Securities Regulators Provide Initial Guidance on Cybersecurity Risk, Control and Incident Disclosure

Authors: Paul Goldman, Nathan Schissel, Andrew Dilts

Cybersecurity was recently identified as an area of priority for issuers by the Canadian Securities Administrators (the “CSA”), the collective body for the securities regulators of all of Canada’s provinces and territories.

The CSA recently published CSA Multilateral Staff Notice 51-347 titled “Disclosure of cyber security risks and incidents,” which provides initial guidance to issuers regarding disclosure of cybersecurity risks as part of the company’s ongoing disclosure requirements (the “Staff Notice”).

In the Staff Notice, which was a collaborative effort among the securities regulators of British Columbia, Ontario, and Quebec, the CSA reviewed the most recent annual filings of the 240 members of the S&P / TSX Composite Index and found that more than 60% of companies addressed cybersecurity issues in their risk factor disclosure. Perhaps unsurprisingly, these companies generally reported that their dependence on information technology systems left them at risk of cybersecurity breaches, with such risks often viewed as material in nature. However, few of these companies were found to have disclosure tailored to the specific risks or to the nature of the company itself.

Consequently, in the Staff Notice the CSA took the position that cybersecurity-related disclosure should focus on material, detailed, and entity-specific information, and should avoid the use of generic language. Additionally, the CSA advised that the disclosure should consider the reasons why the company may be exposed to a cybersecurity breach, the source and nature of the risks, the potential consequences of a breach, the adequacy of the preventative measures that have been taken by the company, and the prior cybersecurity incidents encountered by the company and their effect on the company’s risk profile.

The CSA also expected that issuers who established and maintained certain disclosure controls under securities regulation would apply such controls to detected cybersecurity incidents. In that way, incidents could be communicated to management in a timely manner so that a decision could be made on whether, and what, to disclose.

However, the CSA clarified that it did not expect companies to go so far as to disclose details of their cybersecurity strategies or vulnerabilities to the extent that the issuer would disclose information that could be exploited by potential hackers or competitors.

The regulators acknowledged that there is no “bright-line” test for determining the specific cybersecurity information that a company should or should not disclose, but rather that a balance of factors needs to be considered.

The materiality of the risk, the timing of reporting, and the details of the company’s cybersecurity attack remediation plan were all identified by the CSA as important factors in that consideration.

The CSA has acknowledged that businesses face a range of cybersecurity threats, including unauthorized access to confidential customer or employee information, lost revenues from business disruptions, reputational damage, theft of proprietary or sensitive information, and legal penalties for failing to comply with privacy and information security laws. In some cases, insurance providers have required companies with greater unmanaged cybersecurity risks to pay higher insurance premiums. Shareholder advisory services have recommended that shareholders not support the re-election of company directors, as was the case following the significant 2014 cybersecurity breach at retail chain Target.

The CSA will continue to review cybersecurity disclosure, risks and incidents, and may yet provide further guidance on such matters.

The recent guidance issued by the CSA underscores the importance of directors and management understanding the implications of cybersecurity risks in the context of their ongoing disclosure requirements and treating cyber risks as material enterprise-wide risks facing the company. It also highlights the importance of ensuring that the company has an effective cybersecurity strategy and that policies and procedures are in place to help manage the risks and liabilities that can arise.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.