In January 2017, the Canadian Securities Administrators (the “CSA”) published CSA Multilateral Staff Notice 51-347: Disclosure of Cyber Security Risks and Incidents (the “Staff Notice”), which sets out the findings of a review of the disclosure provided by the constituents of the S&P/TSX Composite Index regarding cyber security risk and cyber attacks.
The review found that 61% of the constituents of the S&P/TSX Composite Index acknowledged cyber security as a material risk to their business. Issuers in a wide variety of industries generally disclosed that their dependence on information technology systems renders them at risk for cyber security breaches and that disruptions due to cyber security incidents could adversely affect their business, results of operation, and financial condition. These risks included, but were not limited to, the compromise of confidential customer or employee information; unauthorized access to proprietary or sensitive information; destruction or corruption of data; lost revenues due to a disruption of activities; remediation costs; and litigation, fines and liability for failure to comply with privacy and information security laws.
The Staff Notice also provides guidance on risk factor disclosure and incident reporting, confirming the expectations raised in Staff Notice 11-332: Cyber Security (“Staff Notice 11-332”), addressing how, in any cyber attack remediation plan, the materiality of an attack would be assessed to determine whether and what, as well as when and how, to disclose in the event of an attack. As issuers increasingly depend on information technology, and as cyber attacks become more frequent and sophisticated, the CSA expects that issuers will consider their exposure to cyber security risks when preparing their risk factor disclosure.
The CSA has long been concerned over the status of cyber security of issuers, registrants and regulated entities, and their ability to withstand cyber attacks, having identified cyber security as a priority area in its 2016-2019 Business Plan. The Staff Notice reports the findings of a review announced by the CSA in Staff Notice 11-332 and provides disclosure expectations for reporting issuers based on those findings.
Staff Notice 11-332, published in September 2016, highlighted the importance of cyber security risks for issuers, registrants and regulated entities, and informed stakeholders about recent and upcoming CSA initiatives. With respect to issuers, Staff Notice 11-332 indicated that CSA members would examine the disclosure of some of the larger issuers to analyze what is being disclosed with respect to cyber security risk and cyber attacks. Staff Notice 51-347 is the result of that examination.
CSA Multilateral Staff Notice 51-347: Disclosure of Cyber Security Risks and Incidents is available for download from the websites of participating member jurisdictions.
For more information, please call Barbara Hendrickson at BAX Securities Law at (416) 601-1004.
This publication is not intended to constitute legal advice. No one should act on it or refrain from acting on it without consulting with a lawyer. BAX does not warrant or guarantee the accuracy or currency or completeness of the publication. No part of this publication may be reproduced without the prior written permission of BAX Securities Law.