On September 22nd, 2016 Yahoo Inc. ("Yahoo") — in the midst of a US$4.8 billion deal to sell its core business to Verizon Communications Inc. — disclosed that certain user account information, such as names, email addresses, telephone numbers, dates of birth and passwords, was swiped from at least 500 million Yahoo accounts in 2014.1 While the sheer volume of the breach is stunning in its own right, the delayed disclosure of the breach has spawned pointed criticism over when exactly Yahoo had knowledge of what is being branded as the largest data compromise of an email provider.
U.S. Senator Mark Warner penned a public letter to the U.S. Securities and Exchange Commission ("SEC") urging regulators to investigate Yahoo over the "associated lack of disclosure" by the company.2 The SEC has provided guidance to public companies on cybersecurity disclosures for some time. In 2011, the Division of Corporation Finance of the SEC published guidance directing public companies to disclose risks to their cybersecurity, as well as incidents of cyber breaches, that may have a material impact on the company.3 The Wall Street Journal, citing an analysis by Audit Analytics, recently reported that just 95 out of roughly 90,000 publicly listed companies in the U.S. have informed the SEC of a cyber breach since January 2010.4
The Yahoo breach has thrust cybersecurity disclosure to the forefront of securities regulation. On September 27th, 2016 the Canadian Securities Administrators (CSA) offered some timely guidance to financial market participants on cybersecurity disclosure when it published CSA Staff Notice 11-332 (the "2016 Notice").5 The 2016 Notice replaces CSA Staff Notice 11-326 published on September 26th, 2013 (the "2013 Notice").6
The earlier 2013 Notice asked public companies to consider the issue of whether a cyber risk or attack facing the issuer qualifies as a material fact or material change that would need to be disclosed in either a prospectus or continuous disclosure filing. Other than directing issuers to approach cybersecurity disclosure as a question of materiality, there was no direction provided to issuers on what materiality looked like in the cyber context; nor was there any guidance on what the content, nature and timing of cybersecurity disclosure should look like.
The more recent 2016 Notice seeks to provide clearer direction based on the CSA's review of various issuers' cybersecurity disclosure. The CSA review discovered that issuers "either did not have any disclosure or only had non-entity specific, boilerplate disclosure." The 2016 Notice reports that the CSA now plans to undertake a closer review of larger issuers to obtain a better understanding of how the materiality of cyber risks and attacks is assessed, with the results of that review to be released at a later date. In the interim, the 2016 Notice advises that, to the extent that a cyber risk or attack is deemed material, the CSA expects the disclosure to be "detailed and entity specific." Public companies should also have a cyber breach remediation plan in place which explains how the materiality of a cyber attack would be assessed, for the purposes of determining "whether and what, as well as when and how, to disclose in the event of an attack."
Cybersecurity has been identified as a priority in the CSA 2016-2019 Business Plan.7 Public companies should stay tuned for the results of the CSA review of larger issuers, which may provide clearer parameters around which cyber risks and attacks would qualify as material and, consequently, warrant disclosure in a prospectus or continuous disclosure filing. While public companies must be diligent in fending off cyber threats, they must be equally diligent in the assessment, timing and delivery of their cybersecurity disclosure.
For a more detailed discussion of the 2016 Notice, please refer to "Cyber Risk Management — Regulatory Guidance from the Canadian Securities Administrators."