Cybersecurity is identified as a priority in the 2016-2019 business plan of Canadian securities regulators. Recently, they conducted a review of cybersecurity disclosure of the 240 issuers in the S&P/TSX index. Staff Notice 51-347 Disclosure of Cyber Security Risks and Incidents describes the regulators' findings and provides guidance to issuers on disclosure of material cybersecurity information.

Findings on Cybersecurity Disclosure

The regulators collected the following statistics on cybersecurity disclosure by S&P/TSX index issuers:

  • 61% of issuers representing a variety of industries identified cybersecurity as a risk factor.
  • Cyber risks identified by issuers included the potential for reputational damage, confidential information to be compromised, destruction or corruption of data, devaluation of intellectual property, remediation costs, and legal and regulatory liability.
  • Only 30 issuers identified a person, group or committee responsible for cybersecurity risk management. The audit committee was cited most often, while some issuers cited a risk committee, the CFO, the head of information technology, the board of directors or management as a whole.
  • Some issuers disclosed that controls or disaster recovery plans are in place; few issuers disclosed insurance protection, and some disclosed that they may be insufficiently covered for cyber incidents.
  • No issuer disclosed the occurrence of a material cybersecurity breach.

Cybersecurity Disclosure Guidance

The staff notice provides the following guidance to issuers:

  • Cybersecurity disclosure should focus on material, entity-specific information, avoiding boilerplate.
  • Materiality in the context of cybersecurity depends on the probability that a breach will occur and the anticipated magnitude of its effect. Determining materiality is a dynamic process undertaken throughout the detection, assessment and remediation phases.
  • Issuers' disclosure controls and procedures should be applied to cybersecurity incidents to ensure that such incidents are communicated to management and timely decisions are made about whether and what to report.
  • In any remediation plan, issuers should address how materiality of an attack will be assessed. The impact on operations, reputation, customers, employees and investors should be taken into account.
  • If an issuer determines that a cyber incident should be disclosed, it may be appropriate to explain the anticipated impact and cost of the incident.
  • Issuers are not expected to disclose commercially sensitive information or information that could compromise their cybersecurity.
  • When preparing their disclosure, issuers should consider the following factors (several of which are drawn from the International Organization of Securities Commission's 2016 publication Cyber Security in Securities Markets): 
    • the reasons why the issuer is exposed to material cyber risk;
    • the source and nature of the risk and how it may materialize;
    • potential consequences of a cyber breach (e.g., reputational harm, decreased customer confidence, effects on stakeholders or other third parties, costs of remediation, likelihood and costs of litigation, and effects on internal controls);
    • risk mitigation strategy, including the extent of insurance coverage and reliance on third party experts for cybersecurity strategy or remediation;
    • whether a breach has occurred previously and its impact on overall cyber risk; and
    • governance issues, including the committee, group or person responsible for the issuer's cybersecurity and risk mitigation strategy.

Canadian securities regulators plan to continue reviewing issuers' cybersecurity disclosure, including any reports of cyber incidents. To address cybersecurity matters in the capital markets more broadly, the regulators are hosting a roundtable on February 27, 2017 at which market participants will discuss two hypothetical cyber incident scenarios, exploring how the participants would respond as well as opportunities for information sharing and cooperation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.