On January 19, 2017, the Canadian Securities Administrators (CSA) published Staff Notice 51-347 Disclosure of cyber security risks and incidents (Staff Notice), which reports on their broad-ranging review of the filings of the 240 constituent issuers in the S&P/TSX Composite Index concerning their disclosure of cybersecurity issues. The review focused on how cybersecurity issues have been addressed in risk factor disclosure, as well as disclosure about any previous cybersecurity incidents.
In September 2016, the CSA published Staff Notice 11-332 Cyber Security, which highlighted the importance of cybersecurity risks, for issuers as well as for registrants and other regulated entities. In that 2016 notice, the CSA had said they would examine disclosure with respect to cybersecurity risk and cyber-attacks. The Staff Notice represents the outcome of that review, which covered both periodic disclosure, such as annual information forms and management discussion and analysis, and timely disclosure, such as material change reports and news releases.
The review found that 61 per cent of the issuers had addressed cybersecurity issues in their risk factor disclosure. The general disclosure was that dependence on information technology systems puts issuers at risk of cybersecurity breaches. Few issuers, however, provided disclosure regarding their particular vulnerability to cybersecurity incidents. Some identified their industry, specific assets, or status as government contractors as factors increasing the likelihood that they could be targets of cyber surveillance or a cyber-attack. Some issuers also referred to the risk that reliance upon third parties could expose them to cybersecurity issues.
The Staff Notice gave several examples of frequently identified potential impacts of a cybersecurity incident, including reputational harm, compromise of confidential customer information, destruction of data, and liability for failure to comply with privacy and information security laws, among others.
The review found that 20 per cent of issuers who had addressed cybersecurity in their disclosure had identified a person, group or committee as being responsible for their cybersecurity strategy. Audit committees were most frequently identified as being responsible for overseeing cybersecurity risks, followed by a risk committee, the board of directors as a whole, the CFO, or the head of IT.
"Some" issuers disclosed that a disaster recovery plan had been put in place. Few issuers disclosed holding insurance against cybersecurity incidents.
The review found that "a few" issuers disclosed that they had been subject to cyber-attacks in the past, but no issuers disclosed such incidents as being material. Only one issuer had issued a press release following a data breach that resulted in the disclosure of confidential information; however, that issuer did not file a material change report in connection with that incident.
The Staff Notice reminded issuers that disclosure should avoid boilerplate language. "While we acknowledge that exposure to cyber security risks may be common to all issuers in every industry, issuers should bear in mind that one of the purposes of risk factor disclosure is to allow the reader to distinguish one issuer from another, within the same industry or across industries, in terms of level of exposure, the level of preparedness and how the risk impacts the issuer." If issuers have determined that cybersecurity risk is a material risk, they should provide risk disclosure that is as detailed and entity-specific as possible. This includes an analysis of both the probability that a breach will occur and the anticipated magnitude of its effect.
The Staff Notice did balance this by saying, "we do not expect issuers to disclose details regarding their cyber security strategy or their vulnerability to cyber attacks that is of a sensitive nature or that could compromise their cyber security."
For further guidance, the Staff Notice cross-referred to the factors for reporting issuer disclosure identified in chapter 2 of the International Organization of Securities Commissions' April 2016 report on cybersecurity in securities markets.
The Staff Notice stated that issuers who are required to establish and maintain disclosure controls and procedures under National Instrument 52-109 Certification of Disclosure in Issuers' Annual and Interim Filings should apply such disclosure controls and procedures to detected cybersecurity incidents, to ensure they are communicated to management and a decision regarding whether and what to report is made in a timely manner.
For disclosure of cybersecurity incidents, the Staff Notice pointed out that obligations to report or notify persons of cybersecurity breaches under privacy or other legislation differ from those imposed by securities legislation, which are based upon whether a breach is a material fact or material change. The nature of the breach, for example a distributed denial-of-service attack, ransomware, unauthorized acquisition of client information, or a frequent series of minor incidents, may have different materiality impacts.
The Staff Notice stated, "we expect issuers to address in any cyber attack remediation plan how materiality of an attack would be assessed to determine whether and what, as well as when and how, to disclose in the event of an attack."