01 CSA staff notice 51-347: Disclosure of cybersecurity risks and incidents
As business dependence on technology rises, so does business risk. A 2016 Ponemon Institute study found the average cost of a data breach is US$4 million.
Businesses “are being encouraged, guided and compelled, in some instances, to try to manage those risks in meaningful ways,” says Bradley Freedman, a partner at Borden Ladner Gervais (BLG) in Vancouver.
CSA’s January staff notice on cybersecurity reports on findings from cybersecurity disclosure provided by 240 issuers within the S&P/TSX Composite. It follows last year’s staff notice 11-332 on cybersecurity risk management, and provides guidance for issuers’ disclosure obligations.
CSA found most companies (61%) address cybersecurity in their risk factor disclosure, but only 20% of those issuers identify a person, group or committee responsible for a cybersecurity strategy.
CSA also found few companies disclose their particular vulnerability to cybersecurity incidents (e.g., vulnerable supply chains).
“Disclosures have to be real,” says Freedman, referring to CSA’s guidelines.
“No boilerplate, meaningless statements—that’s not fulfilling your obligation to provide investors with accurate information about material risks,” explains Freedman.
The guidance reflects a general move to transparency, he says. For example, the federal Personal Information Protection and Electronic Documents Act (known as PIPEDA) was amended in 2015 to require disclosure of security incidents regarding personal information when they pose “real risk of significant harm.”
When it comes to reporting incidents, the notice says there’s no bright-line test. Rather, each issuer must determine whether an incident results in a material fact or material change that requires disclosure in accordance with securities legislation.
The work required to provide meaningful risk disclosure and risk management is beneficial, says Freedman. “As an investor, you want to know that a company has acted wisely and prudently to manage risk of all kinds, including cyber risk.”
Along with privacy commissioners and other regulators, “the financial industry is leading the way and establishing benchmarks and best practices in the area of cyber-risk management,” he says.
“Investors and other consumers are going to benefit, because these regulations are setting the bar of what is reasonable care: what a reasonable organization ought to be doing to protect itself; to protect its customers, its trading partners and its investors.”
02 IIROC compliance priorities report
Cybersecurity is also part of IIROC’s compliance priorities for 2016 and 2017. Beginning in 2017, Business Conduct Compliance (BCC) will meet with dealer members not subject to a review that year to determine if any changes have affected their risk rating. IIROC issued risk ratings to each dealer member last year in a cybersecurity report.
As a priority, cybersecurity reflects IIROC’s dual mandate to improve investor protection and foster market integrity, says Julie Mansi, a partner at BLG in Toronto. “Cybersecurity focuses on both sides of the plate,” she says. “It’s for the protection of client data and client function, but also so that the dealer itself is never put in a precarious position.”
Another priority, outsourcing arrangements, also has a cybersecurity focus. “From 2014 to 2017, we have seen this significant focus on what your outsourcing arrangements are; what due diligence are you doing; how are you ensuring that your data is protected,” says Mansi.
The outsourcing focus also shows IIROC recognizes its members have different resources, depending on whether they’re bank-owned dealers or smaller, mid-market participants. In fact, members’ business models are recognized throughout the report.
“IIROC has to be commended in this compliance priority list for clearly not promoting a one-size-fits-all model,” says Mansi.
Even when addressing suitability—a thread running through the entire cybersecurity report—IIROC states that the assessment processes “must be proportionate to the customization/complexity of the firm’s product and account service offerings.” IIROC also recognizes that risk assessment approaches vary across firms.
Regarding registration, IIROC warns it will impose conditions on a dealer member’s membership (e.g., restrictions on opening new accounts or hiring staff) to ensure continuing compliance. It’s a way to address non-compliance without starting enforcement proceedings. Mansi appreciates that flexible approach, and the way it demonstrates the SRO’s role as an active partner with members.
That active partnership is likewise shown through IIROC’s reminder that it arranged a 50% price discount for certain people rewriting regulatory courses within 10 years.
“That’s, on a very practical basis, helpful to the IIROC community,” says Mansi, who saw the discounting gesture as marking IIROC’s evolution from a trade association into its current role as an SRO.
Principled issues, such as suitability for seniors, also benefit from IIROC’s practical focus. For example, BCC examiners will continue to select a percentage of seniors’ accounts to test for suitability. “The principles have always been there,” says Mansi. “The practical implementation […] is coming to the forefront as well.”