
New US SEC cybersecurity rules for Canadian firms

François M. Tremblay
26.3.2024

In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies.

https://www.sec.gov/news/press-release/2023-139

The rules may not apply directly to Canadian issuers that report on Form 40-F under the U.S.-Canada Multijurisdictional Disclosure System (MJDS), but Canadian companies can still be affected by them.

I had the privilege of discussing it with Chris Hetner; here are the highlights.

Chris breaks the SEC's decision down into two key components. The first concerns the cybersecurity-focused disclosures in Form 10-K, which require companies to describe how they oversee, manage, and report on cybersecurity. Chris emphasizes the importance of identifying, containing, and reporting cybersecurity incidents and of determining their materiality, taking into account their potential financial and operational impacts. Investors, he notes, are particularly interested in understanding how companies manage cybersecurity risk alongside other types of risk, such as financial and operational risk. Chris also mentions the growing importance of artificial intelligence and machine learning platforms and suggests that the SEC may want to ensure that companies are adequately managing the risks associated with these technologies.

Moving on to the second component, Chris explains the role of the Form 8-K filing, which covers incidents resulting from cyber events within an organization. He discusses various types of cyber incidents, including human error, nation-state attacks, internal data abuse, and ransomware, highlighting their potential impact on data security and business continuity. Chris stresses that companies need processes in place to assess the magnitude and materiality of a cyber event, involving cross-functional teams and stakeholders such as general counsel and outside counsel. He notes that while current Form 8-K disclosures tend to be qualitative, investors are increasingly interested in the financial implications of cyber incidents, such as effects on the stock price, insurance premiums, customer attrition, and loss of intellectual property.

The SEC's decision does not apply to Canada in the same way, because Canadian issuers report under a different disclosure system, but concerns arise for Canadian service providers working for U.S. companies. Chris emphasizes the importance of disclosing cyber incidents for Canadian suppliers that serve publicly traded U.S. companies. He sees a need for stronger supplier risk management, including specific standards for technology controls and incident response plans. Coordination with the U.S. entity is crucial to determine the materiality of an incident, and Chris suggests more exercises and simulations between Canadian suppliers and U.S. companies to ensure that their response processes are synchronized. He concludes that this area requires further attention and that additional measures are needed to address cybersecurity risk across the service provider ecosystem.

Chris Hetner is a senior executive, board member, and cybersecurity leader recognized for elevating cyber risk to the board level to protect industries, infrastructure, and economies. He creates operational resilience by aligning robust cybersecurity strategies with corporate objectives. Mr. Hetner's professional judgment, combined with a public company perspective and experience in SEC regulation and investor oversight, has allowed him to successfully serve in corporate and government roles. He currently serves on the board of directors of the private equity fund TCIG, is a senior advisor to The Chertoff Group, a special advisor for cyber risk to the NACD, the chair of cybersecurity and privacy for the NASDAQ Center for Board Excellence, and a national board member of the Society of Hispanic Professional Engineers.

He served as the Senior Cybersecurity Advisor to the Chairman of the U.S. Securities and Exchange Commission (SEC) and as the Cybersecurity Officer in the SEC's Office of Compliance Inspections and Examinations. He also represented the SEC Chairman as a Senior Member of the U.S. Department of the Treasury's Committee on Financial and Banking Information Infrastructure. His key contributions included the vision and implementation of the first agency-wide cybersecurity governance structure, threat intelligence program, and incident response capabilities. The cybersecurity framework he established enhanced the National Examination Program's ability to monitor and respond to cyber risks and threats across the U.S. securities market.

François M. Tremblay is a Senior CRM Consultant who has been working as an IT consultant since 1993. Throughout his various assignments he has distinguished himself by an approach and work ethic based on active listening and communication. Having worked for both large and smaller consulting firms, he has had the opportunity to serve clients of all sizes in major sectors (insurance, government, healthcare, technology, energy, education, manufacturing, etc.).

Always on the lookout for emerging trends and technologies, his main objective is to work with the organization to find the right balance between risks and opportunities, between compliance, reliability and business growth. Demonstrating leadership and initiative, he strives to clarify needs and develop adapted and pragmatic solutions. Lively and imaginative, Mr. Tremblay is eager to take on new challenges.
