The Canadian Securities Administrators (CSA) have published a new staff notice to promote cybersecurity awareness, preparedness and resilience in Canadian capital markets and to encourage better disclosure by issuers.
The CSA first published a notice on cybersecurity in 2013, reminding issuers and registrants of the importance of putting into place strong security measures to safeguard themselves and their clients. Issuers were also advised to consider whether and to what extent cybercrime risks, incidents and controls to address such risks should be disclosed in a prospectus or a continuous disclosure filing.
In its new notice, the CSA advises that it considers cybersecurity a priority and expects issuers and registrants to take steps to protect themselves against cyber threats.
The securities regulators will be re-examining issuer disclosure related to cybersecurity in the coming months. As issuers begin to turn their minds to the upcoming annual reporting season, they should assess the cybersecurity risks they face and consider the type and level of disclosure, if any, to include in their MD&A and annual information forms. To the extent that they consider the risk material, issuers should avoid boilerplate and provide cyber risk disclosure that is as detailed and company specific as possible. Issuers should also consider the threshold required to determine that a cyberattack is material and should be disclosed, taking into consideration the impact on its operations, reputation, customers, employees and investors.
In respect of registrants, the CSA advises that it has been gathering data about the cybersecurity practices in place and will continue to discuss cybersecurity policies and procedures with registered firms as part of compliance reviews. Registrants are expected to remain "vigilant," regularly review their cybersecurity risk control measures and update their procedures in accordance with industry best practices.
Part of cybersecurity preparedness for both issuers and registrants includes continually reviewing guidance and best practices from industry associations and tailoring a program to meet the organization's specific needs. The new CSA notice includes links to a number of reference documents that may be useful to issuers and registrants.
The September 2016 CSA Staff Notice 11-332 can be accessed here.
The September 2013 CSA Staff Notice 11-326 can be accessed here.
About Norton Rose Fulbright Canada LLP
Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.
Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.
Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.
For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.
Law around the world
nortonrosefulbright.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
