A Weekend in Incident Response #16: Canadian Securities Administrators Issues Updated Guide on Disclosure of Cyber Security Risks and Incidents

Posted by Dario Forte - 10th Feb 2017

The Canadian Securities Administrators (CSA) continues to ramp up its efforts to improve cyber security for reporting issuers, which include companies with publicly traded securities. The latest step in this direction is the introduction of the Multilateral Staff Notice 51-347 – Disclosure of cyber security risks and incidents, an update to the Staff Notice 11-322 – Cyber Security guide issued in September 2016. The CSA considers cyber security to be one of its top priorities, and these guidelines are meant to help regulated entities mitigate cyber security risks.

The main goal of these latest notices is to regulate the way certain organizations disclose cyber security risks and incidents. Issuers are expected to comply with the obligations prescribed in the Multilateral Staff Notice, which, among other things, requires them to file detailed reports on each detected cyber security risk and incident.

Automation Platform for Efficient and Detailed Disclosure

Complying with the continuous disclosure obligations might be difficult for some reporting issuers, as it may require spending a significant amount of time and money, potentially affecting their bottom line. However, there are solutions that can help ease that additional strain. For instance, there are automated platforms that are capable of maintaining complete control over cyber security incidents and managing risks.

Using a platform that can predict, detect, and respond to cyber security breaches can help organizations contain the damage resulting from incidents that have occurred, and reduce the risk of such incidents occurring in the future, while also complying with disclosure obligations.

One of the key capabilities of such platforms in relation to the disclosure obligations is that they can create automated reports for each incident and track every action taken by an organization’s computer security incident response team. These types of features are crucial to every organization’s efforts to comply with the above-mentioned requirements.

Multiple Customizable Report Types

The Multilateral Staff Notice requires reporting issuers to disclose specific and detailed reports on every detected material cyber security risk, while also disclosing what actions they take to mitigate and manage those risks. Furthermore, when disclosing cyber security incidents, issuers are required to notify authorities of the potential impact of an incident and the costs ensuing from it. This is where an automated cyber incident response platform can prove very useful to reporting issuers. These platforms are able to create different types of customizable reports containing detailed information about a given cyber security risk or incident.

For example, they can generate encrypted PDF reports, along with DOC, IODEF, IOC and TXT reports, depending on an organization’s needs during a particular incident. These reports include information such as incident type, actions taken, evidence, and time of detection, to name a few.

Utilizing a platform of this type, reporting issuers can have peace of mind that all cyber security risks are detected in a timely manner and all incidents are resolved as quickly and effectively as possible, while complying with disclosure obligations in the process.