In a recent blog post, we discussed how two American Senators introduced the Cybersecurity Disclosure Act of 2015 (the “Bill”) to promote transparency in the oversight of cybersecurity risks at publicly traded companies. Although the Bill is not yet law (it is currently under review by the Committee on Banking, Housing and Urban Affairs), it would require reporting companies to have a cybersecurity expert on their board, or to explain why having such a board member is unnecessary.
While Canada does not have a similar regime in place, the Canadian Securities Administrators (“CSA”) Business Plan 2016-2019, published on July 7, 2016, identified the enhancement of cybersecurity as a priority for the CSA. Shortly thereafter, on September 27, 2016, the CSA published CSA Staff Notice 11-332 (the “2016 Notice”) to promote cybersecurity awareness and resilience among market participants, given that cyber attacks and cyber adversaries are becoming more sophisticated.
In the 2016 Notice, the CSA states that it “expects” issuers, registrants and regulated entities to comply with the CSA’s various recommendations on cybersecurity. This is in contrast to CSA Staff Notice 11-326 (the “2013 Notice”), which asked issuers, registrants and regulated entities to “consider” taking steps to address cybersecurity threats. This change in language from “consider” in 2013 to “expect” in 2016 underscores the increased importance the CSA is placing on cybersecurity.
The 2016 Notice sets out, among other things, CSA’s expectations of issuers, registrants and regulated entities with respect to their cybersecurity frameworks. CSA’s expectations include the following:
- Issuers: To the extent that an issuer has determined that cybercrime risk is a material risk, the CSA expects the issuer to disclose this, and expects such disclosure to be as entity-specific and detailed as possible. If an issuer has a cyber attack remediation plan, the CSA expects that plan to address how the issuer would assess the materiality of a cyber attack. The materiality of a cyber attack is relevant to determining whether, when and to what extent an issuer should disclose it. Note that the 2013 Notice suggested, among other things, that issuers consider whether they should disclose their cybercrime risk, their cybersecurity risk control measures and any cyber attacks. Since the publication of the 2013 Notice, some CSA members have found that many issuers either have no such disclosure or have only boilerplate disclosure (disclosure that is not entity-specific). According to the 2016 Notice, because there has been an increase in the frequency and sophistication of cyber attacks, CSA members intend to re-examine the disclosure of some of the larger issuers in the coming months and anticipate publishing their findings and recommendations.
- Registrants: The CSA expects registrants to remain vigilant in developing, implementing and updating their approach to cybersecurity management. The CSA recommends that registrants follow guidance issued by self-regulatory organizations such as the Investment Industry Regulatory Organization of Canada and the Mutual Fund Dealers Association of Canada.
- Regulated Entities: CSA expects regulated entities to review their compliance with ongoing requirements outlined in securities legislation, and to adopt a cybersecurity framework provided by a regulatory authority or standard-setting body.
The 2016 Notice also states that CSA intends to hold roundtable sessions with issuers, registrants and regulated entities to, among other things:
- discuss developments related to cybercrime risks and how to address such risks; and
- develop opportunities for greater collaboration and communication on issues of common concern relating to cybersecurity.
Issuers, registrants and regulated entities should consider whether they are meeting CSA’s expectations and whether they have the necessary experience and expertise to manage cybercrime risks and to safeguard themselves and their clients or stakeholders.