New U.S. Bill Proposes Board Level Cybersecurity Expertise - Could Canada Move in the Same Direction?

Jan 18, 2016

On January 18, 2016, McCarthy Tétrault LLP issued an article noting that lawmakers in the United States are seeking to force public issuers to disclose cybersecurity expertise at the Board level in an effort to improve cyber governance as the number of reported cyber risk incidents continues to climb. While the Canadian approach to date has been different, Canadian regulators have made clear their expectation that Board-level involvement and engagement are, in their view, critical.

The article discusses draft legislation in the United States: on December 17, 2015, two Senators proposed a bipartisan bill (the Cybersecurity Disclosure Act of 2015) that would require public issuers to disclose the cybersecurity expertise on the issuer’s Board of Directors or explain why cybersecurity expertise on the Board is not necessary. The bill is now before the U.S. Senate Committee on Banking, Housing and Urban Affairs.

The authors of the article note that, presently, no similar legislation exists or is proposed in Canada and, with the exception of financial literacy requirements, Canadian legislation does not mandate specific technical expertise on Boards. However, various regulators have released guidance for their constituents on protecting against cybersecurity risks. For example, on September 26, 2013, the Canadian Securities Administrators (“CSA”) released SN 11-326, Cyber Security, which suggests, among other things, that issuers should specifically review their cybercrime risk and regularly review their cybersecurity risk control measures.

It is becoming increasingly common for Canadian reporting issuers to reference cybersecurity risks in their annual securities disclosure documents or public offering documents. In its 2015 Best Practices for Proxy Circular Disclosure Guidance, the Canadian Coalition for Good Governance (“CCGG”) suggests that Boards should disclose the processes that enable them to identify and monitor risk management efforts.

Review the full article by McCarthy Tétrault LLP.
