- Securities Alert - Disclosure of Cyber Security Risks
- May 2, 2017 | Authors: Philip Aubry; Dirk Bouwer; Conor J. Cronin; Michael A. Gerrior; Robert P. Kinghan; David Lowdon; Timothy J. McCunn
- Law Firm: Perley-Robertson, Hill & McDougall LLP/s.r.l. - Ottawa Office
- Some guidance from the Canadian Securities Administrators (CSA)
The CSA recently reviewed disclosure provided by constituents of the S&P/TSX Composite Index regarding cyber security risk and cyber-attacks. The CSA believes that issuers in all industries may be exposed to cyber security risk, albeit in different ways.
Risk Factor Disclosure. In general, most issuers disclosed that today’s information technology puts them at risk of cyber security breaches. Some issuers also addressed the risk that third parties could expose them to cyber security issues. Third party security breaches, inadequate levels of cyber security expertise and safeguards of third party partners, and the failure or ending of third party information technology services on which the issuer relies are among those risks. A number of issuers also identified a person, group or committee responsible for governance and mitigation and indicated where controls, such as a disaster recovery plan or controls over unauthorized access have been put in place. Issuers that recognized the dependence of their business operations on information technology systems disclosed that disruptions due to cyber security incidents could adversely affect their business, results of operation and financial condition.
The CSA expect issuers, to the extent that they have determined that cyber security risk is a material risk, to provide risk disclosure that is as detailed and entity specific as possible. Issuers should tailor their disclosure of cyber security risk to their particular circumstances. However, the CSA does not expect issuers to disclose details regarding their cyber security strategy or their vulnerability to cyber-attacks that is of a sensitive nature or that could compromise their cyber security.
Cyber Security Incident Disclosure. The CSA review found that only a few issuers addressed cyber-attack incidents; however none of the disclosure reviewed disclosed such incidents as being material. One of the issuers in the review sample had issued a press release following a data breach resulting in confidential information being accessed and disclosed; however, the issuer did not file a material change report in connection with this incident. Some issuers have disclosed cyber security breaches in their continuous disclosure filings but these incidents were also not treated as material.
The CSA recognizes that cyber security incidents may not be detected until much later than when they occurred, and the consequences of an incident may take time to fully assess. The determination of whether an incident is material is a dynamic process throughout the detection, assessment and remediation phases of a cyber security incident. During that process, the CSA recommends that issuers consider the impact on the company’s operations and reputation, its customers, employees and investors. Where an issuer has determined a cyber security incident should be disclosed, it might be appropriate to consider and provide visibility as to the anticipated impact and costs of the incident.
Cyber security, cyber risks and cyber-attacks are becoming a growing part of our daily work life. Reporting issuers and their boards should adopt measures to ensure the constantly changing nature of these matters, and their effects on the company, are properly disclosed.