Client Notes – Cyber Security and Public Companies

Threats and costs of cyber attacks

According to PwC’s Global State of Information Security Survey 2016, which collected responses from more than 10,000 executives from 127 countries, the total number of security incidents detected by respondents in 2015 was up 38% compared to 2014.

Previous Global State of Information Security Surveys indicate that security incidents have increased 66% on average from year to year from 2009 to 2014. For 2015, around 10% of respondents estimated total financial losses associated with all their security incidents to represent USD$10 million dollars or more. Cost estimates can vary widely depending on methodologies and scope, but they all tend to show these costs to be on a growing trend.

The Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, sponsored by IBM, pegs the average cost of data breaches to a company at USD$3.79 million dollars, a 23 percent increase over the past two years. The Center for Strategic and International Studies estimated in 2014 that the likely annual cost to the global economy from cyber crime is more than USD$400 billion. [1]

What is Cyber Risk?

Cyber risk refers to the potential negative outcomes associated with cyber attacks which can be defined as attempts to compromise the confidentiality, integrity and availability of computer data or systems[2].

Traditionally, safeguards have focused on ensuring the resilience of systems from the occurrence of various technological glitches. There has historically been less focus, however, on failures or incidents that might originate from malicious intent, generally referred to as cyber attacks.

The Canadian Securities Administrators(CSA) identified cyber security as an important issue in 2013 when they published CSA Staff Notice 11-326, Cyber Security (September 26, 2013). Since then, it has been identified as a priority in the CSA 2016-2019 Business Plan. The CSA have issued the following documents which address the topic:

  • CSA Staff Notice 11-332, Cyber Security (September 27, 2015)
  • CSA Multilateral Staff Notice 51-347, Disclosure of cyber security risks and incidents (January 19, 2017)
  • CSA Staff Notice 33-321, Cyber Security and Social Media, (October 19, 2017)

Relevance to Public Companies and other Reporting Issuers (Issuers)

As digital technology plays an expanding role in the way that many Issuers conduct their operations, Issuers face increasing cyber risks. As a result, to comply with securities laws, they must have appropriate policies and controls as well as determine what information they must disclose to investors regarding those risks.

Key Components for Appropriate Policies and Controls

The following components have been identified as key components for planning and preparing for cyber risks:

  1. Identification: governance structure, critical assets (information and systems)
  2. Protection: establishing organizational structure, technical tools (e.g.,anti-virus), training, security bulletins, regular communications
  3. Detection: monitoring to detect abnormal patters of access and other anomalies
  4. Response: incident plans, forensic analysis, communications, recordkeeping, drills
  5. Recovery: plans regarding service levels [3]

Factors Considered for Disclosure of Cyber Risks

Issuers are subject to disclosure requirements by securities regulators. The policy rationale is that having access to information about an issuer that is material, timely and not misleading, enables investors to make more informed decisions on whether to buy, sell or hold that issuer’s securities.

Information that is typically required to be disclosed under securities regulations includes a description of an issuer’s business, financial condition, management, material risks, major shareholders, significant contracts, as well as other information that is material to investors’ investment decisions.

The following have been identified[4] among the factors that issuers should consider when preparing their disclosure, if they have determined that cyber risk is a material risk:

  • the reasons why the issuer is subject to cyber risk;
  • the source and nature of the cyber risk, and how the risk may materialize;
  • the possible outcomes of a cyber incident, including:  effects on the issuer’s reputation and customer confidence; effects on stakeholders and other third-parties; costs of remediation after a breach; litigation, whether brought by parties seeking damages against the issuer or by the issuer against third parties; effects on the issuer’s internal and disclosure controls;
  • the adequacy of preventative measures and management’s strategy for mitigating cyber risk; and
  • whether a material breach has occurred previously and how this affects the issuer’s overall cyber risk.

CSA Review of Disclosure regarding Cyber Risk

The CSA did an issuer-oriented review focused on cyber security in 2016. They reviewed the most recent annual filings of the constituents of the S&P/TSX Composite Index (240 issuers). They published the results in CSA Multilateral Staff Notice 51-347, Disclosure of Cyber Security Risks and Incidents. The report discussed frequently identified potential impacts (for example, unauthorized access, destruction or corruption of data, higher insurance premiums, etc.), governance and risk mitigation strategies (for example, who was in charge, use of controls); and incident disclosure.

CSA Staff stated that they intend to “continue reviewing disclosure of cyber security risks and incident, monitor trend in disclosure and review the extent and timing of reporting of cyber security incidents.”

By Randee Pavalow and Michael Bluestein

[1] The data in this section is from Cyber Security in Securities Markets – An International Perspective (IOSCO, FR02/2016)

[2] The National Institute of Standards and Technology (NIST)’s Glossary of Key Information Security Terms provides the following definition for a cyber attack, which overlaps the concepts mentioned above:

“An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. Source: CNSSI-4009”

[3] Cybersecurity in Securities Markets, (IOSCO, FR02/2016)

[4] These factors were set out in the IOSCO paper (FR02/2016) and adopted in CSA Multilateral Staff Notice 51-347.