On January 19, 2017, the Canadian Securities Administrators (“CSA”) issued CSA Multilateral Staff Notice 51-347, Disclosure of cyber security risks and incidents (the “Notice”). The Notice was published after CSA Staff reviewed the disclosure provided by the constituents of the S&P/TSX Composite Index regarding cyber security risk and cyber attacks. The review focused on whether and how issuers had addressed cyber security issues in their risk factor disclosure, including whether the disclosure described potential impacts of a cyber attack on the issuer’s business, what kind of material information could be exposed as a result, and who was responsible for the issuer’s cyber security strategy.
Following the review, the CSA provided guidance on cyber security risk disclosure and referenced the International Organization of Securities Commissions (IOSCO) report on cyber security in securities markets (the IOSCO Report).
The CSA guidance on risk disclosure includes that:
- Issuers should consider the factors identified by IOSCO when preparing their disclosure.
- Issuers should consider the reasons they may be exposed to a cyber security breach, the source and nature of the risks, the potential consequences of a cyber security breach, the adequacy of preventative measures, as well as a consideration of prior material cyber security incidents and their effects on the issuer’s cyber security risk.
- Issuers should address how they mitigate the risk, including whether and to what extent the issuer maintains insurance covering cyber attacks, or relies on third-party experts for its cyber security strategy or to remediate prior or future cyber attacks.
- It is also relevant to disclose governance issues, including identifying a committee or person responsible for the issuer’s cyber security and risk mitigation strategy. The CSA referred issuers to Chapter 2 of the IOSCO Report.
The CSA also provided guidance on incident disclosure, when a cyber security breach has occurred:
- In considering whether and when to disclose a cyber security incident, the issuer must determine whether it is a material fact or material change that requires disclosure in accordance with securities legislation. The issuer should refer to the guidance in National Policy 51-201 Disclosure Standards and may in addition refer to the provisions of Part 1(f) of Form 51-102F1 Management’s Discussion & Analysis and Part 1(e) of Form 51-102F2 Annual Information Form of National Instrument 51-102 Continuous Disclosure Obligations.
- Materiality depends on a contextual analysis of the cyber security incident. While an isolated cyber attack may not be material, a series of minor incidents, or frequent ones, may become material in light of the level and type of disruption caused. The impact of a distributed denial-of-service attack or ransomware would differ from that of a cyber security breach aimed at obtaining client information. The type of disclosure required, whether in the issuer’s risk factor disclosure, financial reporting or incident reporting, depends on the circumstances of the incident.
If you have questions about cyber risk or cyber security breach incident disclosure, contact any member of Clark Wilson LLP’s Capital Markets, Securities, Mergers & Acquisitions Group.