Is Cyber-Related Securities Litigation Coming To Canada?

Jurisdiction: United States, Federal
Law Firm: McCarthy Tétrault LLP
Subject Matter: Corporate/Commercial Law, Litigation, Mediation & Arbitration, Technology, Class Actions, Securities, Security
Author: Wendy Berman, Daniel Glover, Katherine Booth, Brittany Cerqua and Jessica Mank
Published date: 25 April 2023

This article originally appeared in our Canadian Securities Litigation: Trends to Watch 2023 publication, which provides an in-depth overview of the most significant developments in the Canadian securities litigation landscape in 2022 and trends to watch for in 2023. Download the full publication here.

The prevalence and sophistication of cyber attacks is an emergent risk for public companies and other capital market participants. Cybersecurity incidents can have significant financial, operational, legal and reputational impacts. As a result, there is heightened scrutiny by stakeholders and regulators of cybersecurity-related disclosures, including disclosure of risk mitigation controls, strategy and governance and timely disclosure of cybersecurity incidents.

Even in the absence of more prescriptive regulatory requirements, stakeholders are increasingly challenging the adequacy of cybersecurity-related disclosures following a cybersecurity incident, both through class action litigation and complaints to regulators.

This growing trend in cybersecurity disclosure-related litigation has not yet reached Canada, but Canadian companies should be watching. Cybersecurity class action litigation in Canada has generally advanced liability theories based only on harm to individuals whose information was impacted, not harm to shareholders as a result of misleading or inaccurate cybersecurity-related disclosure. The landscape is different in the United States, where cybersecurity-related disclosure securities class actions are a developing area for plaintiff's counsel.

Enhanced cybersecurity disclosure requirements will increase the risk of litigation, including class actions and securities enforcement action. Although Canadian securities regulators have neither proposed nor implemented any enhanced mandatory cybersecurity-related disclosure requirements for public companies or registrants, we anticipate that the cybersecurity disclosure requirements implemented or proposed in other jurisdictions may prompt Canadian developments.

In Canada, Regulatory Guidance but No Rules

Canadian public issuers are required to disclose material risks affecting their business (including the financial impacts of such risks, where practicable) as well as any material change in their business, operations or capital that would reasonably be expected to have a significant effect on the market price or value of any of the securities of the company.[1] Canadian registered advisors, dealers and investment fund managers are also required to establish a system of controls to ensure compliance with securities legislation and manage the risks associated with the business in accordance with prudent business practices.[2]

Any material cybersecurity risks or cybersecurity incidents must be disclosed under general disclosure requirements. However, Canadian securities regulators have not imposed enhanced mandatory disclosure about cybersecurity risk management, a company's cybersecurity posture or cyber attacks. To date, Canadian securities regulators have only published guidance which sets out regulatory expectations for issuers' cybersecurity-related disclosures (published in 2017),[3] including:

  • risk governance and risk...
