ThinkTWENTY20

What are Canadian organizations sharing about cybersecurity risk and oversight? CPA Canada and EY Canada recently joined forces to find out. In a release of preliminary results, a major finding was that almost all organizations surveyed in Canada disclose cybersecurity risks but fewer than 50% of them share information on how they are responding to those risks.

CPA Canada and EY built their common endeavor based on The 2019 EY CEO Imperative Study, which revealed that investors and boards expect CEOs to respond to humanity’s greatest challenges, and cybersecurity is one of them, not only at the corporate level but at the national one.

That study reported that, in its 14th edition of The Global Risks Report, released early in 2019, the World Economic Forum cited four significant technological challenges for  humanity:

 •  Cyberattacks.

•  Data fraud or theft.

•  Critical information infrastructure breakdown. 

•  Adverse consequences of technological  advances.

The study also cited Canada’s National  Cybersecurity Strategy, released in 2018 by the federal government through the Ministry of Public Safety and Emergency. This document recognized how pervasive information technology is, and how it not only enhances quality of life but also creates risks for organizations. As part of the initiatives triggered the release of the National Cybersecurity Strategy, the Canadian Centre for Cybersecurity was established. 

The EY report pointed out that several high-profile cases of cyber breaches have attracted widespread media attention, “proving just how damaging cyberattacks can be.” 

Given the potential consequences of a cyber breach, EY and CPA Canada decided to join forces to analyze Canadian cybersecurity reporting practices. This initiative complements the EY US Center for Board Matters initiatives that began in 2018 to explore what US public companies are sharing about cybersecurity risk and oversight.

The current joint study analyzed a sample of 60 TSX-listed companies to understand the nature and extent of cybersecurity-related disclosures in regulatory filings (such as the annual information form, financial statements, management circular, management discussion and analysis and material change report).

The full report will be issued in early 2020. Until then, some initial findings include:

• Almost all organizations surveyed disclose cybersecurity risks.

• More than 50% of organizations have a committee overseeing the cybersecurity function.

• Fewer than 50% of organizations share information on how they are responding to cybersecurity risks.

• More than 50% of organizations recognize data privacy compliance as another significant risk.

CPA Canada and EY “expect the final report will provide a clearer picture of what public organizations in Canada communicate around cybersecurity.” The current initial report can be found at https://www.ey.com/en_us/board-matters/what-companies-are-sharing-about-cybersecurity-risk-and-oversight.