Regulatory Guidance for Reporting Issuers’ Continuous Disclosure of Cybersecurity Risks and Incidents

On January 19, 2017, the Canadian Securities Administrators (CSA) published Multilateral Staff Notice 51-347 — Disclosure of cyber security risks and incidents, which explains the CSA’s expectations for continuous disclosure of cybersecurity risks and incidents by “reporting issuers” (companies that have issued shares to the public). The Multilateral Staff Notice supplements a previous CSA notice regarding cybersecurity risk management, and provides guidance to help reporting issuers comply with their legal obligations to ensure that investors have timely, material information to make informed investment decisions.

To comply with continuous disclosure obligations regarding cybersecurity risks, a reporting issuer will have to establish the kind of risk identification and assessment processes that are an essential component of an effective cyber risk management program. Regulators, industry associations and other organizations have emphasized that all kinds of organizations (not just reporting issuers) should have a documented, comprehensive cyber risk management program.
