2017 volume 27 issue 2

Shifting Gears: CSA Cybersecurity Disclosure Recommendations Prompt A More Proactive Approach

SECURITIES REGULATION AND IR

Margaret McNee, McMillan LLP

The Canadian Securities Administrators (the “CSA”) Multilateral Staff Notice 51-347 – Disclosure of cybersecurity risks and incidents published January 19, 2017 provides a helpful snapshot of issuers’ cybersecurity-related disclosure and suggests a number of best practices. When read in the context of our changing cyber regulatory landscape and the rise of data breaches, issuers should revisit their disclosure practices.

The cyber landscape in Canada

In its recent White Paper on cybersecurity, the Canadian Chamber of Commerce defined cybersecurity as the protection of computer systems from theft of or damage to the hardware, software or the information on them, as well as from the disruption or misdirection of the services they provide.[1] Adequate preparation to mitigate cyber threats and breaches requires appropriate risk management systems, which necessitates the installation of physical and electronic security arrangements. In the event of an incident, businesses should already have established procedures to notify the relevant authorities. A failed cybersecurity system can cause significant direct costs to businesses, including loss from fraud, reputational damage, and increased infrastructure, training and monitoring expenses. 

Businesses are particular targets of cyber threats and, as each year goes by, the number and dollar value of incidents steadily rises.[2] In a 2016 study cited by the Canadian Chamber of Commerce, cyber incidents were identified as one of the most significant pecuniary threats faced by all sizes of enterprises.[3] 

Cybersecurity as material risk

The CSA identified cybersecurity as a priority in its 2016-2019 Business Plan.[4] This was followed by several Staff Notices, which provided guidance for issuers on the disclosure of their cybersecurity systems.[5] One project undertaken by the CSA involved reviewing the most recent annual filings of 240 constituents of the S&P/TSX Composite Index, including issuers’ annual information forms, management’s discussion and analysis, management information circulars, as well as other filings such as material change reports and news releases. The review’s findings, as summarized in Multilateral Staff Notice 51-347, strongly suggest that many issuers’ standard practices for cybersecurity disclosure are inadequate. The CSA found that close to 40% of issuers did not identify cybersecurity as a material risk in their disclosure. Considering the steady rate at which the detection of security incidents has been increasing, these numbers suggest that many issuers are not acknowledging and/or disclosing their vulnerabilities.

This low rate of disclosure may be attributed to the fact that there is no explicit requirement in Canadian securities law for the disclosure of cybersecurity risks; rather, the requirement is that all material risks be disclosed, with materiality being understood as information that a reasonable investor would consider important when deciding whether to buy, sell or hold securities.[6] Yet as data breaches become more commonplace, and gain higher profile, cybersecurity is expected to become increasingly important to investors.

To provide an example of how significant a cybersecurity breach can be, Yahoo’s handling of its 2013/2014 cyber attacks illustrates how public opinion, securities regulators and data breaches can become intertwined. Not only did Yahoo’s widely reported data breach and the associated public outcry jeopardize its estimated US$4.8 billion deal with Verizon, it also led to Verizon obtaining a US$350 million discount on the purchase price to offset the damages when the deal finally was made. Furthermore, the U.S. Securities and Exchange Commission opened a formal investigation in December 2016 to assess whether Yahoo’s disclosure to investors ought to have occurred earlier.[7]

To date, there have only been a limited number of data breaches reported by issuers in Canada; in 2016, not one of the 240 issuers studied by the CSA claimed it had experienced a material data breach. However, issuers should be aware that the long-awaited Digital Privacy Act[8] regulations are expected to come into force by the end of this year.[9] It is anticipated that these regulations will require organizations to maintain a record of all breaches, and to notify users of any breach that could pose “a real risk of significant harm” to any individual whose personal information was involved. A failure to handle breaches in accordance with the regulations could result in fines of up to $100,000. This means that news of data breaches can be expected to receive greater attention and potential backlash.

Recommendations for improved disclosure

With cybersecurity in mind, issuers should revisit the procedures by which they assess the disclosure of material risks and determine what constitutes a material change or material fact requiring disclosure. In particular, issuers should be aware of the following Staff recommendations when preparing their risk and incident disclosures:

  • Risk Disclosure: When assessing whether a cybersecurity risk is sufficiently material to require disclosure, the issuer’s analysis turns on the probability that a breach will occur, and the anticipated magnitude of its effect. Should disclosure be appropriate, it should be specific to the issuer and avoid boilerplate in descriptions of why the issuer is exposed to potential data breaches. Information pertaining to the source and nature of the risk, the potential consequences of a breach, and the preventative measures taken will assist issuers in establishing that sufficient information was disclosed. Further, issuers should address how they intend to mitigate their risks, which can be done by providing information on their cyber-related insurance and, if applicable, their reliance on third party experts for their cyber strategy. While disclosure is to be detailed, issuers are not expected to disclose information regarding their cybersecurity strategy or their particular vulnerabilities if doing so would compromise their security system, or if the information is of a sensitive nature.
  • Incident Disclosure: While there is no bright-line test for when a data breach constitutes a material change or material fact, issuers should recognize that the assessment is a dynamic one and something that is not initially identified as a material change or material fact could become one over time. Designating a party or Board committee responsible for monitoring the development of the situation can assist in this process.

As concern over cybersecurity continues to increase and cyber regulation continues to evolve, issuers would be wise to shift from being reactive to proactive in their disclosure practices.



[1] The Canadian Chamber of Commerce, Cyber Security in Canada: Practical Solutions to a Growing Problem, April 2017.

[2] Ibid at p. 13-14.

[3] Ibid at p.12.

[4] CSA Business Plan 2016-2019, http://www.securities-administrators.ca/uploadedFiles/General/pdfs/CSA_Business_Plan_2016-2019.pdf

[5] CSA Multilateral Staff Notice 51-347 – Disclosure of cyber security risks and incidents; CSA Staff Notice 11-332 – Cybersecurity.

[6] Form 51-102F2 - Annual Information Form - Part 1 (e) “What is Material” and s. 5.2.

[7] Aruna Viswanatha and Robert McMillan, “Yahoo Faces SEC Probe Over Data Breaches”, Wall Street Journal, January 23, 2017. https://www.wsj.com/articles/yahoo-faces-sec-probe-over-data-breaches-1485133124.

[8] Digital Privacy Act, SC 2015, c.32.

[9] https://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf11177.html

Margaret McNee is a Senior Partner at McMillan LLP. This article was written with the help of Christie Bates, articling student at McMillan LLP in Toronto.