Cyber-Security – Consider the Risks and Disclose Accordingly
Businesses are increasingly becoming more reliant on information technology. With that reliance, the impact of data security breaches are becoming more severe. Consequently, the Canadian Securities Administrators have recently announced their intention to make cyber-security a priority in their 2016-2019 business plan. What is the bottom line for directors or officers of Canadian public companies?
- Ensure that the organization’s risk management programs encompass cyber-security due diligence.
- Ensure that the organization is providing adequate resources, financial and otherwise, to properly address cyber-security.
- Ensure that you have clearly established accountability for cyber-security within the organization.
- And if cyber-security risks are material to the organization, and they will be for most, provide appropriate disclosure of those risks in the organization’s public disclosure documents.
Securities Law Background:
There is no specific requirement in Canadian securities law for you to disclose cyber-security risks. The requirement is to disclose the material risks related to your business – risks that a reasonable investor would consider important in making an investment decision. Therefore, as with other operational and financial risks, you should review, on an ongoing basis, the adequacy of your cyber-security, the potential impact on your business of breaches of your cyber-security and public disclosure to your investors of those risks and the potential impact on your business.
You should publicly disclose cyber-security risks, typically in your annual MD&A and AIF, if these risks are significant factors that make an investment in the company speculative or risky. Consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.
OSC Staff Guidance:
The Ontario Securities Commission recently provided the following guidance related to cyber-security risk disclosure:
- As issuers are increasingly dependent on information technology to operate their business, and as cyber-attacks are becoming more frequent and sophisticated, we expect that issuers will consider the ways in which, as well as the types of cyber-attacks to which, they are likely to be exposed.
- To the extent that an issuer has determined that cyber-security risk is a material risk, the Canadian Securities Administrators expect risk disclosure that is as detailed and entity specific as possible.
- Materiality in cases of a cyber-security risk turns on an analysis of the probability that a breach will occur, and the anticipated magnitude of its effect.
- We expect issuers to disclose specific risks rather than generic risks common to all issuers. However, we do not expect issuers to disclose details regarding their cyber-security strategy or their vulnerability to cyber-attacks that is of a sensitive nature or that could compromise their cyber-security.
- We expect issuers to consider the factors identified by IOSCO (International Organization of Securities Commissions) when preparing their disclosure. Issuers should consider:
- the reasons they may be exposed to a cyber-security breach,
- the source and nature of the risks,
- the potential consequences of a cyber-security breach,
- the adequacy of preventative measures, and
- prior material cyber-security incidents and their effects on the issuer’s cyber-security risk.
- Issuers should also address how they mitigate the risk, including:
- whether and to what extent the issuer maintains insurance covering cyber-attacks, or
- reliance on third party experts for their cyber-security strategy or to remediate prior or future cyber-attacks.
- It is also relevant to disclose governance issues, including identifying a committee or person responsible for the issuer’s cyber-security and risk mitigation strategy.
- Refer to Chapter 2 of the IOSCO report on cyber security in securities markets
OSC Review of Current Disclosure Practice:
The OSC reviewed the 2016 disclosure of cyber-security risks by the 240 constituents of the S&P/TSX Composite Index and found the following:
- 61% of those issuers (146 out of 240) addressed cyber-security issues in their risk factor disclosure.
- Issuers generally disclosed that their dependence on information technology systems renders them at risk for cyber-security breaches.
- Issuers that recognized the dependence of their business operations on information technology systems disclosed that disruptions due to cyber-security incidents could adversely affect their business, results of operation and financial condition.
- The following frequently identified potential impacts of a cyber-security incident were common to a variety of issuers across different industries:
- compromising of confidential customer or employee information;
- unauthorized access to proprietary or sensitive information;
- destruction or corruption of data;
- lost revenues due to a disruption of activities, incurring of remediation costs;
- litigation, fines and liability for failure to comply with privacy and information security laws;
- regulatory investigations and heightened regulatory scrutiny;
- higher insurance premiums;
- reputational harm affecting customer and investor confidence;
- diminished competitive advantage and negative impacts on future opportunities;
- effectiveness of internal control over financial reporting.
- Some industry and business-specific potential impacts identified by issuers included:
- operational delays, such as production downtimes or plant and utility outages;
- inability to manage the supply chain;
- inability to process customer transactions or otherwise service customers;
- disruptions to inventory management;
- loss of data from research and development activities; and
- devaluation of intellectual property.
Below is an example of cyber-security risk disclosure by of one S&P/TSX Composite Index’s companies in 2016. It does not address all of the points raised by the OSC but it does touch on many of them.
Information Security -- The efficient operation of Suncor’s business is dependent on computer hardware and software systems. Information systems are vulnerable to security breaches by computer hackers and cyberterrorists. We rely on industry-accepted security measures and technology to securely maintain confidential and proprietary information stored on our information systems. However, these measures and technology may not adequately prevent security breaches. There is a risk that any significant interruption or the failure of these systems to perform as anticipated for any reason could disrupt our business and could result in decreased performance, production or increased costs, or could have a material adverse effect on Suncor’s business, financial condition, results of operations and cash flow. In the ordinary course of Suncor’s business, Suncor collects and stores sensitive data, including intellectual property, proprietary business information and personally identifiable information of our employees and retail customers. Despite Suncor’s security measures, Suncor’s information technology and infrastructure may be vulnerable to attacks by hackers and cyberterrorists or breached due to employee error, malfeasance or other disruptions. Andy such breach could compromise Suncor’s networks and the information Suncor stores could be accessed, publicly disclosed or lost or stolen. Any such access, disclosure or other loss of information could result in legal claims or proceedings, liability under laws that protect the privacy of personal information, regulatory penalties, disrupt Suncor’s operations and damage Suncor’s reputation, which could have a material effect on Suncor’s business, financial condition, results of operation and cash flow.
Invitation for Discussion:
If you would like to discuss this blog in greater detail, or any other business law matter, please do not hesitate to contact one of the lawyers in the Business Law group at Nerland Lindsey LLP.
Note that the foregoing is for general discussion purposes only and should not be construed as legal advice to any one person or company. If the issues discussed herein affect you or your company, you are encouraged to seek proper legal advice.