Insights Header image
Insights Header image
Insights Header image

The tides are changing for cyber regulation, and you may need to take action in order to stay afloat

April 2017 Securities Bulletin 5 minute read

In 2017 businesses will see significant changes to the cyber regulatory landscape, and Canadian businesses’ cyber protocol will have to adapt accordingly.

This bulletin focuses on two areas of anticipated change. First, securities regulators are stressing the need for issuers to disclose their cybersecurity risks and incidents in their Annual Information Forms, MD&A and other continuous disclosure documents. Second, the new Canadian anti-spam regulations will now permit private actions to be pursued for the sending of commercial electronic messages. These two examples illustrate the diverse ways in which Canadian businesses will need to critically re-assess their cyber activities to respond to changing cyber regulation.

Issuers’ disclosure of cybersecurity risks and incidents

Since the Canadian Securities Administrators (“CSA”) identified cybersecurity as a priority in their 2016-2019 Business Plan, a number of Staff Notices have been published to provide guidance for issuers on the disclosure of their cybersecurity protocols.[1] Based on an assessment of the disclosure practices of 240 reporting issuers, the CSA found that 40% of issuers did not identify cybersecurity as a material risk in their continuous disclosure documents. Considering the rate at which the detection of security incidents has increased, these statistics suggest that reporting issuers are not acknowledging and/or disclosing their vulnerabilities to cybersecurity risks.

The low rate of disclosure may be attributed to the fact that there is no explicit requirement in Canadian securities law for the disclosure of cybersecurity risks; rather, the requirement is that all material risks be disclosed, with materiality being defined as information that a reasonable investor would consider important when deciding whether to invest. As data  breaches are becoming more commonplace, and gaining higher profiles, cybersecurity is expected to become increasingly material to investors.

For example, Yahoo’s handling of their 2013/2014 cyber attacks illustrates how data breaches, public opinion, and securities regulators can become intertwined. Not only did Yahoo’s data breach and public outcry jeopardise their estimated $4.8 billion deal with Verizon, it also led to Verizon receiving a $350 million offset for damages. Subsequently, the U.S. Securities Exchange Commission opened a formal investigation in December 2016 to assess whether Yahoo’s disclosure to investors ought to have occurred earlier.[2] 

While there have only been a limited number of reported data breaches, this is likely to change as well. Issuers should be aware that the long-awaited Digital Privacy Act[3] regulations will likely come into force by the end of this year.[4] It is anticipated that these regulations will require organizations to maintain a record of all breaches, and notify users of any breach that could pose “a real risk or significant harm” to any individual whose personal information was involved in the breach. A failure to handle breaches in accordance with the regulations could result in fines of up to $1,000,000. This means that news of data breaches will garner higher profiles and greater backlash. In 2016, not one of the 240 studied issuers claimed they had a material breach. This is unlikely for 2018 as the new regulations come into effect.

In light of this, issuers should revisit the mechanisms used to assess their disclosure of material risks and what might constitute a material change or fact to merit disclosure. In particular issuers should be aware of the following when preparing risk and incident disclosures:

  • Risk Disclosure: Entity specific and non-boilerplate descriptions of why issuers are exposed to potential breaches, the source and nature of risk, the consequences of a breach, the preventative measures and any mitigation steps will assist issuers in asserting sufficient information was disclosed.
  • Incident Disclosure: While there is no bright line test to know when a data breach constitutes a material change or fact, issuers need to realise that the assessment is a dynamic one and something that is not initially identified as a material change or fact could become one with time. Designating a body, such as the audit committee, to monitor the situation can assist in this process.

In short, issuers need to shift from being reactive to proactive.

Trigger clicking: think before you click

As of July 1, 2017, individuals and organizations can bring a “private right of action” before the courts against those organizations that contravene Canada’s Anti-Spam Law[5] (“CASL”). CASL regulates the sending of commercial electronic messages (“CEMs”) and requires individuals and entities that distribute CEMs to obtain prior consent (direct or implied) from intended recipients.

Given the increase in potential liability, issuers should ensure their policies and procedures are in compliance with CASL.

  • First, firms must have a clear understanding of the breadth of the legislation and how their existing communication with clients can be captured under the law. The broad definition of CEMs is “an electronic message that encourages participation in a commercial activity, regardless of whether there is an expectation of profit”, this includes e-mails, texts, instant messages, and social media messages sent to the electronic addresses of clients.
  • Second, firms should ensure that a clear and comprehensible CASL policy is in place. The policy should delineate the types of communications requiring consent, the processes that must be followed to collect consent from clients, and specify how consent is recorded.
  • Third, the policy should also detail the mechanism to deal with client complaints and how these are addressed. The existence of a policy is increasingly important with the private “right of action” coming into force seeing as organizations can employ a due diligence defence when accused of a violation under CASL.

The potential liability of a private right of action is in addition to the existing enforcement by the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada.

CASL infringement is not a small risk by any measure. Court ordered damages can be of up to a $1,000,000 for each day on which a contravention occurred, and the CRTC has already imposed penalties in the millions of dollars. With a few months to go, this is the perfect time to ensure compliance with CASL. For more information visit our bulletin on this issue.


As cyber regulation tries to catch up with the cybersecurity crises that has been picking up steam over the past decade, issuers should review their cybersecurity protocols to ensure compliance with the array of new requirements.

by Jason A. Chertin, Maria Valdivieso and Christie Bates (Student-at-Law)

[1] CSA Multilateral Staff Notice 51-347 – Disclosure of cybersecurity risks and incidents; CSA Staff Notice 11- 332 – Cybersecurity.
[2] Aruna Viswanatha and Robert McMillan , “Yahoo Faces SEC Probe Over Data Breaches”, Wall Street Journal, January 23, 2017.
[3] Digital Privacy Act, SC 2015, c.32.
[5] An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23.

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2017

Insights (5 Posts)View More

Featured Insight

Part Three of McMillan’s R. vs Greater Sudbury Webinar

As a follow up to our first two webinars back in December 2023 and February 2024 where we considered the history, details and legal implications of the Supreme Court of Canada’s decision in R. v. Greater Sudbury.

Thursday, June 27, 2024
Featured Insight

Sanctions Enforcement Rising: Border Seizures and Forfeitures, Administrative Penalties and a New Reporting Obligation for Sanctions Evasion Offences

Changes to Canada’s sanctions regime under Bill C-59 will add reporting requirements for importers/exporters, create AMPs, and grant new CBSA seizure powers.

Read More
Jun 13, 2024
Featured Insight

Goodbye CDOR, Hello CORRA: CDOR’s Final Month and CORRA Loan Trends

CDOR will cease being published after June 28, 2024; CORRA is now used in credit agreements with certain trends developing in its use.

Read More
Jun 11, 2024
Featured Insight

Anonymization of Personal Information under Quebec Law

On May 15, 2024, Quebec published its final regulation on anonymization which establishes specific guidelines on how to properly anonymize personal information.

Read More
Jun 5, 2024
Featured Insight

Far from being FARA – Canada’s Proposed Foreign Influence Transparency Registry Law Leaves the Details for Another Day

Canada's proposed foreign agent registry doesn't mirror the problematic aspects of FARA, but many details are left to future regulations and guidance.

Read More
Jun 5, 2024