Whether in the context of the US election, WikiLeaks and allegations of Russian skulduggery, or the mild inconvenience of a nation-wide Netflix outage, cybersecurity, or “the cyber” as Donald Trump would say, is front and center in the news these days. The not-so-coveted award for the biggest (known) hack to date, however, goes to Yahoo. The only thing more shocking than the magnitude of Yahoo’s 2014 data breach, which exposed the names, email addresses, telephone numbers, dates of birth and hashed passwords of approximately 500 million users, was the two years it took Yahoo to detect the breach and notify its affected customers.
While the regulatory impact of this breach remains to be seen, calls are already under way for a Securities and Exchange Commission (SEC) investigation into whether Yahoo failed to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems. Yahoo is also the subject of several class-action lawsuits over the intrusion.
The SEC has provided guidance on cybersecurity in the past, directing public companies to disclose their cybersecurity risks, as well as any incidents that have a material impact on the company.
Canadian regulators are also taking notice of this growing threat. As mentioned in our September 2016 Bulletin, the Canadian Securities Administrators (CSA) has just released its own guidance on cybersecurity, outlining several best practices and indicating that cybersecurity will be a major focus for the CSA going forward. IIROC President and CEO Andrew Kriegler, speaking at the recent 2016 Quebec Compliance Conference, also referenced resources IIROC has created to help firms identify and manage cybersecurity risks and threats.
As well, on October 14, 2016, the Government of Canada announced its participation in and endorsement of the G7 Fundamental Elements of Cybersecurity for the Financial Sector (the Guidelines). The Guidelines set out eight basic elements of a cybersecurity strategy and framework, consistent with guidance previously provided by Canadian regulators including the CSA, the MFDA and IIROC.
While the final regulatory and legal consequences for Yahoo remain to be seen, certain lessons can already be drawn from the case. First, cybersecurity needs to be a priority for all firms: it appears that Yahoo was slow to invest in cyber defense and to institute certain security protections. Second, a cybersecurity strategy and framework must be proactive rather than reactive: it appears that Yahoo was slow to implement intrusion-detection tools that matched industry standards, and consequently was slow to detect the 2014 breach. The longer an intrusion goes undetected, the greater the exposure of customer data and the later the notification to those affected and to regulators.
Given the heavy reputational damage, regulatory and legal risk, privacy concerns and, in Yahoo’s case, a possible failed sale of its core operations to Verizon, the importance of a thoughtful and proactive cybersecurity strategy and framework is clear.
In the meantime, the OSC has issued a Cybersecurity and Social Media Practices Questionnaire, due on November 5, to assist with the development of future staff guidance.