Publicly traded companies governed by the Canadian Securities Administrators (CSA), already under obligations to make a number of other disclosures to shareholders and investors, must now add cyber security to the list.

A staff notice from the CSA in January signalled the start of the disclosure expectations now de rigueur for CSA reporting issuers.

The notice states the CSA had reviewed the most recent annual filings of the 240 companies on the S&P/TSX Composite Index and found that 61% addressed cyber security issues in their risk factor disclosure.

Some of the potential threats identified by the companies include: the compromise of confidential customer or employee information, unauthorized access to proprietary or sensitive information and lost revenues because their business would be interrupted. The regulator also said few issuers provided disclosure on their particular vulnerability to cyber security incidents.

Identify, assess and mitigate risks

This notice follows an earlier one from the CSA in September telling market participants that they must deal with cyber risks and take proper precautions to identify, assess and mitigate those risks, said Bradley Freedman, national leader of Borden Ladner Gervais’ cyber security law group in Vancouver.

Publicly traded companies, including financial services businesses, have had to disclose a number of risks to investors for years – such issues as the hiring or firing of a key person in the company, a major discovery, the release of a product or rules dictated by international regulators.

“The CSA bulletin is just another important reminder that cyber security is a big deal for organizations, companies of all kinds, including reporting issuers and other financial market participants,” said Freedman.

“As issuers increasingly depend on information technology, and as cyber attacks become more frequent and sophisticated, we expect that issuers will consider their exposure to cyber security risks when preparing their risk factor disclosure,” states the notice.

The purpose of the disclosure is to allow those who have been affected by a cyber breach to take timely action as a result, said Freedman. Yahoo was recently taken to task after it revealed in late 2016 that it took three years for the company to discover that details of more than one billion user accounts had been stolen back in 2013.

The guidance provided by the CSA outlines that the disclosure must be company specific – not boilerplate. At the same time, companies will have to walk a fine line so as not to be too specific about where their risks lie.

Walking a fine line

“You have to make disclosures about the cyber risks your business faces and what you’re doing to manage those risks so the investing public can make their decisions based on that information,” he said. “But don’t make disclosures so detailed that you are going to tip off cyber criminals who want to take advantage.”

Reporting issuers will need to identify and assess these risks, as well as any kind of residual risk that may follow before they can decide on what they should tell investors, said Freedman.

And the company only has to report to investors what it considers issues that are “material.” Freedman said there are well-established tests for what is material, particularly whether it might be reasonable to expect the release of the information to have an effect on the stock market value of the company’s shares.

“The challenge is applying the test to that fact but sometimes a small little cyber incident is an indication of a bigger systemic problem,” said Freedman. “Reporting issuers have to be mindful of this and make honest disclosures of material facts so investors can make proper decisions. The good thing about this staff notice is that in order to comply, reporting issuers are going to have to take measures to make sure they are properly addressing cyber risks.”

Rules coming for businesses

In addition to the new CSA obligation to disclose cyber security issues, there are also conditions businesses need to comply with both in Alberta and soon-to-come federal requirements.

Alberta’s Personal Information Protection Act requires disclosures of certain security breaches with regards to personal information if a threshold is reached.

Also, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will soon require certain security breaches be disclosed to regulators, including the Privacy Commissioner, as well as affected individuals and organizations.

Under these rules, a breach may occur if an employee loses a laptop, not necessarily because of a hacker or cyber criminal. “That’s one source of cyber risk – but not the only one,” said Freedman. “Lots of information security incidents occur because of mistakes caused by employees who are just trying to do their best or by insiders who are malicious.”

The new – and forthcoming – requirements will require those companies that are not yet providing continuous and timely disclosure to come up with a plan of action.

Not a one-time event

“It’s not difficult in terms that there is some magic there but it will be difficult in the sense that to do it and to do it properly is going to take time and effort. Protecting against cyber risks, identifying, assessing, treating, remediating – it’s a continuous process, it’s not a one-time event.”

Many large, publicly traded companies already have chief information security officers who have worked on these issues. In its notice, the regulators said about 20% of the issuers who had addressed cyber security in their disclosure had identified a person, group or committee to be responsible.

But other organizations that don’t yet have the people or the processes in place will have to get their houses in order and this could be costly and take time, said Freedman.

“At the end of the day those organizations are going to be better off and their shareholders and investors will be better off because the organizations will have some protection against the catastrophic consequences that could result from a cyber incident.”

In December 2015, the Investment Industry Regulatory Organization of Canada (IIROC) released cyber risk management guidance that it described as voluntary. It outlined the importance of a sound governance framework, a well-trained staff and the importance of exercising strong due diligence when working with third-party vendors.