Although most companies are potential targets for hackers, a new review of issuer disclosure from three of Canada’s largest provincial securities commissions finds that most firms aren’t yet providing much specific information about their cybersecurity efforts and possible breaches.
The review of 240 issuers from three of the largest members of the Canadian Securities Administrators (CSA) — the B.C. Securities Commission, the Ontario Securities Commission and the Autorité des marchés financiers — found that 61% identify cybersecurity as a material risk to their business.
However, few of these firms provide specific insight into their particular vulnerability to cybersecurity incidents, and only 20% of the issuers that address cybersecurity in their disclosure identify a specific person, group or committee with responsibility in this area.
In general, disclosure in this area should focus on material, firm-specific information and “avoid boilerplate language,” the CSA says.
“While we acknowledge that exposure to cybersecurity risks may be common to all issuers in every industry, issuers should bear in mind that one of the purposes of risk factor disclosure is to allow the reader to distinguish one issuer from another, within the same industry or across industries, in terms of the level of exposure, the level of preparedness and how the risk impacts the issuer,” the regulators’ report states.
The CSA report also stresses that issuers with material cybersecurity risks should provide disclosure that’s “as detailed and entity specific as possible,” but adds that the regulators don’t expect disclosure that would compromise security.
“Issuers should also address how they mitigate the risk, including whether and to what extent the issuer maintains insurance covering cyberattacks, or reliance on third party experts for their cybersecurity strategy,” the CSA report notes.
Only a few firms admit they have suffered cyberattacks and only one said that it was a material breach, the report says.
“In considering whether and when to disclose a cybersecurity incident, the issuer must determine whether it’s a material fact or material change that requires disclosure in accordance with securities legislation,” the CSA report says. “Materiality depends on the contextual analysis of the cybersecurity incident.”
The regulators’ report indicates that their staffs will continue reviewing “disclosure of cybersecurity risks and incidents, monitor trends in disclosure and review the extent and timing of reporting of cybersecurity incidents.”
The CSA will hold a cybersecurity roundtable in February to examine how various components of the financial services sector would respond to a cyberbreach.