5 minute read 7 May 2020

How TSX 60 companies are approaching cybersecurity-related disclosures

By Yogen Appalraju

EY Canada Cybersecurity Leader

Committed to helping clients minimize the impact of cyber threats. Proud husband and father.

Related topics Consulting Cybersecurity

Resources

  • CPA Cybersecurity disclosure report - May 2020 (PDF)

As cyber threats continue to intensify, so does the focus on corporate disclosures in public filings.

Cyberattacks represent a real threat that companies must consider as a significant element in their enterprise risk management program. Public disclosures present an opportunity for companies to communicate how they are leading the way in responding to cybersecurity and privacy challenges. Transparency demonstrates not only a commitment to care and due diligence, but also to engagement with stakeholders.

As threats to cybersecurity and privacy become more complex and widespread, stakeholders are expected to scrutinize more closely what corporations disclose about cybersecurity in their public filings.

Our Cybersecurity disclosure report offers a wider range of insights into the cybersecurity-related disclosures found in the public filings of Canada’s top public companies.

The cybersecurity and privacy landscape

The 2019 EY CEO Imperative Study revealed that investors and boards expect CEOs to respond to a broad range of global challenges, with cybersecurity topping the list at both the corporate and national levels. In its Global Risks Report 2020, the World Economic Forum identified the following as the three most significant technological risks for humanity:

  1. Cyberattacks
  2. Data fraud or theft
  3. Critical information infrastructure breakdown

The Office of the Privacy Commissioner (OPC) is currently conducting a series of public consultations aimed at updating Canadian privacy regulations, including the Personal Information Protection and Electronic Documents Act (PIPEDA):

  • Today, all Canadian companies must notify the OPC of data breaches when they represent a real risk of significant harm to affected individuals.
  • In the near future, amendments to federal privacy regulations that support Canada’s Digital Charter will give individuals more control over their personal information and align Canada with international privacy standards.

Current disclosure practices

To help inform Canadian companies about the current level of disclosure, EY and the Chartered Professional Accountants Canada (CPA Canada) jointly analyzed cybersecurity- and privacy-related disclosures included in public reports issued by the TSX 60 companies listed by market capitalization as of December 31, 2018. This represents 70% of the TSX market capitalization.

This initiative complements the EY US Center for Board Matters initiatives, which in 2018 began to explore what US public companies are sharing about cybersecurity risk and oversight.

Cybersecurity-related findings from the filings of Canadian public companies are summarized in the figure.

Figure: Cybersecurity-related findings

Risk disclosure

After analyzing the results, we found that almost all Canadian organizations reviewed (98%) recognized the relevance of cybersecurity-related risks. The only organization that did not include cybersecurity in the risk disclosure section focused its disclosure on risks that could impact physical assets.

Board oversight

Approximately half (52%) of organizations reviewed have assigned just one committee to oversee cybersecurity matters, while 20% have assigned more than one committee (for a total of 72%). The figure summarizes the committees assigned to this function by the organizations reviewed.

Canadian companies are using both the audit committee (45%) and other committees (47%) to oversee cybersecurity considerations.

Figure: Board oversight committees

Nearly three quarters (72%) of Canadian organizations communicate cybersecurity matters to the board, and 67% of organizations specify the frequency with which they report to the board.

Cybersecurity incident management

Just under half (48%) of Canadian organizations disclosed the existence of cybersecurity incident management procedures to deal with unexpected situations directly impacting their electronic data processing activities. These incidents range from minor issues such as information technology devices not working properly to more sophisticated challenges like a distributed denial of service or a privacy breach.

Regarding response planning, disaster recovery and business continuity, the study observed that 42% of organizations have disclosed measures for responding to contingencies that affect operations beyond their electronic data processing capabilities.

More than a third (38%) of organizations disclosed that their preparedness for responding to unexpected situations includes simulations, tabletop exercises, response readiness tests or independent assessments.

Several high-profile cases of cybersecurity breaches have attracted widespread media attention by proving just how damaging cyberattacks can be and by creating a catalyst for change for cybersecurity risk disclosures.
Yogen Appalraju
EY Canada Cybersecurity Leader

Risk management

The use of specialized processes and procedures, as well as the implementation of management systems, are among the key elements organizations rely on to face these challenges. Where the frameworks supporting the cybersecurity strategy were specified, ISO 27000[1], NIST[2] and PCI DSS[3] were mentioned.

Education and training to mitigate cybersecurity risks is a prominent method companies are using, mentioned by 47% of organizations. Cybersecurity and privacy awareness sessions are the most common ways organizations are addressing this.

Only 8% of organizations disclosed their involvement in the development of collaboration initiatives to interact with peers, industry groups or policymakers to share ideas and identify leading practices to respond to cybersecurity challenges. Meanwhile, 5% of organizations use an external cybersecurity advisor.

Privacy

At a time when PIPEDA has been amended to make notification of data breaches mandatory where they represent a real risk of significant harm to the affected individuals, 50% of Canadian organizations disclosed their focus on effectively responding to privacy regulations, including PIPEDA and the EU’s GDPR, among others.

One-fifth (20%) of all organizations disclosed that they have experienced some sort of cyberattack. These organizations belong to different industries, including the financial, retail, consumer products, mining, technology, telecommunications and services sectors. Nine of the organizations that experienced a cyberattack described it as not material, while three described how the event was significant for them.

Questions for management and the board to consider

  • Have we documented, and do we fully understand, the cyberspace in which we and our business partners and other stakeholders operate?
  • Have we taken steps to understand investors’ concerns about our exposure to cybersecurity risk and how we should address these concerns in our disclosures?
  • Are we satisfied that cybersecurity risk and its mitigation receive appropriate attention in our governance structure? Is it clear who has the responsibility for overseeing this area?
  • Have we assessed each of our core periodic documents separately for the kind of operational, financial and regulatory cybersecurity risk disclosures required? Do we have procedures in place to revisit this disclosure practice regularly?
  • Have we defined internal procedures for assessing the materiality of cybersecurity breaches or other occurrences?

References

[1] International Organization for Standardization 27000 series of standards.
[2] National Institute of Standards and Technology.
[3] Payment Card Industry Data Security Standard.

Summary

In a world where it’s not a matter of if you’ll be breached, but when, boards, investors, regulators and other governance stakeholders are becoming increasingly interested in how companies guard against, plan for and respond to cybersecurity threats.
