Canadian Securities Administrators report the findings of their review of the disclosure of cyber security risks and incidents

Securities CSA

Montréal – Staff from the British Columbia Securities Commission, the Ontario Securities Commission and the Autorité des marchés financiers (staff) are publishing today Multilateral Staff Notice 51-347 Disclosure of cyber security risks and incidents (Staff Notice 51-347). The notice reports the findings of a review announced by the Canadian Securities Administrators (CSA) in Staff Notice 11-332 Cyber Security (Staff Notice 11-332) and provides disclosure expectations for reporting issuers based on those findings.

The review found that 61 per cent of the constituents of the S&P/TSX Composite Index acknowledged cyber security as a material risk to their business. Issuers in a wide variety of industries generally disclosed that their dependence on information technology systems renders them at risk for cyber security breaches, and that disruptions due to cyber security incidents could adversely affect their business, results of operation and financial condition.

The notice also provides guidance on risk factor disclosure and incident reporting. As issuers increasingly depend on information technology, and as cyber attacks become more frequent and sophisticated, we expect that issuers will consider their exposure to cyber security risks when preparing their risk factor disclosure. Staff has also provided guidance with respect to reporting material cyber security incidents.

The CSA identified cyber security as a priority area in its 2016-2019 Business Plan. Staff Notice 11-332, published on September 27, 2016, highlighted the importance of cyber security risks for issuers, registrants and regulated entities, and informed stakeholders about recent and upcoming CSA initiatives. With respect to issuers, Staff Notice 11-332 indicated that CSA members would examine the disclosure of some of the larger issuers to analyze what is being disclosed with respect to cyber security risk and cyber attacks. Staff Notice 51-347 is the result of that examination.

The CSA, the council of the securities regulators of Canada’s provinces and territories, co-ordinates and harmonizes regulation for the Canadian capital markets.

- 30 -

For more information:

CSA member name

Point of contact

Phone number

Autorité des marchés financiers

Sylvain Théberge

514-940-2176

British Columbia Securities Commission

Alison Walker

604-899-6713

Ontario Securities Commission

Kristen Rose

416-593-2336