
New SEC cybersecurity rules for Canadian firms

François M. Tremblay


2024-03-26 · 5 min read


In July 2023, the United States Securities and Exchange Commission (SEC) adopted rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies.

https://www.sec.gov/news/press-release/2023-139

For Canadian issuers filing on Form 40-F under the Multijurisdictional Disclosure System (MJDS) between the United States and Canada, these rules may not apply directly, but Canadian companies could still be affected.

I had the privilege of discussing this with Chris Hetner; here are the highlights.

Chris breaks the SEC's decision into two essential components. The first concerns cybersecurity-focused disclosures in Form 10-K, which require companies to describe how they oversee, manage, and report cybersecurity internally. Chris stresses the importance of identifying, containing, reporting, and determining the materiality of cybersecurity incidents, taking into account their potential financial and operational impacts. He points out that investors are particularly interested in understanding how companies manage cybersecurity risks alongside other types of risks, such as financial and operational risks. Chris also mentions the growing importance of artificial intelligence and machine learning platforms and suggests that the SEC may want to ensure that companies adequately manage the risks associated with these technologies.

Moving to the second part of the SEC's decision, Chris explains the importance of filing Form 8-K, which covers incidents resulting from cyber events within organizations. He discusses various types of cyber incidents, including human error, state-sponsored attacks, internal data misuse, and ransomware attacks, highlighting their potential impacts on data security and business continuity. Chris emphasizes that companies need processes in place to assess the scope and materiality of cyber events, involving multidisciplinary teams and external stakeholders such as the general counsel and outside counsel. He notes that although current Form 8-K disclosures tend to be qualitative, investors are increasingly interested in understanding the financial implications of cyber incidents, such as impacts on stock prices, insurance premiums, customer churn rates, and loss of intellectual property.

The SEC's decision does not apply in the same way in Canada, because a different disclosure system takes precedence, but concerns arise regarding Canadian service providers working for American companies. Chris emphasizes the importance of disclosing cyber incidents for Canadian providers working for U.S. publicly traded companies. He stresses the need for stronger vendor risk management, including specific requirements such as technological controls and incident response plans. Coordination with U.S. entities is crucial to determine the materiality of incidents. Chris suggests more frequent exercises and simulations between Canadian providers and U.S. companies to ensure synchronized response processes. He concludes that this area requires more attention and highlights the need for additional measures to address cybersecurity risks in the service provider ecosystem.

Chris Hetner

Chris Hetner is a senior executive, a board member, and a cybersecurity leader recognized for elevating cyber risk to the board level to protect industries, infrastructures, and economies. He creates operational resilience by aligning robust cybersecurity strategies with business objectives. Mr. Hetner's professional judgment, combined with a public company perspective and experience with SEC regulation and investor oversight, has enabled him to successfully hold roles within companies and governments. He currently sits on the board of the private equity fund TCIG, is a senior advisor to the Chertoff Group, special advisor for cyber risk to the NACD, head of cybersecurity and privacy at the NASDAQ Center for Board Excellence, and a member of the national board of the Society of Hispanic Professional Engineers.

He was senior cybersecurity advisor to the chairman of the United States Securities and Exchange Commission (SEC) and was responsible for cybersecurity within the SEC's Office of Compliance Inspections and Examinations. He also represented the SEC chairman as a senior member of the committee on financial and banking information infrastructure at the U.S. Department of the Treasury. Among his major contributions are the vision and implementation of the agency's first cybersecurity governance framework, the threat intelligence program, and incident response capabilities. The cybersecurity framework he established improved the national examination program's ability to monitor and respond to cyber risks and cyber threats across the U.S. securities marketplace.

François M. Tremblay

François M. Tremblay is a Senior GRC Advisor who has worked as an IT consultant since 1993. Over the course of his various assignments, he has distinguished himself by an approach and work ethic based on active listening and communication. Having worked for both large and smaller consulting firms, he has had the opportunity to work with clients of all sizes across major industry sectors (insurance, government, healthcare, technology, energy, education, manufacturing, etc.).

Always on the lookout for emerging trends and technologies, his main objective is to work with the organization to find the right balance between risks and opportunities, between compliance, reliability, and business growth. Demonstrating leadership and initiative, he strives to clarify needs and develop suitable, pragmatic solutions. Lively and imaginative, Mr. Tremblay is eager to take on new challenges.
