Recent developments, including a barrage of cyber-attacks and revelations related to state-sponsored monitoring of electronic systems, have resulted in heightened interest by businesses and regulators about cybersecurity. The threat is real. Business relies increasingly on information technology and that reliance extends to the Internet in numerous ways – through product offerings, maintenance of customer lists, processing of payment card information and the increasing transfer of data and intellectual property, formerly residing internally, to hosted or cloud-based locations.
In response to the perceived cybersecurity threats to public companies, the Canadian Securities Administrators (CSA) has recently published for comment CSA Staff Notice 11-326, “Cyber Security” (CSA Notice). This CSA Notice follows a recent report issued by the International Organization of Securities Commissions and the World Federation of Exchanges highlighting the risk of a major cyber-attack on key elements of the financial markets’ infrastructure.
The CSA Notice is not restricted to the cybersecurity concerns of public companies, but also addresses concerns for registrants and for regulated entities such as self-regulatory organizations, marketplaces and clearing agencies (together, Market Participants).
The CSA Notice states that strong and tailored cybersecurity measures are an important element of Market Participants’ controls to ensure both the reliability of their operations and the protection of confidential information. The CSA Notice states that to manage the risks of a cyber threat, Market Participants “should be aware of the challenges of cyber crime and should take the appropriate protective and security hygiene measures necessary to safeguard themselves and their clients or stakeholders.”
The regulators suggest that Market Participants consider taking specific measures, including the following:
educating staff on the importance of the security of the firm’s and clients’ information, and the staff’s role in ensuring such safety;
following guidance and best practices of industry associations and recognized information security organizations; and
conducting regular third-party vulnerability and security tests and assessments.
As a result, senior management and boards of directors should institute active and sustained programs to implement specific and tailored measures and plans to satisfy the CSA Notice. These measures include establishing reporting to ensure that recognized security standards are implemented, promoting transparency within the organization to ensure that management understands and can effectively monitor risk of cybersecurity events occurring, and defining a clear set of procedures to limit damage should such events occur.
Similarly on October 13, 2011, the U.S. Securities and Exchange Commission published the CF Disclosure Guidance: Topic No. 2 to provide guidance on disclosure obligations relating to such risks. While no disclosure requirement in securities legislation explicitly refers to cybersecurity risks, the U.S. federal securities law is premised on comprehensive, timely and accurate disclosure. Consequently, the guidance requires material cybersecurity risks to be disclosed if doing so would influence the decision of a reasonable investor or, if such risks are not disclosed, would make other required disclosures misleading.
As a result of the real threats to cybersecurity that public companies are facing, and in light of the initiatives by regulators in Canada, the United States and internationally, senior management and boards of directors must now carefully consider the company’s cybersecurity readiness, and can no longer afford to allow knowledge to reside only at the level of technical and operational staff.