Canadian Securities Administrators Issues Updated Guide on Disclosure of Cybersecurity Risks and Incidents

The Canadian Securities Administrators (CSA) continues to ramp up its efforts to improve cybersecurity for reporting issuers, which include companies with publicly traded securities. The latest step in this direction was the introduction of Multilateral Staff Notice 51-347 - Disclosure of cyber security risks and incidents, as an update to the Staff Notice 11-322 - Cyber Security guide issued in September 2016.


The CSA considers cybersecurity one of its top priorities, and these guidelines are meant to help regulated entities mitigate cybersecurity risks. The main goal of these latest Notices is to regulate the way certain organizations disclose cybersecurity risks and incidents. Issuers are expected to comply with the obligations prescribed in the Multilateral Staff Notice, which, among other things, require them to file detailed reports on each detected cybersecurity risk and incident.


Automation Platform for Efficient and Detailed Disclosure


Complying with the continuous disclosure obligations might be difficult for some reporting issuers, as it may require spending a significant amount of time and money, potentially affecting their bottom line. But there are solutions that can help ease that additional strain. For instance, there are automated platforms that are capable of maintaining complete control over cybersecurity incidents and managing risks.


Using a platform that can predict, detect, and respond to cybersecurity breaches can help organizations contain the damage resulting from incidents that have occurred and reduce the risk of such incidents occurring in the future, while also complying with disclosure obligations.


One of the key capabilities of such platforms in relation to the disclosure obligations is that they can create automated reports for each incident and track every action taken by an organization’s computer security incident response team. These types of features are crucial to every organization’s efforts to comply with the above-mentioned requirements.


Multiple Customizable Report Types


The Multilateral Staff Notice requires reporting issuers to disclose specific and detailed reports on every detected material cybersecurity risk, while also disclosing what actions they take to mitigate and manage said risks. Furthermore, when disclosing cybersecurity incidents, issuers are required to notify authorities of the potential impact of an incident and the costs ensuing from it. This is where an automated cyber incident response platform can prove to be very useful to reporting issuers. These platforms are able to create different types of customizable reports, containing detailed information about a given cybersecurity risk or incident.


For example, they can generate encrypted PDF reports, along with DOC, IODEF, IOC and TXT reports, depending on an organization’s needs during a particular incident. These reports include information such as incident kind, actions taken, evidence, and time of detection, to name a few.

Utilizing a platform of this kind, reporting issuers can have peace of mind that all cybersecurity risks are detected in a timely manner and all incidents are resolved as quickly and effectively as possible, while complying with disclosure obligations in the process.