On September 22nd, 2016 Yahoo Inc.
("Yahoo") — in the midst of a US$4.8 billion deal
to sell its core business to Verizon Communications Inc. —
disclosed that certain user account information, such as names,
email addresses, telephone numbers, dates of birth and passwords,
was stolen from at least 500 million Yahoo accounts in
2014.1 While the sheer volume of the breach is stunning
in its own right, the delayed disclosure of the breach has spawned
pointed criticism over when exactly Yahoo had knowledge of what is
being branded as the largest data compromise of an email
U.S. Senator Mark Warner penned a public letter to the U.S.
Securities and Exchange Commission ("SEC") urging
regulators to investigate Yahoo over the "associated lack of
disclosure" by the company.2 The SEC has provided
guidance to public companies on cybersecurity disclosures for some
time. In 2011, the Division of Corporation Finance of the SEC
published guidance directing public companies to disclose
cybersecurity risks, as well as incidents of cyber
breaches, that may have a material impact on the
company.3 The Wall Street Journal, citing an
analysis by Audit Analytics, recently reported that just 95 out of
roughly 90,000 publicly listed companies in the U.S. informed the
SEC of a cyber breach since January 2010.4
The Yahoo breach has thrust cybersecurity disclosure to the
forefront of securities regulation. On September 27th,
2016 the Canadian Securities Administrators (CSA) offered some
timely guidance to financial market participants on cybersecurity
disclosure when it published CSA Staff Notice 11-332 (the
"2016 Notice").5 The 2016 Notice replaces CSA
Staff Notice 11-326 published on September 26th, 2013
(the "2013 Notice").6
The earlier 2013 Notice asked public companies to consider the
issue of whether a cyber risk or attack facing the issuer qualifies
as a material fact or material change that would need to be
disclosed in either a prospectus or continuous disclosure filing.
Other than directing issuers to approach cybersecurity disclosure
as a question of materiality, there was no direction provided to
issuers on what materiality looked like in the cyber context; nor
was there any guidance on what the content, nature and timing of
cybersecurity disclosure should look like.
The more recent 2016 Notice seeks to provide clearer direction
based on the CSA's review of various issuers' cybersecurity
disclosure. The CSA review discovered that issuers "either did
not have any disclosure or only had non-entity specific,
boilerplate disclosure." The 2016 Notice reports that the CSA
now plans to undertake a closer review of larger issuers to obtain
a better understanding of how the materiality of cyber risks and
attacks is assessed, with the results of that review to be
released at a later date. In the interim, the 2016 Notice advises
that, to the extent that a cyber risk or attack is deemed material,
the CSA expects the disclosure to be "detailed and entity
specific." Public companies should also have a cyber breach
remediation plan in place which explains how the materiality of a
cyber attack would be assessed, for the purposes of determining
"whether and what, as well as when and how, to disclose in the
event of an attack."
Cybersecurity has been identified as a priority in the CSA
2016-2019 Business Plan.7 Public companies should stay
tuned for the results of the CSA review of larger issuers, which
may provide clearer parameters around cyber risks and attacks that
would qualify as material and, consequently, warrant disclosure in
a prospectus or continuous disclosure filing. While public
companies must be diligent in fending off cyber threats, they must
be equally diligent in the assessment, timing and delivery of their
cybersecurity disclosure.