Last Thursday, the Canadian Securities Administrators issued a Staff Notice to provide reporting issuers with guidance for compliance with continuous disclosure obligations regarding cybersecurity risks and incidents. Material cybersecurity risks, assessed by probability and magnitude, must be disclosed in as much detail and specificity as possible (excluding sensitive information) without the use of boilerplate language. In assessing disclosure obligations, a reporting issuer should consider the reasons for potential exposure, the source and nature of breaches, the potential consequences, the adequacy of preventative measures, and previously reported incidents. The disclosure should also include how the issuer mitigates the risk of cybersecurity incidents, including insurance and reliance on third-party experts. Material cybersecurity incidents, assessed by whether the incident comprises a material fact or change, must also be disclosed, along with a response plan. It may also be appropriate in the circumstances to disclose information about the anticipated impact and costs of the incident. To ensure compliance with cybersecurity disclosure obligations, as well as director and officer duties, it is crucial that reporting issuers establish a comprehensive program for cybersecurity risk identification and assessment. Read BLG's full comment here.
