Recent computer-security breaches have brought to the forefront the need for enhanced cybersecurity and disclosures surrounding cybersecurity risks.
In response to the growing risks of a digitally linked world, the Canadian Securities Administrators (CSA) issued CSA Staff Notice 11-332 Cybersecurity, which reviewed current cybersecurity issues from a reporting issuer's point of view. That Staff Notice was followed in January 2017 by Multilateral Staff Notice 51-347 Disclosure of cybersecurity risks and incidents (MSN 51-347), which implicitly recognizes that the effectiveness of an issuer's cybersecurity program may be as important as its internal control over financial reporting.
While MSN 51-347 states that an issuer should not compromise its own security by disclosing sensitive information, the onus is on reporting issuers to disclose material cybersecurity risks in a manner that is detailed and entity-specific, and to avoid boilerplate language, a point the CSA also make when reviewing other types of disclosure. The cybersecurity risks facing a financial institution are not the same as those facing an industrial manufacturer, and reporting issuers should not describe them as if they were.
In MSN 51-347 the CSA also advised issuers to consider the factors identified by the International Organization of Securities Commissions (IOSCO), to review their mitigation strategies (such as preventative measures), and to apply disclosure controls and procedures that ensure incidents are reported to management and assessed for materiality and potential disclosure.
The key question is what is "material". National Policy 51-201 Disclosure Standards (NP 51-201) provides guidance on this, and issuers and their counsel should continue to look to NP 51-201 when deciding what requires timely disclosure with respect to cybersecurity incidents. The test for whether a fact or change is material is the same whether or not the underlying risk relates to cybersecurity.
Potential breaches of an issuer's confidential electronic records are a cause for concern and should be treated like any other business risk: assessed for materiality and disclosed as required under Canadian securities legislation and regulations. For example, a breach exposing the confidential banking or personal information of a large number of customers of a financial institution or a retailer will most likely require timely disclosure of the incident.
Other jurisdictions, such as the United States, have not adopted rules that specifically require cyber-risk disclosure; the U.S. Securities and Exchange Commission has instead issued staff guidance (CF Disclosure Guidance: Topic No. 2, 2011) encouraging issuers to disclose cyber risks. Such disclosure identifies factors that may increase the risk of investing in a particular issuer, so that investors can make informed investment decisions. The U.S. also enacted the Cybersecurity Information Sharing Act of 2015, which requires the federal government to develop procedures for sharing information about cybersecurity threats: classified threat information with agencies, other levels of government and organizations holding appropriate security clearances, and unclassified threat information with businesses more broadly.
Clearly, cybersecurity is a key concern for all reporting issuers, although some are affected more than others. It is a fast-changing landscape that requires sustained investment and attention from issuers.