The COVID-19 pandemic has changed how we interact and work. Many corporations in the world today have instituted remote work policies to help combat the spread of COVID-19. With an increased number of employees working through remote connections, and the fear and uncertainty prevalent in the world today, corporations and their employees are increasingly at risk of fraud or cyberattacks.
Also, given the widespread disruption caused by COVID-19 and people feeling unusual economic pressure, there is an increased risk of fraud as employees work from home unsupervised. History has shown that employees are susceptible to fraudulent conduct, such as financial statement manipulation, because of the pressure faced in tough economic times. On the other hand, there are reports of fraudsters already taking advantage of the vulnerabilities of individuals and corporations on account of COVID-19 through all kinds of scams. It is therefore important for corporations to understand their potential liability and prepare accordingly.
From a legal perspective, corporations and their boards of directors may be exposed to increased liability during the COVID-19 pandemic. Specifically, the board of directors has a fiduciary duty of loyalty towards the corporation and must act honestly, in good faith and in the best interests of the corporation. In addition, each member of a board must exercise the care, diligence and skill a reasonably prudent person would exercise in comparable circumstances.
In the face of increased fraudulent activity during the COVID-19 pandemic, this translates into a duty to prevent fraud or cyberattacks, or to mitigate their impacts quickly. In particular, boards of directors should provide appropriate oversight with respect to cybersecurity measures and fraud protection programs and ensure adequate controls are put in place by management to manage any cybersecurity incidents and mitigate breaches when they happen.
Corporations and boards of directors at risk of fraud or cyberattacks due to the COVID-19 pandemic should consider implementing the following practices:
- Discussing matters relating to cybersecurity and fraud regularly at board meetings and keeping records of those meetings;
- Requesting that management create presentations and provide briefings on cybersecurity and fraud to educate the board;
- Keeping records of cybersecurity issues and fraud attacks targeting the corporation;
- Engaging third-party consultants to audit the corporation’s cybersecurity systems and provide recommendations for improvement;
- Overseeing management’s drafting of cybersecurity standards, programs and policies to ensure compliance with the law and industry best practices;
- Overseeing management’s creation of a business-wide crisis management team to manage fraud and cybersecurity issues;
- Engaging a chief information security officer with significant experience in information technology and cybersecurity;
- Overseeing management’s creation of a culture that views cybersecurity matters as everyone’s concern;
- Reviewing employee training and awareness programs on the topic; and
- Ensuring the corporation is adequately insured against fraud and cybersecurity breaches.
Should you have questions on the implementation of any of the above or questions about responding to, or remediating, threats or incidents in the face of fraud and cyberattacks during the COVID-19 pandemic, do not hesitate to contact our team.
The authors would like to thank Alexandra David, articling student, for her contribution to this legal update.