Artificial Intelligence and Cybersecurity: Board Oversight Essentials

October 7, 2025

Introduction

Artificial intelligence (AI) and cybersecurity are two areas that share similarly steep growth trajectories, presenting both risks and opportunities to issuers. The rapid growth in both areas requires directors and officers to review and, in some cases, revise traditional approaches to oversight. Directors or officers who may not have similar levels of exposure to these topics may find the baseline technical expertise required to address such issues challenging.

Prudent governance practices remain as important as ever in the face of the new demands brought on by these rapidly developing areas. Existing board best practices, informed by technical expertise and awareness of critical developments in these areas, offer organizations a measured approach to navigating new risks and opportunities.

You will find below: (1) recent developments in the legal scaffolding of these areas, (2) existing best practices applicable to board oversight of these new areas, (3) sample frequently asked questions for realizing these best practices, and (4) key takeaways for your further consideration.

Evolution of Laws

In keeping with rapid developments in these areas, regulators both at home and abroad are turning their attention to emerging cybersecurity and AI issues. The increasing governmental focus surrounding these areas reinforces the importance of board members becoming conversant in relevant areas that arise in any particular issuer’s specific use case.

Compliance with new legislative and regulatory regimes may require the implementation of long-lead-time items such as AI policies and cybersecurity programs. Boards and committees responsible for overseeing public disclosure and legislative compliance should ensure that management is devoting an appropriate amount of diligence towards consideration of new and upcoming requirements and guidance.

Earlier this year, the Canadian Securities Administrators (CSA) released CSA Staff Notice and Consultation 11-348 – Applicability of Canadian Securities Laws and the Use of Artificial Intelligence Systems in Capital Markets, which presented the CSA’s view on how issuers should interpret and apply existing regulatory rules to AI use. The CSA also laid out its expectations for issuers to provide greater transparency in their periodic and continuous disclosure about AI, calling for disclosure that is better tailored to each specific issuer and cautioning against misleading or over-embellished disclosure, which may constitute “AI-washing.” For more information on the CSA’s past guidance on AI disclosure and use, please see our previous bulletin titled CSA Provides Guidance on AI Disclosures by Public Companies.

In June of this year, Canadian legislators introduced Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-8), which, if passed, would enact the Critical Cyber Systems Protection Act (CCSPA). CCSPA will introduce new cybersecurity compliance requirements for certain vital industries, mandating, among other things, the implementation and regular review of a cybersecurity program, certain regulatory notification requirements in the event of a change of ownership or control, and record-keeping and data residency obligations. For more information on Bill C-8 and CCSPA, please see our previous bulletin titled House of Commons Re-Introduces Federal Cybersecurity Legislation.

Issuers must stay apprised of new compliance requirements governing cybersecurity and AI. Establishing a clear direction for AI use assists in developing the cybersecurity framework needed to navigate newly arising compliance obligations. Organizations may face significant enforcement consequences for improper disclosure and/or “AI-washing.”

Primer on Best Practices With a New Lens

You will find below several best governance practices that, when viewed from a lens enriched by relevant expertise and awareness of ongoing developments, may assist your organization’s approach to these new topics.

  • Directors should actively engage with and stay apprised of matters that may significantly affect their organization. To that end, directors should endeavour to ask clarifying questions to ensure they are adequately apprised of these matters and come to board meetings prepared with the background knowledge needed for active participation.
  • Boards may benefit from being composed of directors with a wide range of backgrounds and areas of expertise. Diversity of thought lends itself to more holistic approaches to issues. Breadth of expertise helps boards identify when an issue requires deeper consideration or engagement of outside experts.
  • Establishing a direction for an organization assists management with the execution of more granular goals. With a clear mandate from the board, individuals at all levels of the organization are better able to secure the necessary buy-in to advance projects in service of the broader strategic direction.
  • Periodic board evaluation processes, including self-assessments, help identify skill gaps and opportunities for further development. Documenting sought-after strengths may assist issuers with justifying the compensation packages offered to certain board members, further incentivizing the attraction and retention of top talent.

Sample Board FAQs

Committees with members who have relevant experience in these areas can serve as an additional liaison with members of management who have specialized education or experience. Nevertheless, regular and active participation by the full board remains integral to ensuring the requisite amount of rigour is put into developing a strategic direction and complying with new or developing legal regimes.

While understanding which issues to prioritize may require a certain level of expertise, preliminary questions for reflection or discussion are provided below.

Strategic considerations aim to elicit answers that assist with defining an organization’s direction for these key areas. Implementation considerations aim to elicit answers that identify specific action items to realize your organization’s intended strategic direction.

These questions are designed to allow directors and officers to consider how these issues relating to AI and cybersecurity may intersect with their fiduciary duties. The questions are also meant to assist organizations with aligning their overall risk tolerance and willingness to pursue new opportunities. Of course, specific issuers will also have additional questions that should be considered based on requirements in their industry.

Strategic Considerations

  • Is fostering a competitive edge with the use of AI an important goal for your organization, or is the goal to keep pace with AI use in your industry? How enduring would such a competitive edge be for you or your competitors?
  • How might your suppliers and key partners’ use of AI expose your organization to additional opportunities and risks?
  • Are valuable skills being lost as certain tasks are made obsolete by AI? Is your organization or industry working to ensure the right skillsets are fostered as part of succession planning?
  • How might your organization’s current and planned use of AI shape your cybersecurity strategy?
  • Is your organization’s cybersecurity strategy aligned with its overall risk tolerance? What is the likelihood and severity of your organization’s cybersecurity risks? The analysis and insights found in our annual Canadian Cybersecurity Trends Study may assist with your and your organization’s cybersecurity risk assessment and decision-making.

Implementation Considerations

  • What efforts are being allocated towards assessing key areas and then seeking and retaining individuals with suitable levels of digital literacy to oversee those areas?
  • Does your business continuity plan contemplate the event of a serious, prolonged cybersecurity incident?
  • Are employees trained on preventive measures against social engineering? Does such training account for the employee’s role and level of access privileges?
  • Are there periodic audits and penetration tests of cybersecurity systems by external experts?
  • Are other members of your board and executive team adequately apprised of cyber-related risks? Is there sufficient buy-in from your board and executive team to implement certain cybersecurity or AI strategies?
  • Is there adequate insurance in place in the event of a cybersecurity incident?
  • How might AI’s inputs lead to unintended ESG-related (environmental, social and governance) consequences in its outputs? Is there adequate human oversight of AI’s inputs and outputs?
  • Is your organization fulfilling its continuous and periodic disclosure obligations by providing sufficient disclosure on these topics? Has the right expertise been engaged to assist with preparation of these materials?

Key Takeaways

Acquiring and maintaining the requisite level of expertise to oversee burgeoning areas such as AI and cybersecurity requires considerable agility, given their rapid evolution and the associated legal compliance developments.

Management will also be better served by the availability of director-level guidance on best practices in the AI and cybersecurity spaces. Nevertheless, technical expertise is no replacement for the foundations of good governance. Sound business judgment remains invaluable in providing the necessary guardrails for directors and officers to tackle these key areas.

For more information, please contact the authors or any other member of our Artificial Intelligence, Cybersecurity or Capital Markets groups.