2024 volume 34 issue 1

Understanding Cybersecurity: Opportunities (and Perils) for IROs

LEAD ARTICLE

Hackers hit TSX-listed book retailer Indigo in February 2023, halting the processing of debit and credit transactions for several days and preventing online sales for nearly a month. The company had no choice but to go public about the attack, noting that criminal activity had a material impact on fourth-quarter sales. 

Ditto for Sobeys, which suffered a cyberattack in November 2022 that cost its parent company, Empire, about $25 million, after what was recovered through insurance. 

Even for less high-profile data breaches, the costs can be staggering.

Canadian companies are paying nearly $7 million when a data breach happens, the third highest level worldwide, according to IBM’s 2023 Cost of a Data Breach Report. Canadian financial services and energy companies are paying even more than these averages. On average, finds IBM, Canada’s financial sector is paying nearly $12 million per breach, while the energy sector is paying $9.37 million. 

The rise of malware and other devastating cyber threats is attracting the attention of IROs. Emily Lau, Manager, Investor Relations for Enthusiast Gaming, has observed that in the past few years, the world has changed dramatically, with cybercriminals becoming more active and aggressive as large numbers of employees still work from home. As a result, she says, “the risk of exposure to cybersecurity threats has increased – and this is an important issue for IROs to think about.”

Carol Hansell, Senior Partner at Hansell McLaughlin Advisory Group in Toronto, agrees. “The fear of a cyber breach is a nightmare everybody [inside a public company] lives with every day,” she says. She stresses that no company is immune anymore: “People say that the world is divided into two kinds of organizations: those that have been hacked and those that are going to be hacked.”

If all companies are facing a threat from cybercrime, the question becomes: What role should an IRO play?

Hansell explains that some breaches are small and can be handled by a Chief Technology Officer or the IT department, while others need to involve management and the Board. “If a cyber breach rises to the level of a press release going out, the IR professional will be involved,” she says.

Communicating with the Board

The U.S. Securities and Exchange Commission (SEC) recently enacted a new cyber disclosure rule, placing the onus squarely on companies to provide investors with current and consistent information about how cyber risks are being managed. 

The new rule is forcing American companies to add details about their cyber programs to their annual 10-K filings. In addition, should a cyber-incident occur, a listed U.S. company is required to determine materiality. Once an incident has been deemed material, companies have a mere four days to provide details by filing a Form 8-K.

Canadian issuers, even those dual-listed in the States, are not subject to the SEC’s cybersecurity rule if they report on Form 40-F under the U.S.-Canada Multijurisdictional Disclosure System (MJDS), according to Osler.

Even though the SEC’s disclosure rule doesn’t apply to Canadian companies, its influence is felt. “We look at what companies are doing south of the border and at best practices,” says Isabelle Adjahi, Vice President, Investor Relations and Sustainable Development, for Lion Electric, based in Saint-Jerome, Quebec.

Adjahi spoke to IR leader in February, as she was preparing a presentation for the Board on cybersecurity. She is convinced that an important responsibility of IR and communications teams is educating directors on cybersecurity risks by discussing best practices and keeping them apprised of emerging threats.

Adjahi’s actions are not unique. Sylvia Groves, President of Calgary-based Governance Studio, says IROs are taking note because cybercrime is “increasingly within the top-10 risks within a Board’s risk register.” 

Starting the Right Conversations

Carolyn Muir, VP Corporate Development & Investor Relations at Toronto-based Aurania Resources, recalls that nearly two years ago her audit committee insisted a third-party, independent IT firm be hired in case a cybersecurity attack occurred. Having found and hired XBASE, she says, means that her company is positioned to respond quickly in the event of a cyber-related crisis.

Muir is convinced that Aurania’s size (“a junior exploration company” in her description) is an advantage. “There are probably some smaller companies out there – like ours – that haven’t yet put processes in place to know how you deal with a cyber crisis,” she says. Having taken the issue to heart, Muir is pleased to be “one quick call” away from reaching legal and the IT response team.

The ability to identify and connect to the right individuals inside and outside your company is critical, according to David Shipley, CEO of Beauceron Security, a cybercrime consultant based in New Brunswick.

He urges IROs to “begin making connections with your hard-working security folks – yesterday.” At a time when cybercrime is rising dramatically and budgets for IT are being cut, he emphasizes that a company’s internal security experts are “desperate” to talk. He continues: “They want someone to understand the context they’re operating in, and they want allies to help convince executives if there are material risks due to underinvestment.” 

All that said, IROs can only provide useful input if they are educated about looming threats and can discern which threats are of greatest concern for a particular organization.

“Part of the challenge for any IRO is getting up to speed with the vocabulary,” says Hansell. “We’re not all cyber experts. One thing IR professionals can do is to be as conversant as they can with the cybersecurity language that is relevant to their organization.”

Take, for example, ransomware, or an attack by bad actors who seize control of a company’s software systems or proprietary information and demand payment for returning control to the rightful owners. Ransomware tactics have evolved so quickly that the latest jargon includes ‘double extortion’ and ‘triple extortion’, among other terms.

With double extortion, criminals first demand a specific sum to decrypt a company’s data, and they then extort the company’s customers, threatening to release private data on the black market. With triple extortion, criminals accept a ransom while readying a future backdoor attack – and then demand a second ransom for not reinfecting the system.

Once IROs get up to speed on the threats du jour, they have a tremendous opportunity to “improve communication to the Board,” says Groves. She notes that directors grow frustrated when technology officers or IT experts toss off too much technical jargon. “‘You should speak to us in English’ is something I hear directors say all the time.”

“IROs have the right skill set around messaging and presenting clearly,” says Groves. “I believe they could provide strong, internal support for making [cybersecurity] information accessible to Board members.”

Walking a Fine Line

Enthusiast Gaming has an IT security and incident response procedure mapped out, but – like many companies – has not yet put in place a detailed IR strategy for cybercrimes, says Lau, who joined the Toronto-based, gaming-platform company in 2022.

Working in IR at a former employer, Pacific Basin Shipping, was altogether different. She recalls that the Hong Kong-based company viewed the well-publicized, 2017 cyberattack against shipping giant Maersk, one of its peers, as a wake-up call. Pacific Basin’s IR team responded by preparing a generic press release should a cyber event occur.

“You never know when a cyberattack will happen,” says Lau. “It could be in the middle of the night, but we wanted to be able to respond as quickly as we could.” 

Many Canadian IROs are only now grappling with what a cyber incident might mean from a disclosure perspective, and yet it seems clear that savvy IROs would want to begin thinking through disclosure implications well before a crisis hits.

At Lion, cybersecurity is considered a governance issue and is given space in the ESG report. “We want to discuss what we are doing to mitigate risks, but we don’t want to open the kimono and go into too many details,” Adjahi says. She notes that like many other companies, hers is unwilling to discuss cybersecurity insurance (a topic she declined to address in this article) because she fears that disclosing information about financial protection may influence how hackers behave.

Shipley acknowledges the impulse to be reticent. In the end, though, he is convinced that companies should err on the side of disclosing more rather than less. 

“Companies worry too much about tipping off hackers, but talking about having a mature, in-depth program and controls isn’t a negative. It’s a positive,” says Shipley. He continues: “Hackers think, ‘Geez, look how well these guys are thinking this through. Do I want to invest the time picking their locks and getting mauled by the guard dog as soon as I enter the door? No, I’ll move on to one of the companies with weak disclosure.’”
