Staff from the British Columbia Securities Commission, the Ontario Securities Commission
and the Autorité des marchés financiers have released Multilateral Staff Notice 51-347: Disclosure of cyber security risks and incidents
, which reports findings of a recent CSA review of issuers regarding cyber security concerns.
Out of the 240 members of the S&P/TSX Composite Index surveyed, 146, or 61%, addressed cyber security issues in their risk factor disclosures, the CSA found in their review. Generally, a dependence on IT systems put issuers from a wide variety of industries at risk for breaches, which could adversely affect their business, operational results, and financial condition.
The notice also gives guidance on risk factor disclosure and incident reporting. “As a general principle, disclosure should focus on material and entity specific information, and avoid boilerplate language,” the notice said. “[E]xposure to cyber security risks may be common to all issuers in every industry, [but] one of the purposes of risk factor disclosure is to allow the reader to distinguish one issuer from another… in terms of the level of exposure, the level of preparedness and how the risk impacts the issuer.”
Issuers are further instructed to consider factors identified by the International Organization of Securities Commissions (IOSCO) when preparing disclosures, which include reasons for their exposure, the source and nature of the cyber risks they face, and potential consequences, among others.
“In considering whether and when to disclose a cyber security incident, the issuer must determine whether it is a material fact or material change that requires disclosure in accordance with securities legislation,” the notice said, referring in particular to National Policy 51-201, Part 1(f) of Form 51-102F1 Management’s Discussion & Analysis
, and Part 1(e) of Form 51-102F2 Annual Information Form of Regulation 51-102 respecting Continuous Disclosure Obligations
There is no bright-line test for materiality of incidents, the notice acknowledged; timing, frequency, and impact of the incident are among the factors to be considered in determining whether it is material enough to be reported.
“Staff intends to continue reviewing disclosure of cyber security risks and incidents, monitor trends in disclosure and review the extent and timing of reporting of cyber security incidents,” the report said.
2017 compliance priorities announced
Protect yourself and your clients from the lurking cybercriminals