In the United States, the Securities and Exchange Commission (SEC) has taken an active role in regulating cybersecurity issues. Canadian issuers should be aware that the risk of regulatory enforcement may be coming to Canada.
Recently, the Canadian Securities Administrators (CSA) stated that they "expect Market Participants to take steps to protect themselves against cyber threats." Specific expectations include the following:
- CSA members expect issuers to provide risk disclosure that is as detailed and entity-specific as possible. Issuers should address in any cyberattack remediation plan how the materiality of an attack would be assessed to determine whether and what, as well as when and how, to disclose in the event of an attack.
- CSA members expect registrants to remain vigilant in developing, implementing and updating their approach to cybersecurity hygiene and management.
- CSA members expect that regulated entities examine and review their compliance with ongoing requirements outlined in securities legislation, which include the need to have internal controls over their systems and to report security breaches.
The CSA is hosting a cybersecurity roundtable at the Ontario Securities Commission on February 27, 2017. This roundtable follows the publication of the CSA Staff Notice 11-332 Cyber Security. This event in itself highlights the increasing attention being paid to this issue by Canadian securities regulators.
A review of the recent SEC activity in the United States sheds some light on the extent of regulatory enforcement that may ultimately come to Canada.
The SEC is currently investigating Yahoo! Inc. (Yahoo) for failure to disclose data breaches to investors. The cyberattack occurred in 2014 and compromised at least 500 million Yahoo users’ data. Yahoo only disclosed the breach in September 2016, and the SEC opened a formal investigation in December 2016. As a result, Yahoo has been subpoenaed for documents to determine whether Yahoo complied with securities laws related to disclosure.
The Yahoo investigation highlights the active role the SEC has taken in regulating cybersecurity. There are other cases in which the SEC has commenced enforcement actions and settled them through payment of a fine, based on an alleged failure to properly implement controls to prevent cyberattacks.
The SEC published disclosure guidance for public companies in October 2011, requiring material information about cybersecurity risks to be disclosed if it could affect investors. For the Management's Discussion and Analysis (MD&A) and other SEC filings, disclosure is critical if the costs or other consequences associated with the cybersecurity risk are likely to materially affect the operations, liquidity, or financial condition of the company. What is "material" under this guidance is not defined.
In Canada, material cybersecurity breaches must be disclosed, as well as material cybersecurity risks. Materiality depends on the context, frequency, scope and type of attack, as well as the timing of the attack, detection, assessment and remediation. The CSA's Staff Notice 11-332 and Multilateral Staff Notice 51-347 outline disclosure expectations. To the extent a cyber risk is a material risk, issuers are to provide a detailed risk disclosure and mitigation strategy. As a part of this, the issuer must consider the impact on the company’s operations and reputation, its customers, employees and investors.
As cyberattacks grow in frequency and severity, and the risks to consumers escalate, organizations must be fully aware of their obligations to develop adequate controls to prevent and respond to attacks, and their potential exposure on the regulatory front and otherwise should they fail to do so.