Staff from the British Columbia Securities Commission, the Ontario Securities Commission and the Autorité des marchés financiers have published Multilateral Staff Notice 51-347 Disclosure of Cybersecurity Risks and Incidents.
The notice reports the findings of a review announced by the Canadian Securities Administrators (CSA) in Staff Notice 11-332 Cybersecurity (Staff Notice 11-332) and provides disclosure expectations for reporting issuers based on those findings.
Read: CSA announces agenda for cybersecurity roundtable
The review found that 61% of the constituents of the S&P/TSX Composite Index acknowledged cybersecurity as a material risk to business. Issuers in a wide variety of industries generally disclosed that their dependence on information technology systems renders them at risk for cybersecurity breaches, and that disruptions due to cybersecurity incidents could adversely affect their businesses, results of operation and financial conditions.
Read: Top 10 business risks for 2017
The notice also provides guidance on risk-factor disclosure and incident reporting. As issuers increasingly depend on information technology, and as cyber attacks become more frequent and sophisticated, CSA expects issuers will consider their exposure to cybersecurity risks when preparing their risk-factor disclosures. Staff has also provided guidance with respect to reporting material cybersecurity incidents.
Also read: Inform clients about these nefarious threats