Earlier this year, the Canadian Securities Administrators (CSA) released the results of a review of the disclosure of 240 issuers in the S&P/TSX composite index on cyber security issues. The review found that only 61% of issuers addressed cyber security in their risk factor disclosure, 20% of these issuers had identified a person or group responsible for cyber security, and “few” issuers disclosed that they had been subject to cyber-attacks but none disclosed these as material.
The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) also conducted a survey on capital market cyber security issues and published a report finding that a majority of broker-dealers (88%) and advisers (74%) stated that they have experienced cyber attacks.
Not surprisingly, cyber security has been identified as a priority area by both the CSA and the SEC. As a result, there are a growing number of regulatory publications concerning cyber security, including the CSA’s September 2013 Staff Notice 11-326 and September 2016 Staff Notice 11-332. The latter sets out that CSA members:
- expect issuers to: i) provide risk disclosure that is as detailed and entity specific as possible, ii) address in any cyber-attack remediation plan how the materiality of an attack would be assessed, and iii) consider the impact on the company’s operations and reputation, its customers, employees and investors;
- expect registrants to remain vigilant in developing, implementing and updating their approach to cyber security hygiene and management; and
- expect regulated entities to: i) examine and review their compliance with ongoing requirements outlined in securities legislation and terms and conditions of recognition, registration or exemption orders, which include the need to have internal controls over their systems and to report security breaches, and ii) adopt a cyber security framework provided by a regulatory authority or standard-setting body that is appropriate to their size and scale.
In January 2017, the CSA published Multilateral Staff Notice 51-347 which recommends that issuers disclose specific cyber security risks and disclose cyber security breaches where they amount to a material fact or a material change. However, the CSA cautioned that it does not expect issuers to disclose details that are sensitive in nature or that could compromise their cyber security. The CSA has also undertaken roundtable discussions modeled after similar discussions in the U.S. The first of these roundtables was held on February 28.
The Canadian regulators have largely followed their counterparts in the U.S. In October 2011, the SEC published a guidance on cyber security providing an overview of specific disclosure obligations that may require a discussion of cyber security risks and cyber incidents. The SEC has also begun to undertake enforcement actions in respect of cyber security disclosure. Yahoo! Inc., for example, recently disclosed that the SEC is investigating whether its disclosures about cyber attacks complied with securities law. It is only a matter of time before we see similar enforcement actions in Canada.
We expect that regulatory attention to cyber security risk and disclosure will only continue to grow. Capital market participants should not only protect themselves from cyber security risks, but also be aware that they may face regulatory exposure if they do not.