Canadian securities regulators have published notices since 2013 highlighting the importance of timely disclosure and risk disclosure by reporting issuers of cyberincidents that are material to the issuer’s business. The Securities and Exchange Commission’s (SEC) first enforcement action against a public issuer for failure to make timely disclosure of cyberincidents may be a wake-up call for Canadian public issuers and their directors and officers.
CSA Guidance on Cybersecurity Incident Disclosure
In January 2017, staff of three provincial regulators published CSA Staff Notice 51-347 (2017 Notice). The 2017 Notice stated that a reporting issuer must disclose a material cybersecurity incident in accordance with securities law and also generate risk disclosure that is tailored to the particular circumstances of the issuer. In particular, the following guidance was provided:
- The issuer must have a cybersecurity remediation plan.
- The remediation plan should address how the materiality of a cyberincident would be assessed to determine whether, what, when and how, to publicly disclose.
- Issuers are still hesitant to issue press releases about cyberincidents. As with other materiality judgments, there is no bright-line test to determine the materiality of the cybersecurity incident. The quantitative or qualitative threshold at which a cybersecurity breach becomes material may vary between issuers and industries, depending on the circumstances of the issuer and the incident’s consequences. An isolated cybersecurity incident may not be material but a series of or minor incidents may become material, depending on its consequences.
- The materiality of a cybersecurity incident should be evaluated dynamically through the detection, assessment and remediation phases because cybersecurity incidents and their impacts may not be fully understood upon detection.
- When an issuer has decided to disclose a cybersecurity incident, it should consider providing some visibility into the anticipated costs of the incident and its impact on the issuer’s operations, reputation, customers, employees and investors.
SEC Settlement with Altaba Inc. (formerly Yahoo! Inc.)
On April 24, 2018, the SEC announced that Altaba Inc. had agreed to pay a USD$35 million penalty to settle disclosure charges relating to a December 2014 cyberincident. Altaba settled without admitting or denying any wrongdoing. Among other things, the SEC settlement noted:
- Within days of the cyberattack, Altaba’s IT team learned that hackers had stolen the company’s “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.
- Altaba failed to properly investigate the circumstances of the breach.
- Altaba did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.
- Altaba did not include information regarding the breach in its quarterly or annual public filings in 2015 or 2016 even though it learned that cyberattack attempts by the same hackers continued.
- Altaba failed to maintain disclosure controls and procedures designed to ensure that reports from its IT team concerning cyberattacks, or the risk of such attacks, were properly and timely assessed for potential disclosure.
Significantly, the investigation into Altaba is continuing and the SEC has yet to make a decision about the culpability of individuals.
Regulatory focus on cybersecurity: While the Altaba settlement is the first of its kind, cybersecurity is a priority area for the Canadian Securities Administrators (CSA), an umbrella group of Canada’s securities regulators. Both timely disclosure judgments and risk disclosure in continuous disclosure documents are on the regulatory radar. In the 2017 Notice, the CSA reported on its review of the disclosure provided by issuers on the S&P/TSX Composite Index regarding cybersecurity risk and cyberattacks, and noted that Staff in certain CSA jurisdictions had carried out cybersecurity disclosure reviews in the past.
Material assessments of cyberincidents: In discussing the Altaba settlement, the SEC’s Co-Director of its Enforcement Division observed “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure.” As noted in the 2017 Notice, there is no bright-line test to determine the materiality of the cybersecurity incident. However, in Altaba’s circumstances, the SEC found that the company’s response to its disclosure obligations fell substantially short of regulatory expectations.
Investigation should be coordinated with legal team: The investigation to assess the extent and consequences of a cyberincident should be closely coordinated with the issuer’s legal advisors to facilitate an ongoing assessment of disclosure obligations and to assess the merits of proactive disclosure to securities regulators in Canadian provinces with whistleblower-incentive programs.
Potential regulatory consequences for directors and officers: The SEC settlement with Altaba does not foreclose the possibility of enforcement action against individuals. Canadian securities regulators can bring a criminal or administrative enforcement proceeding against a director or officer who “authorizes, permits or acquiesces” in the issuer making a statement in public disclosure that is misleading, untrue or omits a fact that is required to be stated or that is necessary to make the statement not misleading. In addition, the regulator may use its “public interest power” to sanction conduct that does not technically breach a specific provision in the securities legislation -- even in the absence of “abusive or egregious conduct.”
Securities class actions following cyberincident disclosure: In the US, class action lawyers are increasingly targeting issuers and their directors and officers by alleging that they (a) failed to adequately disclose or misrepresented the issuer’s cybersecurity risks, and/or (b) failed to disclosure a material cyberincident in a timely manner and/or accurately. Altaba (Yahoo!) recently agreed to pay USD$80 million to settle a securities class action filed against the company relating to its delayed disclosures of the 2014 cyberincident. In Canada, directors and officers of reporting issuers may, in certain circumstances, be directly liable for misrepresentations contained in the issuer’s disclosure documents.