Blair Wiley, Daniel Kolibar, Robert Anton
Feb 9, 2017
As part of ongoing efforts by the Canadian Securities Administrators (CSA) to highlight cyber security risks for issuers, registrants and other regulated entities, staff from the British Columbia Securities Commission, the Ontario Securities Commission, and the Autorité des marchés financiers (Staff) recently published CSA Multilateral Staff Notice 51-347: Disclosure of cyber security risks and incidents [PDF] (the Staff Notice).
The Staff Notice, which is directed at Canadian issuers, is a result of a recent cyber security disclosure review. Staff reviewed the most recent filings of the 240 constituents of the S&P/TSX Composite Index to assess both cyber security risk factor disclosure and cyber security incident disclosure. This review was larger in scope than past reviews and reflects Staff’s opinion that issuers in all industries may be exposed to cyber security risk.
Risk factor disclosure
Staff’s review of risk factor disclosure found that 61% of reviewed issuers addressed cyber security issues in their risk factor disclosure, and 20% of reviewed issuers identified a person, group or committee as being responsible for their cyber security strategy, most commonly the audit committee. The Staff review found that disclosure generally focused on dependence on information technology, although some issuers noted specific factors such as the issuer’s industry, ownership of specified assets, the nature of operations or status as government contractors as factors increasing cyber security risk.
Cyber security risk disclosure should be included in an issuer’s filings if the risk is material to the issuer. Staff recommend that materiality of cyber security risk be determined by an assessment of the probability that a breach will occur and the anticipated magnitude of the effect of a breach. Staff also acknowledge that all issuers are increasingly dependent on information technology and all issuers may be exposed to a cyber-attack. This suggests that the CSA expects increasing numbers of issuers to provide cyber security risk disclosure.
Staff expect risk factor disclosure to focus on material, issuer-specific risks tailored to the issuer’s particular circumstances and to avoid generic or boilerplate language. Accordingly, the onus is on issuers to prepare risk factor disclosure that takes into account: (i) the types and sources of cyber security exposure, (ii) the level of exposure and the reasons for the level of exposure, (iii) the issuer’s preparedness for addressing the risk, (iv) the potential consequences of a cyber-attack and (v) prior material cyber security incidents, or series of incidents, and the prior incident’s effects on the issuer’s cyber security risk – all of which is consistent with the guidance on cybersecurity disclosure published by the United States Securities and Exchange Commission (SEC) and guidance prepared by the International Organization of Securities Commissions (IOSCO) in its report on cyber security in securities markets [PDF].
The Staff Notice also expects issuers to address how they mitigate cyber security risk and their reliance on third-party experts for cyber security strategy or remediation. SEC and IOSCO guidance contain similar suggestions. However, issuers should be reminded that form requirements for risk factor disclosure direct issuers to not de-emphasize a risk factor by including excessive caveats or conditions. Therefore, any description of an issuer’s cyber-attack mitigation efforts should be prepared in a manner that does not diminish or otherwise caveat cyber security risk factor disclosure.
Another focus of the Staff Notice is cyber security incident disclosure. Unlike the relatively common inclusion of cyber security risk factor disclosure in securities filings, Staff found that issuers rarely disclose cyber security incidents, and in the material recently reviewed by Staff no issuer identified a cyber security incident as material.
The Staff Notice reminds issuers that a cyber security incident (or incidents) must be disclosed in accordance with securities legislation if it is a material fact or material change to the issuer’s business. When determining the materiality of a cyber security incident, Staff noted:
There is no bright-line test and the threshold at which a cyber security incident becomes material will vary between issuers and industries.
Determining materiality requires a contextual analysis of the cyber security incident. Staff note that an isolated cyber security incident may not be material but a series of minor incidents may become material, depending on the type of disruption caused.
- Cyber security incidents may not be detected right away, and the severity of the incident may be difficult to determine. Staff therefore remind issuers that determining the materiality of a cyber security incident is necessarily a dynamic process that runs through the detection, assessment and remediation phases.
The CSA expects that issuers that have adopted a cyber security remediation plan address in the plan how the issuer will assess the materiality of a cyber security incident for purposes of determining whether and how to disclose the incident. If an issuer has determined a cyber security incident should be disclosed, Staff recommends that the issuer consider and potentially provide disclosure as to the expected impact and costs of the incident. Similarly, Staff expects that issuers required to establish and maintain disclosure controls and procedures apply those controls and procedures to detected cyber security incidents so as to ensure that any incidents are communicated to management appropriately and disclosure decisions are made in a timely manner.
* * * *
Please contact the authors should you have any questions concerning the Staff Notice or require assistance with cyber security risk factor disclosure, cyber security incident disclosure or cyber security remediation plans.