Cybersecurity: be aware, prepare and declare

The Canadian Securities Administrators (CSA) have published a new staff notice to promote cybersecurity awareness, preparedness and resilience in Canadian capital markets and to encourage better disclosure by issuers.

The CSA first published a notice on cybersecurity in 2013, reminding issuers and registrants of the importance of putting into place strong security measures to safeguard themselves and their clients. Issuers were also advised to consider whether and to what extent cybercrime risks, incidents and controls to address such risks should be disclosed in a prospectus or a continuous disclosure filing.

In its new notice, the CSA advises that it considers cybersecurity a priority and expects issuers and registrants to take steps to protect themselves against cyber threats.

The securities regulators will be re-examining issuer disclosure related to cybersecurity in the coming months. As issuers begin to turn their minds to the upcoming annual reporting season, they should assess the cybersecurity risks they face and consider the type and level of disclosure, if any, to include in their MD&A and annual information forms. To the extent that they consider the risk material, issuers should avoid boilerplate and provide cyber risk disclosure that is as detailed and company specific as possible. Issuers should also consider the threshold required to determine that a cyberattack is material and should be disclosed, taking into consideration the impact on its operations, reputation, customers, employees and investors.

In respect of registrants, the CSA advises that it has been gathering data about the cybersecurity practices in place and will continue to discuss cybersecurity policies and procedures with registered firms as part of compliance reviews. Registrants are expected to remain “vigilant,” regularly review their cybersecurity risk control measures and update their procedures in accordance with industry best practices.

Part of cybersecurity preparedness for both issuers and registrants includes continually reviewing guidance and best practices from industry associations and tailoring a program to meet the organization’s specific needs. The new CSA notice includes links to a number of reference documents that may be useful to issuers and registrants.

The September 2016 CSA Staff Notice 11-332 can be accessed here.
The September 2013 CSA Staff Notice 11-326 can be accessed here.