
Cybersecurity: Regulatory Risks for Canadian Issuers

February 22, 2017


Written By Ruth E. Promislow and Matthew J. Macdonald

In the United States, the Securities Exchange Commission (SEC) has taken an active role in regulating cybersecurity issues. Canadian issuers should be aware that the risk of regulatory enforcement may be coming to Canada.

Recently, the Canadian Securities Administrators (CSA) stated that they "expect Market Participants to take steps to protect themselves against cyber threats." Specific expectations include the following:

The CSA is hosting a cybersecurity roundtable at the Ontario Securities Commission on February 27, 2017. This roundtable follows the publication of CSA Staff Notice 11-332 Cyber Security. The event in itself highlights the increasing attention being paid to this issue by Canadian securities regulators.

A review of recent SEC activity in the United States sheds some light on the extent of regulatory enforcement that may ultimately come to Canada.

The SEC is currently investigating Yahoo! Inc. (Yahoo) for failure to disclose data breaches to investors. The cyberattack occurred in 2014 and compromised at least 500 million Yahoo users’ data. Yahoo only disclosed the breach in September 2016, and the SEC opened a formal investigation in December 2016. As a result, Yahoo has been subpoenaed for documents to determine whether Yahoo complied with securities laws related to disclosure.

The Yahoo investigation highlights the active role the SEC has taken in regulating cybersecurity. There are other examples of cases in which the SEC has commenced enforcement actions, and settled them with monetary penalties, based on an alleged failure to properly implement controls to prevent cyberattacks.

The SEC published disclosure guidance for public companies in October 2011, requiring material information about cybersecurity risks to be disclosed if it could affect investors. For the Management Discussion and Analysis and other SEC filings, disclosure is critical if the costs or other consequences associated with the cybersecurity risk are likely to materially affect the operations, liquidity or financial condition of the company. What is "material" under this guidance is not defined.

In Canada, material cybersecurity breaches must be disclosed, as well as material cybersecurity risks. Materiality depends on the context, frequency, scope and type of attack, as well as the timing of the attack, detection, assessment and remediation. The CSA's Staff Notice 11-332 and Multilateral Staff Notice 51-347 outline disclosure expectations. To the extent a cyber risk is a material risk, issuers are to provide a detailed risk disclosure and mitigation strategy. As a part of this, the issuer must consider the impact on the company’s operations and reputation, its customers, employees and investors.

As cyberattacks grow in frequency and severity, and the risks to consumers escalate, organizations must be fully aware of their obligations to develop adequate controls to prevent and respond to attacks, and their potential exposure on the regulatory front and otherwise should they fail to do so.

The Bennett Jones Cybersecurity team has extensive experience with these matters and can help prepare your business in this area.
