Skip to content.

Is Cyber-Related Securities Litigation Coming to Canada?

This article originally appeared in our Canadian Securities Litigation: Trends to Watch 2023 publication, which provides an in-depth overview of the most significant developments in the Canadian securities litigation landscape in 2022 and trends to watch for in 2023. Download the full publication here.

 

The prevalence and sophistication of cyber attacks is an emergent risk for public companies and other capital market participants. Cybersecurity incidents can have significant financial, operational, legal and reputational impacts. As a result, there is heightened scrutiny by stakeholders and regulators of cybersecurity-related disclosures, including disclosure of risk mitigation controls, strategy and governance and timely disclosure of cybersecurity incidents.

Even in the absence of more prescriptive regulatory requirements, stakeholders are increasingly challenging the adequacy of cybersecurity-related disclosures following a cybersecurity incident, both through class action litigation and complaints to regulators.

This growing trend in cybersecurity disclosure-related litigation has not yet reached Canada, but Canadian companies should be watching. Cybersecurity class action litigation in Canada has generally advanced liability theories based only on harm to individuals whose information was impacted, not harm to shareholders as a result of misleading or inaccurate cybersecurity-related disclosure. The landscape is different in the United States, where cybersecurity-related disclosure securities class actions are a developing area for plaintiff’s counsel.

Enhanced cybersecurity disclosure requirements will increase the risk of litigation, including class actions and securities enforcement action. Although Canadian securities regulators have not proposed nor implemented any enhanced mandatory cybersecurity-related disclosure requirements for public companies or registrants, we anticipate that the cybersecurity disclosure requirements implemented or proposed in other jurisdictions may prompt Canadian developments.

In Canada, Regulatory Guidance but No Rules

Canadian public issuers are required to disclose material risks affecting their business (including the financial impacts of such risks, where practicable) as well as any material change in their business, operations or capital that would reasonably be expected to have a significant effect on the market price or value of any of the securities of the company.[i] Canadian registered advisors, dealers and investment fund managers are also required to establish a system of controls to ensure compliance with securities legislation and manage the risks associated with the business in accordance with prudent business practices.[ii]

Any material cybersecurity risks or cybersecurity incidents must be disclosed under general disclosure requirements. However, Canadian securities regulators have not imposed enhanced mandatory disclosure about cybersecurity risk management, a company’s cybersecurity posture or cyber attacks. To date, Canadian securities regulators have only published guidance which sets outs regulatory expectations for issuers’ cybersecurity-related disclosures (published in 2017)[iii], including:

  • risk governance and risk mitigation strategy (including to what extent the issuer maintains insurance for cybersecurity incidents and its reliance of third party experts for cybersecurity strategy or remediation of cyber incidents);
  • specific, detailed disclosure of material cybersecurity risks with determination of materiality requiring assessment of both the probability of cybersecurity incident(s) and the anticipated magnitude of the incident;
  • maintenance of internal controls and procedures designed to ensure that detected cybersecurity incidents are communicated to management for timely disclosure decisions; and
  • material cybersecurity incidents, including if appropriate disclosure of the anticipated impact and costs of the incident, with materiality determination based on a contextual analysis of the incident and related circumstances, including impact on operations and reputation, customers, employees and investors, throughout the different phases of detection, assessment and remediation of the issuer’s incident response process.

Canadian securities regulators expectations for registered dealers, advisors and investment fund managers, include that such registrants have an obligation to:

  1. maintain cybersecurity policies and procedures;
  2. conduct frequent, adequate training for all employees;
  3. perform annual cybersecurity risk assessments;
  4. prepare and implement a cybersecurity incident response plan;
  5. ensure oversight and evaluation of the adequacy of third party service providers’ cybersecurity practices;
  6. implement data protection measures; and
  7. review the adequacy of insurance coverage for cybersecurity incidents.

While such guidance is not a mandatory disclosure rule, Canadian securities regulators apply the guidance “when assessing how firms comply with their obligations to manage the risks associated with their business”.[iv]

The TSX also does not have prescriptive cybersecurity disclosure requirements, but provides guidance in the context of ESG disclosure that encapsulates cybersecurity. The TSX lists cybersecurity and data privacy as a ‘social’ factor that may be material for issuers and thereby trigger disclosure requirements.[v] The TSX notes, “The fundamental principle is that issuers should provide all information that would be material to an investor’s investment decision, including material information about E&S issues”.[vi]

New Proposed Cybersecurity Reporting Obligations in the US

In the United States, the US Securities and Exchange Commission (SEC) currently has only published guidance on cybersecurity obligations.[vii] However, in March 2022, the SEC proposed new cybersecurity-specific rules that, if implemented, will impose significant new disclosure obligations, including requirements to provide disclosure about material cybersecurity incidents, risk management, strategy and governance.[viii] The comment period on the SEC’s proposed new rule has closed. The SEC has not yet confirmed what changes will be made to the proposed rules or when any new rules will take effect.

“Material” Incidents

Under the proposed new rules, issuers would be required to report “material” cybersecurity incidents within four business days of determining the incident is material. An incident would be material if “there is a substantial likelihood that a reasonable shareholder would consider [the incident] important” in making an investment decision, or where the incident would have “significantly altered the ‘total mix’ of information made available” to the investor. Doubts as to the materiality of information should “be resolved in favour of…investors”. The company’s determination of materiality would need to occur as soon as reasonably practicable, and the fact of an ongoing investigation would not be grounds to delay reporting.

If the cybersecurity incident is reportable, companies would be required to disclose specific information including: (i) when the incident was discovered and whether it is ongoing; (ii) a brief description of the nature and scope of the incident; (iii) whether any data was stolen, altered, accessed or used for an unauthorized purpose; (iv) the effect of the incident on the company’s operations; and (v) whether the company has remediated or is remediating the incident. Companies would also be required to disclose in their periodic reports any material changes, additions or updates to information previously reported about a material cybersecurity incident.

Incidents That Are Material in the Aggregate

The proposed new rules would impose new obligations on issuers to analyze cybersecurity incidents in the aggregate, and disclose incidents that while individually immaterial and thus not reportable on their own, have become “material” in the aggregate.

Cybersecurity Risk Management and Strategy

The proposed new rules would further require issuers to make periodic disclosures about their cybersecurity risk management and strategy, including: the issuer’s policies and procedures to identify and manage cybersecurity risks; management’s role in assessing and managing cybersecurity risks and implementing the issuer’s cybersecurity policies, procedures and strategies; management’s relevant expertise in cybersecurity; and the board of directors’ oversight of the company’s cybersecurity risk.[ix]

Trends in Cyber-Related Securities Class Actions

Cyber-related securities litigation is a developing area of class actions in the United States. The core allegation in these claims is that a company or its directors and officers allegedly made false or misleading representations about the company’s cybersecurity posture (e.g., compliance with privacy laws and regulations or not disclosing regulatory investigations) or a cybersecurity incident (e.g., downplaying or not disclosing an incident), and are therefore liable to shareholders for any decline in the company’s share price that occurs after a cybersecurity issue becomes public.

So far, plaintiffs have had a mixed bag of success and face significant challenges in such claims, although several recent decisions may indicate a trend that such claims will survive beyond preliminary motions to strike. For example, In re Equifax Inc. Securities Litigation survived a motion to dismiss, in part, and was later settled for $149 million.[x] Alphabet Inc. v. Rhode Island also survived a motion to dismiss (with the US Supreme court declining leave to appeal in March 2022) and involved a claim for misleading and inadequate risk disclosure regarding cybersecurity threats, some of which were realized risks.[xi] In re K12 Inc. Securities Litigation was dismissed because most of the alleged misrepresentations about the company’s ability to provide virtual learning services were statements that would not be relied on by investors.[xii] All but one claim for misleading cybersecurity disclosure was dismissed in In re Zoom Securities Litigation because of a failure to demonstrate fraudulent intent (which is not a requirement in Canadian securities class actions). The surviving alleged misstatement that the company maintained robust data security capabilities survived as a result of the CEO’s statement that the company had “fallen short…of privacy and security expectations”.[xiii] In re 360 DigiTech, Inc. Securities Litigation was dismissed, including because the company’s statements about its regulatory compliance adequately disclosed the evolving Chinese regulatory landscape and attendant risks.[xiv]

Notwithstanding the challenges plaintiffs face, cyber-related securities fraud claim continue to be filed and remain an emerging risk for issuers. If the SEC’s new rules are implemented, companies’ increased disclosure obligations may provide more fodder for class action plaintiffs and counsel.

In Canada, proposed class actions relating to cyber attacks have so far primarily been focused on individuals whose information may have been affected by a cybersecurity incident, not securities class actions. However, a developing body of Canadian law is making it increasingly difficult for plaintiffs to prosecute these claims, especially where the defendant is the victim of a third party hack and there is no evidence any proposed class member has actually suffered any harm.[xv] Given these developments, we anticipate that Canadian plaintiff’s counsel will follow the trend in the United States and commence securities-related class actions on behalf of investors on the basis of inadequate cybersecurity disclosures and seek damages based on share price drops.

Looking Ahead

Trends in the United States are often a harbinger of what may be coming to Canada. Given the heightened risk of, and enterprise impacts from, a cyber attack, issuers should anticipate that Canadian securities regulators are either already, or will soon be, considering increasing their regulatory reach over issuers’ cybersecurity and disclosure obligations, and Canada may begin to see cyber-related securities class actions. Both of these developments will bring more scrutiny to issuers’ cybersecurity risk management practices and disclosures.

Looking ahead to 2023 and beyond, Canadian public companies should continue to make cybersecurity risk management a priority when assessing compliance with securities laws. Boards of directors should also continue to anticipate increasing responsibility for and oversight of cybersecurity matters, and ensure they are up to date on their legal obligations and the company’s cybersecurity posture and procedures.

 

[i] National Instrument 51-102 - Continuous Disclosure Obligations.

[ii] National Instrument 31-103 - Registration Requirements, Exemptions and Ongoing Registrant Obligations.

[iii] CSA Staff Notice 51-347- Disclosure of Cyber Security Risks and Incidents, (January 19, 2017) and CSA Staff Notice 33-321- Cyber Security and Social Media, (October 19, 2017). The CSA specifically directs Canadian public companies to consider the factors identified by the International Organization of Securities Commissions in its report Cyber Security in Securities Markets- An International Perspective in assessing disclosure obligations.

[iv] CSA Staff Notice 33-321- Cyber Security and Social Media, (October 19, 2017).

[v] TSX Inc. and CPA Canada, A Primer for Environmental and Social Disclosure, (August 2020) at p. 5.

[vi] TSX Inc. and CPA Canada, A Primer for Environmental and Social Disclosure, (August 2020) at p. 7.

[vii] Securities and Exchange Commission, Commission Statement and Guidance on Public Company Cybersecurity Disclosure, (February 26, 2018).

[viii] Securities and Exchange Commission, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, (March 9, 2022).

[ix] Securities and Exchange Commission, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, (March 9, 2022) at pp. 37-39.

[x] In re Equifax Inc. Securities Litigation, Stipulation and Agreement of Settlement, Case 1:17-cv-03463-TWT Document 159-2, (Filed February 13, 2020).

[xi] Alphabet Inc. v. Rhode Island, 142 S.Ct. 1227.

[xii] Boykin v. K12, Inc., No. 21-2351.

[xiii] In re Zoom Securities Litigation, No. 20-cv-02353-JD.

[xiv]In re 360 DigiTech Sec. Litig., 21 Civ. 6013 (AKH).

[xv] See, for example: Owsianik v. Equifax Canada Co., 2021 ONSC 4112; Lamoureux Investment Industry Regulatory Organization of Canada (IIROC), 2021 QCCS 1093; Setoguchi v. Uber B.V., 2021 ABQB 18, appeal dismissed 2023 ABCA 45; Kaplan v. Casino Rama Services Inc, 2018 ONSC 3545.

Authors