
New SEC cybersecurity rules for Canadian firms

François M. Tremblay
26.3.2024 · 10 minutes to read

In July 2023, the United States Securities and Exchange Commission (SEC) adopted a rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.

https://www.sec.gov/news/press-release/2023-139

For Canadian issuers reporting on Form 40-F under the U.S.–Canada Multijurisdictional Disclosure System (MJDS), this rule may not apply directly, but there are still ways in which Canadian firms may be impacted.

I had the privilege of chatting about this with Chris Hetner.

Chris begins by breaking down the two core components of the SEC rule. The first component involves cybersecurity disclosures in the Form 10-K annual report, which require companies to describe how they oversee, manage, and report on cybersecurity within the corporation. Chris highlights the importance of identifying, containing, reporting, and determining the materiality of cybersecurity incidents, taking into account their potential financial and operational impacts. He stresses that investors are particularly interested in understanding how companies manage cybersecurity risk alongside other types of risk, such as financial and operational risk. Chris also mentions the growing significance of artificial intelligence and machine learning platforms and suggests that the SEC may want to ensure that corporations adequately manage the risks associated with these technologies.

Moving on to the second part of the SEC rule, Chris explains the significance of the Form 8-K filing, which covers incidents resulting from cyber events within organizations. He discusses various types of cyber incidents, including human error, nation-state attacks, internal misuse of data, and ransomware attacks, highlighting their potential impacts on data security and business continuity. Chris emphasizes the importance of companies having processes in place to assess the magnitude and materiality of cyber events, involving cross-functional teams and external stakeholders such as general counsel and outside counsel. He notes that while current 8-K disclosures tend to be qualitative in nature, investors are increasingly interested in understanding the financial implications of cyber incidents, such as impacts on stock price, insurance premiums, customer attrition rates, and loss of intellectual property.

The SEC rule applies differently in Canada because of its distinct disclosure system, but concerns arise regarding Canadian service providers working for American companies. Chris highlights the importance of disclosing cyber incidents for Canadian suppliers servicing US publicly traded firms. He emphasizes the need for heightened vendor risk management, including specific standards such as technology controls and incident response plans. Coordination with US-based entities is crucial to determine the materiality of incidents. Chris suggests increased drills and exercises between Canadian suppliers and US firms to ensure synchronized response processes. He concludes that this area requires more attention and underscores the need for additional measures to address cybersecurity risks in the service provider ecosystem.

Chris Hetner is a Senior Executive, Board Director, and leader in Cybersecurity recognized for raising cyber risk to the Corporate Board level to protect industries, infrastructures, and economies. He creates operational resilience by aligning robust Cybersecurity strategies with business objectives. Mr. Hetner’s professional judgment combined with a public company perspective and SEC regulatory and investor oversight experience has led to his success in corporate and government roles. Currently, he is on the board of directors of a PE Fund TCIG, a Senior Advisor for the Chertoff Group, the Special Advisor for Cyber Risk for the NACD, Chair Cybersecurity and Privacy for the NASDAQ Center for Board Excellence and a National Board Member of the Society of Hispanic Professional Engineers.

He served as the Senior Cybersecurity Advisor to the Chair of the United States Securities and Exchange Commission and as Head of Cybersecurity for the Office of Compliance Inspections and Examinations at the SEC. He also represented the Chair of the SEC as a senior member of the US Department of the Treasury Financial and Banking Information Infrastructure Committee. His greatest contributions included the vision for and implementation of the first agency-wide cybersecurity governance structure, threat intelligence program, and incident response capabilities. The cybersecurity framework he implemented improved the National Examination Program's ability to monitor and respond to cyber risks and threats across the US securities market.

François M. Tremblay is a GRC senior advisor who has worked as an IT consultant since 1993. He has distinguished himself during his various assignments by his approach and work ethic, based on active listening and communication. Having worked for both large and smaller consulting firms, he has had the fortune of working with clients of all sizes in major activity sectors (insurance, government, health, technology, energy, education, manufacturing, etc.).

Always on the lookout for emerging trends and technologies, his main goal is to work with the business to find the right balance between risk and opportunity, and between compliance, reliability and business growth. Demonstrating leadership and initiative, he strives to clarify needs and to develop adapted, pragmatic solutions. Quick and imaginative, Mr. Tremblay looks forward to taking on new challenges.


© 2024 Brainstorm Cyberrisque Inc. All rights reserved.