terms to ones the business can understand, board members can more effectively manage their financial exposure and cybersecurity risk.

Developing a common language will allow board members and operational leaders to understand the risk and impacts of potential cybersecurity attacks in plain language, which in turn will align the discussion between them and other members in the organization.

Increase cybersecurity expertise of the board

Another area of board oversight is ensuring that management has the requisite skills and the right individuals in the right roles, including executive positions at the top. As such, it is important to have at least one board member with some technical expertise and cyber experience.

The board should also foster relationships with cybersecurity experts within the organization in order to facilitate a streamlined response to a cyberattack or breach. These relationships should be in place before there is an urgent need for the board to weigh in on a cybersecurity situation, as a cyber incident is not the time to build the bridge between the board and the cybersecurity experts.

Establish a cybersecurity strategy built on a resilient program and effective incident response plan

A board should establish a cyber strategy and direct management to build a robust cybersecurity program. With the quickly evolving and not yet well-understood threats posed by generative AI, enterprise-wide security solutions that establish clear policies, guidelines, monitoring mechanisms and procedures to govern cybersecurity practices should be reviewed and implemented. This includes training at all levels of the organization as well as establishing a clear incident response plan.

Boards should consider requiring quarterly or bi-annual reporting on the effectiveness of the cybersecurity program. Boards are responsible for monitoring and assessing their cybersecurity systems and should receive regular reports on metrics. These include the effectiveness of the security controls and the results of cyberattack simulations (tabletop exercises), which help the board identify vulnerabilities and measure the resilience of the system.

Tabletop exercises should be performed regularly at the management and board level, and should be able to pressure-test the controls. Any gaps or areas for improvement should then be addressed in changes to policies or procedures.

Staying ahead of the curve

Data protection and cybersecurity are governed by a complex legal and regulatory framework. Failure to understand this framework and take proactive steps to reduce and manage risk can have serious financial consequences, including reputational loss and litigation costs.

Trends in the United States are often an indicator of what might be coming down the pike in Canada, and many Canadian companies will certainly be impacted by the proposed SEC rules. For these reasons, a board of directors should make an effort to limit liability for insufficient or ineffective cybersecurity practices by taking steps to remedy deficiencies and adopting leading cybersecurity practices to stay ahead of the curve.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.