61% of companies in the S&P/TSX Composite Index acknowledged cybersecurity as a material risk to their business. This was the main finding of the Canadian Securities Administrators’ (CSA) staff notice on the disclosure of cybersecurity risks and incidents.
However, the CSA’s research is much more troubling. While the organizations acknowledge a risk, they rarely disclosed the specific risks related to their unique company – only to their industry as a whole. This suggests that publicly traded companies have very little understanding of the threats that are directly targeted towards them.
The review was commissioned to look at how public companies addressed cybersecurity issues in their risk factor disclosures. This included the risk of a cyberattack.
Only 12% of the companies identified a specific person, group, or committee as being responsible for cybersecurity matters within the organization. For the remaining 49% of companies, it was unknown whether or not anyone was tasked with overseeing cybersecurity and managing proper procedural enforcement. Acknowledging a risk is not enough – actions are needed to ensure maximum protection.
The CSA says that:
“Issuers should consider the reasons they may be exposed to a cyber security breach, the source and nature of the risks, the potential consequences of a cyber security breach, the adequacy of preventative measures, as well as a consideration of prior material cyber security incidents and their effects on the issuer’s cyber security risk. Issuers should also address how they mitigate the risk, including whether and to what extent the issuer maintains insurance covering cyber attacks, or reliance on third party experts for their cyber security strategy or to remediate prior or future cyber attacks. It is also relevant to disclose governance issues, including identifying a committee or person responsible for the issuer’s cyber security and risk mitigation strategy.”
It is our hope that Canada’s publicly traded companies will heed the advice of the CSA. Every potential cybersecurity threat should be identified given each company’s individual situation. The companies should also disclose what they are doing to prevent future attacks without divulging information that could put them more at risk.
Given the very public hackings that hit Sony and the Democratic National Committee recently, the use of email for confidential corporate information exchange should itself be considered a major disclosable risk. Many examples exist to show just how lethal a hacked email can be for a corporation. Investors deserve to know if companies are running this risk and what the possible consequences are in detail.
Similarly, any company that is not using a system to monitor incoming and outgoing electronic communications should disclose the matter as a major risk, given it implies an egregious lack of control over information. Companies should be monitoring the content of all electronic communications on a real-time basis to detect problems. They should also have compliance procedures in place to deal immediately with problems detected and permanent records to demonstrate appropriate supervision. Today, this is the minimum standard. Anything less implies an unacceptable level of risk and must be disclosed to investors.
About Evizone Ltd.
Evizone Ltd. is a revolutionary secure communications, encryption and compliance software and service provider based in Montreal, Quebec, Canada. Evizone offers innovative enterprise solutions in secure messaging (next generation beyond encrypted email) and encryption, encryption at rest, regulatory compliance, compliance archiving, WORM compliance, 17a-4 compliance, document life cycle management and communications governance and risk management. Evizone’s services protect organizations through best-in-class security, encryption, recipient controls, document life cycle management, discovery management, compliance management, compliance archiving, tamper-proof WORM and 17a-4 compliance archiving and complete audit records against the enormous damage caused by communications breaches. Evizone’s patented technologies offer a level of security impossible to obtain with conventional or encrypted email and fast, powerful, user-friendly compliance archiving. Evizone’s services are immediately available on multiple platforms and provide the strongest commercially available communications security and compliance archiving. You can follow Evizone on Facebook, Twitter, and LinkedIn.
Tom Kott, HATLEY Strategy Advisors, 514.316.7082, firstname.lastname@example.org