CSA Provides Guidance on Disclosure of Cyber Security Risks
On January 19, 2017, the Canadian Securities Administrators (CSA) published Multilateral Staff Notice 51-347 Disclosure of cyber security risk and incidents (the “Staff Notice”) reporting on the CSA’s review of cyber security-related disclosure. The notice is part of a series of initiatives being undertaken by Canadian securities regulators to assist market participants in understanding, mitigating and providing effective disclosure of potential cyber security risks.
CSA Staff Review of Cyber Security Disclosure
Cyber security was identified as a priority area by the CSA in their 2016-2019 Business Plan. In September 2016, the CSA published Staff Notice 11-332 Cyber Security, which noted that cyber attacks have become more frequent, complex and costly for organizations. In that context, the CSA announced that it would undertake a review of cyber security-related disclosure by larger Canadian issuers. The CSA’s review focused on whether and how issuers had disclosed (1) potential impacts of cyber attacks on their businesses, (2) the kind of material information that could be exposed as a result of attacks, and (3) governance and cyber security risk mitigation initiatives, including who is responsible for the issuer’s cyber security strategy. The review also searched for disclosure of previous cyber security incidents.
The CSA noted that 61% of the issuers reviewed addressed cyber security in their risk factor disclosure and that issuers in a wide variety of industries acknowledged cyber security as a material risk to their business. Issuers recognized a range of potential impacts from cyber security incidents, including:
- access to, and/or compromise of, proprietary or sensitive information, including confidential customer or employee information;
- loss of revenues due to disruption of business activities;
- litigation and regulatory costs;
- reputational harm affecting customer and investor confidence; and
- devaluation of intellectual property.
The CSA also noted that while a few issuers disclosed that they had been subject to cyber attacks in the past, no issuers had disclosed specific incidents as being material.
CSA Staff Guidance for Issuers
Not surprisingly, the CSA Staff expects issuers to be thoughtful about the cyber security risks they are subject to, to avoid boilerplate language and to provide disclosure that focuses on material information that is specific to the issuer. CSA members expect that, to the extent issuers have determined that cyber security risk is a material risk, they will provide risk disclosure that is as detailed and “entity specific” as possible. There is an express expectation that specific risks will be disclosed, rather than generic risks applicable to all issuers, and that disclosure will be tailored to the specific circumstances of the issuer.
In preparing risk factor disclosure regarding cyber security matters, the CSA expects that issuers will consider (among other things):
- the reasons they may be exposed to a potential breach;
- the source and nature of the breaches;
- the potential consequences of the breach;
- insurance coverage in case of the breach;
- the group or individuals responsible for the issuer’s cyber security; and
- where required, the application of disclosure controls and procedures under National Instrument 52-109 Certification of Disclosure in Issuers’ Annual and Interim Filings to detected cyber security incidents.
At the same time, the CSA does not expect issuers to disclose sensitive information that could compromise their cyber security risk mitigation strategies.
The CSA also reminds issuers to consider whether a specific security incident might be a material change that requires immediate disclosure or a material fact that requires disclosure as part of issuers’ ongoing reporting obligations. Materiality in this context depends on the circumstances of the security breach. For example, an isolated minor breach may not be material but a series of minor breaches may become material in light of the level of disruption caused. The determination of whether an incident is material is a dynamic process that continues throughout the detection, assessment and remediation of a cyber security incident and, depending on the circumstances, disclosure could be required before that process is complete.
In light of the CSA’s stated focus on cyber security, the general recognition by all market participants that most entities are subject to some degree of material cyber security risk, and the potential for liability if material cyber security risks are not appropriately disclosed, issuers and their boards of directors would be well advised to formalize their framework for assessing the particular cyber security risks and evaluating and implementing appropriate risk mitigation strategies. This will not only assist issuers in providing timely and effective disclosure, but also in developing and implementing effective strategies for mitigating cyber security risk and monitoring possible cyber security breaches.