Responding to the evolving cyber security landscape and the considerable increase in number of cyber-attacks, the Canadian Securities Administrators (CSA) has published CSA Staff Notice 11-332 Cyber Security (the 2016 Notice) as an update to CSA Staff Notice 11-326 Cyber Security published in September 2013. The 2016 Notice seeks to, among other things, highlight the importance of cyber risks, inform stakeholders about recent and upcoming CSA cyber related initiatives, promote cyber security awareness, preparedness and resilience in Canadian capital markets and communicate general expectations for market participants.
As we previously noted, cyber security was identified as a priority in the CSA 2016-2019 Business Plan. In the coming months, CSA members intend to re-examine large issuers’ disclosure of cyber security risks and controls and, where appropriate, contact such issuers to get a better understanding of their assessment of the materiality of cyber security risks and cyber-attacks. On an ongoing basis, CSA members also intend to gather data about registered firms’ cyber security practices, and enhance cross-border information sharing between regulators related to cyber security. Furthermore, the CSA also intends to hold roundtable sessions to discuss cyber security issues and risks, regulatory expectations and the need for coordination.
While noting that there is no one-size-fits-all approach to cyber security, the CSA expects issuers, registrants and other regulated entities (such as self-regulatory organizations and marketplaces) to take steps to address cyber threats and, with this in mind, the CSA has provided a number of links to existing cyber security resources that market participants may find useful (including the cyber security resources for securities dealers published by IIROC last year). According to these resources, there are a number of steps an entity can take to address cyber security, including the following:
- managing cyber security at an organizational level with responsibility for governance and accountability and board levels;
- organizing cyber security activities at a high level: Identify, Protect, Detect, Respond and Recover;
- establishing and maintaining a robust cyber security awareness program for staff;
- managing cyber security risk exposures that arise from using third-party vendors for services;
- considering methodology to protect individual privacy as well as any obligations to report cyber security breaches to a regulatory authority (as mentioned in our previous article, since the data breach regulations have still not been released, Canada's PIPEDA breach notice requirements are not yet in effect. Alberta is currently the only province in Canada to have mandatory data breach reporting requirements for all private sector organizations. However, the Privacy Commissioner of Canada has, for some time, encouraged organizations to voluntarily report material information security breaches to the Commissioner (and to notify affected individuals where they face a risk of harm)); and
- establishing plans to restore any capabilities or services that may be impaired due to a cyber incident in a timely fashion.
More specifically, CSA members mentioned that they expect each of the issuers, registrants and regulated entities to take certain steps with respect to cyber threats, which include the following:
- Issuers: To the extent issuers determine that cyber risk is a material risk for their organization, CSA members expect such issuers to provide risk disclosure that is as detailed and entity specific as possible;
- Registrants: CSA members expect registrants to remain vigilant in developing and updating their approach to cyber security hygiene and management, including by reviewing and following guidance issued by Industry Regulatory Organization of Canada (IIROC)) and Mutual Fund Dealers Association (MFDA); and
- Regulated Entities: CSA members expect regulated entities to adopt a cyber security framework provided by a regulatory authority or standard-setting body that is appropriate to their size and scale.
The implications of the 2016 Notice on reporting issuers’ public disclosure will most likely depend on how the CSA staff enforce the guidance provided in the 2016 Notice. It will be interesting to see whether the CSA will follow the approach taken in the United States by the Securities Exchange Commission (SEC) where, following the adoption of its cyber security guidance in 2011, its personnel sent numerous comment letters to large reporting issuers inquiring about their lack of cyber risks and cyber-attacks disclosures. If so, some large reporting issuers should expect correspondence from the CSA inquiring about their cybersecurity risks assessment, risk mitigation and, potentially, their cybersecurity response plan.
While the CSA made it clear that material cyber risks should be disclosed to investors, the 2016 Notice does not provide any guideline to reporting issuers trying to determine what is material as well as how and when to disclose. At a minimum, the CSA expects reporting issuers to go through the process of analyzing their main cyber security risks, considering how these risks apply to their organization compared to other issuers and personalizing their disclosure based on their own cyber risk profile. To be in a position to properly disclose their material cyber risks in the coming 2017 Proxy Season, reporting issuers may want to consider the adequacy and effectiveness of their cybersecurity risk assessment process and the impact that a cybersecurity breach may have on their business sooner rather than later
At the end of the day, in addition to dealing with the difficulty of assessing cyber risks and their materiality, reporting issuers will face another big challenge: finding the balance between providing all material facts to investors, while making sure they do not provide a roadmap of a company’s vulnerabilities to hackers or expose the company to any lawsuits.
For further information, please see CSA Staff Notice 11-332 Cyber Security (September 27, 2016).