CSA Provides Guidance on Disclosure of Cyber Security Risks
On January 19, 2017, the Canadian Securities Administrators (CSA) published Multilateral Staff Notice 51-347 Disclosure of cyber security risk and incidents (the “Staff Notice”) reporting on the CSA’s review of cyber security-related disclosure. The notice is part of a series of initiatives being undertaken by Canadian securities regulators to assist market participants in understanding, mitigating and providing effective disclosure of potential cyber security risks.
CSA Staff Review of Cyber Security Disclosure
Cyber security was identified as a priority area by the CSA in their 2016-2019 Business Plan. In September 2016, the CSA published Staff Notice 11-332 Cyber Security, which noted that cyber attacks have become more frequent, complex and costly for organizations. In that context, the CSA announced that it would undertake a review of cyber security-related disclosure by larger Canadian issuers. The CSA’s review focused on whether and how issuers had disclosed (1) potential impacts of cyber attacks on their businesses, (2) the kind of material information that could be exposed as a result of attacks, and (3) governance and cyber security risk mitigation initiatives, including who is responsible for the issuer’s cyber security strategy. The review also searched for disclosure of previous cyber security incidents.
The CSA noted that 61% of the issuers reviewed addressed cyber security in their risk factor disclosure and that issuers in a wide variety of industries acknowledged cyber security as a material risk to their business. Issuers recognized a range of potential impacts from cyber security incidents, including:
- access to, and/or compromise of, proprietary or sensitive information, including confidential customer or employee information;
- loss of revenues due to disruption of business activities;
- litigation and regulatory costs;
- reputational harm affecting customer and investor confidence; and
- devaluation of intellectual property.
The CSA also noted that while a few issuers disclosed that they had been subject to cyber attacks in the past, no issuers had disclosed specific incidents as being material.
CSA Staff Guidance for Issuers
Not surprisingly, the CSA Staff expects issuers to be thoughtful about the cyber security risks they are subject to, to avoid boilerplate language and to provide disclosure that focuses on material information that is specific to the issuer. CSA members expect that, to the extent issuers have determined that cyber security risk is a material risk, they will provide risk disclosure that is as detailed and “entity specific” as possible. There is an express expectation that specific risks will be disclosed, rather than generic risks applicable to all issuers, and that disclosure will be tailored to the specific circumstances of the issuer.
In preparing risk factor disclosure regarding cyber security matters, the CSA expects that issuers will consider (among other things):
- the reasons they may be exposed to a potential breach;
- the source and nature of the breaches;
- the potential consequences of the breach;
- insurance coverage in case of the breach;
- the group or individuals responsible for the issuer’s cyber security; and
- where required, the application of disclosure controls and procedures under National Instrument 52-109 Certification of Disclosure in Issuers’ Annual and Interim Filings to detected cyber security incidents.
At the same time, the CSA does not expect issuers to disclose sensitive information that could compromise their cyber security risk mitigation strategies.
The CSA also reminds issuers to consider whether a specific security incident might be a material change that requires immediate disclosure or a material fact that requires disclosure as part of issuers’ ongoing reporting obligations. Materiality in this context depends on the circumstances of the security breach. For example, an isolated minor breach may not be material, but a series of minor breaches may become material in light of the level of disruption caused. Determining whether an incident is material is a dynamic process that continues throughout the detection, assessment and remediation of a cyber security incident and, depending on the circumstances, disclosure could be required before that process is complete.
In light of the CSA’s stated focus on cyber security, the general recognition by all market participants that most entities are subject to some degree of material cyber security risk, and the potential for liability if material cyber security risks are not appropriately disclosed, issuers and their boards of directors would be well advised to formalize their framework for assessing their particular cyber security risks and for evaluating and implementing appropriate risk mitigation strategies. This will assist issuers not only in providing timely and effective disclosure, but also in developing and implementing effective strategies for mitigating cyber security risk and monitoring possible cyber security breaches.