On Sept. 22, 2016, Yahoo Inc. (Yahoo), in the midst of a US$4.8 billion deal to sell its core business to Verizon Communications Inc., disclosed that user account information, such as names, email addresses, telephone numbers, dates of birth and passwords, had been stolen from at least 500 million Yahoo accounts in 2014.[1]
While the sheer volume of the breach is stunning in its own right, the delayed disclosure has spawned pointed criticism over when exactly Yahoo knew about what is being branded as the largest data compromise of an email provider to date.
U.S. Senator Mark Warner penned a public letter to the U.S. Securities and Exchange Commission (SEC), urging regulators to investigate Yahoo over the "associated lack of disclosure" by the company.[2] The SEC has provided guidance to public companies on cybersecurity disclosure for some time.
In 2011, the SEC's Division of Corporation Finance published guidance directing public companies to disclose cybersecurity risks, as well as cyber incidents, that may have a material impact on the company.[3] The Wall Street Journal, citing an analysis by Audit Analytics, recently reported that just 95 of roughly 9,000 publicly listed companies in the U.S. had informed the SEC of a cyber breach since January 2010.
The Yahoo breach has thrust cybersecurity disclosure to the forefront of securities regulation. On Sept. 27, 2016, the Canadian Securities Administrators (CSA) offered guidance to financial market participants on cybersecurity disclosure when it published CSA Staff Notice 11-332 (the 2016 Notice). The 2016 Notice replaces CSA Staff Notice 11-326 published on Sept. 26, 2013 (the 2013 Notice).
The 2013 Notice asked public companies to consider whether a cyber risk or attack facing the issuer qualifies as a material fact or material change that would need to be disclosed in either a prospectus or a continuous disclosure filing. Beyond directing issuers to approach cybersecurity disclosure as a question of materiality, it gave no direction on what materiality looks like in the cyber context, nor any guidance on the content, nature and timing of cybersecurity disclosure.
The 2016 Notice seeks to provide clearer direction based on the CSA's review of various issuers' cybersecurity disclosure. The review found that issuers "either did not have any disclosure or only had non-entity specific, boilerplate disclosure." The 2016 Notice reports that the CSA plans to undertake a closer review of larger issuers to obtain a better understanding of how the materiality of cyber risks and attacks is assessed, with the results of that review to be released at a later date.
In the interim, the 2016 Notice advises that, to the extent a cyber risk or attack is deemed material, the CSA expects the disclosure to be "detailed and entity specific." Public companies should also have a cyber breach remediation plan in place that explains how the materiality of a cyber attack would be assessed, for the purpose of determining "whether and what, as well as when and how, to disclose in the event of an attack."
Cybersecurity has been identified as a priority in the CSA 2016-2019 Business Plan. Public companies should watch for the results of the CSA review of larger issuers, which may provide clearer parameters around which cyber risks and attacks qualify as material and, consequently, warrant disclosure in a prospectus or continuous disclosure filing. While public companies must be diligent in fending off cyber threats, they must be equally diligent in the assessment, timing and delivery of their cybersecurity disclosure.
For a more detailed discussion of the 2016 Notice, please refer to "Cyber Risk Management — Regulatory Guidance from the Canadian Securities Administrators."
BLG’s cybersecurity lawyers are here to help you navigate cybersecurity laws and disclosure requirements in Canada. Reach out to anyone on our experienced team for assistance.