Securities Alert – Disclosure of Cyber Security Risks
Some guidance from the Canadian Securities Administrators (CSA)
The CSA recently reviewed disclosure provided by constituents of the S&P/TSX Composite Index regarding cyber security risk and cyber-attacks. The CSA believes that issuers in all industries may be exposed to cyber security risk, albeit in different ways. Their review covers a number of different areas that are briefly addressed here.
Risk Factor Disclosure. In general, most issuers disclosed that today’s information technology puts them at risk of cyber security breaches. Some issuers also addressed the risk that third parties could expose them to cyber security issues. Third party security breaches, inadequate levels of cyber security expertise and safeguards of third party partners, and the failure or ending of third party information technology services on which the issuer relies are among those risks. A number of issuers also identified a person, group or committee responsible for governance and mitigation and indicated where controls, such as a disaster recovery plan or controls over unauthorized access have been put in place. Issuers that recognized the dependence of their business operations on information technology systems disclosed that disruptions due to cyber security incidents could adversely affect their business, results of operation and financial condition.
The CSA expect issuers, to the extent that they have determined that cyber security risk is a material risk, to provide risk disclosure that is as detailed and entity specific as possible. Issuers should tailor their disclosure of cyber security risk to their particular circumstances. However, the CSA does not expect issuers to disclose details regarding their cyber security strategy or their vulnerability to cyber-attacks that is of a sensitive nature or that could compromise their cyber security.
Cyber Security Incident Disclosure. The CSA review found that only a few issuers addressed cyber-attack incidents; however none of the disclosure reviewed disclosed such incidents as being material. One of the issuers in the review sample had issued a press release following a data breach resulting in confidential information being accessed and disclosed; however, the issuer did not file a material change report in connection with this incident. Some issuers have disclosed cyber security breaches in their continuous disclosure filings but these incidents were also not treated as material.
The CSA recognizes that cyber security incidents may not be detected until much later than when they occurred, and the consequences of an incident may take time to fully assess. The determination of whether an incident is material is a dynamic process throughout the detection, assessment and remediation phases of a cyber security incident. During that process, the CSA recommends that issuers consider the impact on the company’s operations and reputation, its customers, employees and investors. Where an issuer has determined a cyber security incident should be disclosed, it might be appropriate to consider and provide visibility as to the anticipated impact and costs of the incident.
Cyber security, cyber risks and cyber-attacks are becoming a growing part of our daily work life. Reporting issuers and their boards should adopt measures to ensure the constantly changing nature of these matters, and their effects on the company, are properly disclosed.
For more than 40 years, Perley-Robertson, Hill and McDougall has provided financing solutions to a wide variety of clients, including privately held companies, public companies, reporting issuers and companies listed on NASDAQ, the Toronto Stock Exchange, the TSX Venture Exchange and various OTC and private markets. In addition to providing advice on securities registration and compliance, we have completed venture capital funding transactions, debt and/or equity private placements, initial public offerings, prospectus offerings, capital pool company listings and qualifying transactions, reverse takeovers and limited partnership fundings. Whatever your financing requirements, we are confident we can find a cost efficient solution tailored to your needs.
Contact us today and speak with a member of our securities law team.