Canada’s securities regulators have conducted a wide-ranging review of the largest Canadian publicly listed companies’ practices regarding the disclosure of cybersecurity risks and incidents (Review). The Review, and accompanying report (Report), were recently published in a staff notice of the Canadian Securities Administrators (CSA), the informal coalition of Canada’s provincial and territorial securities regulators.
The CSA has been pressing to raise awareness on cybersecurity issues since 2013, when it published its first Staff Notice on the topic, 11-326 Cyber Security. That notice was a “shot across the bow” for registrants, such as dealers and advisers, other regulated entities, such as marketplaces and clearing agencies, and reporting issuers.
In September 2016, the CSA announced that it planned to conduct a review specifically of the disclosures made by reporting issuers with respect to cybersecurity risks and cyber incidents (Staff Notice 11-332 Cyber Security).
The Review was based on the filings of 240 constituent issuers in the S&P/TSX Composite Index and covered two types of disclosures made by reporting issuers:
- Periodic disclosure in prescribed disclosure documents, such as annual information forms (AIF, the Canadian equivalent of a U.S. Form 10-K) and periodic Management’s Discussion & Analysis (MD&A); and
- Timely disclosure at the time of a cyber incident, such as news releases and material change reports (the Canadian equivalent of a U.S. Form 8-K).
The results of the Review were published in January 2017 in the Report.
DISCLOSURE OBLIGATIONS AND CSA GUIDANCE
The Report emphasized that obligations to report cybersecurity incidents under privacy or other legislation are different from those imposed by securities legislation.
Under securities legislation, the trigger for disclosure is materiality; reporting issuers in Canada must make timely disclosure of any material change – a change in the issuer’s business or operations that would reasonably be expected to have a significant effect on the market price of its securities.
Reporting issuers also have an obligation to avoid misrepresentations in their periodic disclosure, which includes an omission to state a material fact necessary to making a statement not misleading in light of the circumstances in which it was made.
Whether a cybersecurity incident is material will depend on its nature and scope. This involves considering whether an attacker who gained access to a corporate network was able to compromise or exfiltrate any data, or whether the incident was contained and remediated before any data was compromised. Where data was compromised, it is also necessary to consider whether the data itself was material, for example, whether it constituted personal information, health information, client information or financial data. Other relevant factors include how the incident occurred (for example, a distributed denial-of-service attack, ransomware, or the actions of a company insider), whether the incident was an isolated event or part of an ongoing series of minor or major incidents, and, if the event is ongoing, whether there is sufficiently accurate information about the incident to support an accurate disclosure. Indeed, the Report states, “[M]ateriality depends on the contextual analysis of the security incident [and] it is a dynamic process throughout the detection, assessment and remediation phases of a cyber security incident.” Moreover, it notes that it expects “issuers to address in any cyber attack remediation plan how [the] materiality of an attack would be assessed to determine whether and what, as well as when and how, to disclose.”
Certain prescribed disclosure documents require the disclosure of risk factors. For example, a prospectus, AIF or MD&A contains express requirements to disclose risk factors relating to the issuer and the business it carries on. Accordingly, reporting issuers must consider whether cybersecurity is a risk factor in their business operations.
In addition, in their annual and interim MD&A, reporting issuers must disclose their conclusions on the effectiveness of disclosure controls and procedures. To the extent that cyber incidents pose a risk to an issuer’s ability to record, process, summarize, and report information that is required to be disclosed in financial statements and other securities filings, management would need to consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.
The Report reminded issuers that, if they have determined that cybersecurity is a material risk, they should provide risk disclosure that is as detailed and entity-specific as possible, avoiding boilerplate language and including an analysis of both the probability that a breach will occur and the anticipated magnitude of its effect. However, the CSA does not expect issuers to disclose details regarding cybersecurity strategies or sensitive information that could compromise cybersecurity.
Given these disclosure obligations, the Review examined what reporting issuers were actually disclosing with respect to cybersecurity issues. Below are a few key findings of the Review:
Cybersecurity is a Risk Factor
The Review found that 61 per cent of issuers had addressed cybersecurity issues in their risk factor disclosure. These disclosures generally stated that dependence on IT systems exposes issuers to the risk of cybersecurity breaches. Few issuers, however, provided disclosure regarding their particular vulnerability to cybersecurity incidents.
Impacts of a Cybersecurity Incident
The Report gave examples of frequently identified potential impacts of a cybersecurity incident, ranging from obvious impacts, including the destruction of data, production downtimes or outages, supply chain and inventory management issues, compromising confidential customer information, lost revenues, or remedial costs, to more long-term issues such as reputational harm and negative impacts on future opportunities. Common risk factors also included risks of litigation, fines, and heightened regulatory scrutiny and investigations.
Cybersecurity Risk Mitigation
The Review found that 20 per cent of issuers who had addressed cybersecurity in their disclosure had identified a person, group or committee as responsible for their strategy. Audit committees were most frequently identified as responsible for overseeing cybersecurity risks, followed by a risk committee, the board of directors as a whole, the CFO or head of IT. Some issuers disclosed that a disaster recovery plan had been put in place, but few issuers disclosed holding insurance against cybersecurity incidents.
The Review found that “a few” issuers disclosed that they had been subject to cyber-attacks in the past, but no issuers disclosed such incidents as being material. Only one issuer had issued a press release following a data breach that resulted in disclosure of confidential information.
The Report makes it clear that cybersecurity is a priority area for public companies and that the CSA expects reporting issuers to disclose cybersecurity risks and incidents when they have a material impact on business operations. Given the growing regulatory scrutiny of cybersecurity practices, issuers must evaluate their cybersecurity risks and make appropriate disclosures. Below are a few specific strategies to facilitate effective cybersecurity risk assessment:
Report Regularly to the Board of Directors
Provide the Board of Directors with regular reporting on cybersecurity issues. Such reporting has been an important factor in assessing director liability in U.S. shareholder litigation arising from a data breach.
Work with a Cybersecurity Team
While materiality is a legal question, in the cybersecurity context it is a multidisciplinary exercise, requiring business, technical, security, privacy, and legal input. Therefore, the committee responsible for overseeing cybersecurity risk must have a process in place for soliciting these diverse perspectives and should consider working with a cross-organizational cybersecurity team, consisting of legal, privacy, IT and senior executives together with external advisers, to assist the company and the Board of Directors with cyber risk and incident disclosure.
Review the Incident Response Plan
This entails preparing and testing an appropriate incident response plan, which sets out who in the organization is responsible for incident response and how the company will respond to a cyber incident. The plan should include a process for assessing the materiality of a cyber incident to determine if and when a disclosure is required. It should be reviewed by the Board, the risk committee overseeing cybersecurity, and an internal cybersecurity team or external advisers.
This article originally appeared in the April 2017 issue of Data Protection Leader.