On January 19, 2017, the Canadian Securities Administrators ("CSA") published Multilateral Staff Notice 51-347 - Disclosure of cyber security risks and incidents (the "Notice"). The Notice provides an overview of issuers' current practices regarding disclosure of cyber security issues, and guidance on proper disclosure of cyber security risks and actual cyber attacks going forward. The Notice is part of a broader trend, as a number of other regulators have turned their attention to cyber security issues in recent years, including the Investment Industry Regulatory Organization of Canada, the Mutual Fund Dealers Association, and the Office of the Superintendent of Financial Institutions.
The Notice was informed by CSA Staff's recent review of the public disclosure provided by 240 constituents of the S&P/TSX Composite Index. During that review, CSA Staff sought to identify whether and how issuers addressed cyber security in their risk factor disclosure, and whether actual cyber attacks against issuers had been disclosed. The disclosure from 61% of the issuers surveyed recognized cyber security issues to some degree. However, few issuers addressed vulnerabilities that were particular to their organizations, as opposed to risks that are faced by businesses generally due to their dependence upon information technology.
As discussed in further detail in the Notice, CSA Staff expects disclosure regarding cyber security to focus on "material and entity specific information". The inclusion of "boilerplate language" describing general risks that issuers face is not sufficient to comply with disclosure obligations. For example, some of the disclosure that CSA Staff reviewed identified the industry in which an issuer operates, its ownership of certain assets, and the nature of its operations as factors that may create issuer-specific material cyber security risks. Readers should be able to use public disclosure to distinguish among issuers in terms of their respective exposure to, and ability to respond to, cyber attacks; therefore, disclosure should be "as detailed and entity specific as possible". The determination of whether a cyber security risk is material requires a contextual analysis that accounts for the probability that an attack will occur and the anticipated magnitude of its effect. In preparing disclosure, issuers should consider the reasons they may be exposed, the source and nature of any risks, the potential consequences of a cyber attack, the adequacy of their preventative measures, and the occurrence and impacts of any previous cyber attacks. Issuers should also identify the persons or committee responsible for cyber security issues.
The Notice also contains guidance regarding issuers' legal obligations to disclose material facts or changes following an actual cyber attack. CSA Staff acknowledged that there is no "bright-line test" for determining materiality, and that materiality will depend on the circumstances of the issuer as well as the type of attack and the extent of its consequences. Even relatively minor cyber attacks may be viewed as being material if they are frequent or numerous. Determining whether an attack is material is a "dynamic process" that continues through detection, assessment, and remediation of the attack.
Exposure to cyber security incidents has become an operational reality for issuers and non-issuers alike, as businesses become increasingly dependent upon information technology. The potential impacts of cyber attacks, as highlighted in the Notice, may include confidential or proprietary information being lost or compromised, lost revenues due to business disruptions and remediation costs, elevated insurance premiums, litigation, and increased scrutiny by regulators. Businesses should implement cyber security policies and procedures - in compliance with privacy and information security laws - in order to mitigate exposure to and impacts of cyber attacks, which may be sophisticated and difficult to detect.