Watchdogs eye new rules on ‘material’ risk disclosure
TORONTO - Canada’s securities regulators are considering new rules that would require companies to disclose more about how they identify and manage “material” risks from a variety of factors including climate change, cybersecurity, potential free trade barriers, and disruptive technology.
The Canadian Securities Administrators, an umbrella organization for the country’s 13 provincial and territorial capital markets watchdogs, identified the broad focus on risk governance and oversight on Thursday at the conclusion of a yearlong project that looked at current climate change disclosure.
Regulators were considering whether current rules governing disclosure of risks and financial impacts associated with climate change are sufficient, and whether they allow investors to make informed voting and investment decisions.
“The research conducted and extensive feedback received during our consultation led us to believe that new disclosure requirements should be considered as part of corporate governance practices,” said Huston Loke, director of corporate finance at the Ontario Securities Commission.
At the conclusion of the project, the regulators determined that their next steps should broaden the review of disclosure and governance to encompass not only climate change but also hot-button risks such as cyber threats.
Bank of Canada senior deputy governor Carolyn Wilkins warned late last month that the threat of cyber attacks is a growing concern, particularly given the rapid pace of financial innovation and the interconnectedness of a rapidly evolving financial ecosystem.
“Risk is constantly shifting,” she said.
On the regulatory front, stepping up scrutiny of cyber threats is already on the agenda of the investment industry’s self-regulatory agency. The Investment Industry Regulatory Organization of Canada recently told all dealers who are members that they are expected to “promptly report … the occurrence of any cybersecurity incident” to the regulator.
The measure was a stopgap as IIROC prepared proposed amendments to rules that require mandatory reporting of only “certain” cybersecurity incidents.
The proposed new rules, published for industry comment on Thursday, would require dealers to report any cybersecurity incidents within three days of discovering them.
A more detailed report with information including the scope and number of people harmed or inconvenienced would be required within 30 days.
Industry participants have until May 22 to comment on the proposed changes.
“Prompt reporting will enable us to help both the affected firm, and the rest of the industry, guard against attacks,” IIROC said. “It will also allow us to collect data that enables us to evaluate trends on cybersecurity.”
IIROC describes cybersecurity incidents as “any act to gain unauthorized access to, disrupt or misuse a dealer member’s information system or information stored on such information system” in a way that could cause substantial harm or inconvenience to people or have a material impact on the normal operations of the dealer.