Israel Securities Authority: Cyber Event Requires Reporting
The Israel Securities Authority has published a staff position paper addressing public companies’ required disclosures for all cyber-related issues. This follows the increasing magnitude and scope of cyber threats, as well as growing concerns about disruptions to public companies’ operations.
Although the position paper does not prescribe new disclosure obligations, it does clarify the existing disclosure requirements imposed on both public companies and reporting corporations. Moreover, it reiterates that disclosures consistent with the ISA’s position paper are subject to the relevant tests of materiality.
Disclosure in a Prospectus and a Periodic Report
In the clause “discussion of risk factors” – cyber risks are treated like any other risk factor. If a corporation faces a material cyber risk that could disrupt its operations, it must disclose that risk in the clause on “discussion of risk factors.” The disclosure must describe the risk, the company’s cyber-security policy, and how implementation of that policy is supervised. It should also refer to the company’s tests of the effectiveness of its cyber-security measures.
Factors When Analyzing the Materiality of Cyber Risks
A corporation should take into account the following factors when analyzing the materiality of its cyber risks:
- Previous cyber-attacks that occurred, including their severity and frequency.
- The likelihood of cyber-attacks materializing.
- The effectiveness of the corporation’s capabilities in preventing or minimizing its exposure to cyber risks.
- Business and operating aspects of the corporation’s activities that pose material cyber risks, and the potential costs and repercussions of these risks, including risks that are specific to its sphere of business and risks posed by service providers and other third parties with whom the corporation has interconnectivity.
- The resources involved in maintaining cyber-security protections, including the purchasing of cyber insurance coverage.
- Potential damage to assets, including intellectual property and reputational damages, as well as the severity of the potential damage to the corporation’s competitive advantages.
- Laws and regulations, in effect or pending, that may affect the costs the corporation incurs in complying with them.
In the clause “event or matter outside of the corporation’s ordinary course of business” – if material cyber-attacks occurred during the reporting period, the corporation should consider including a brief description of them. Alternatively, it should disclose them by referring to the immediate reports it published describing the cyber-attacks.
Depending on the circumstances and facts, and to the best of the corporation’s knowledge, the description should include details such as the identity or type of the cyber-attackers, the circumstances of the cyber-attack, and the number of cyber-attacks and the duration of each. It should also state whether the corporation assesses that the cyber-attack has ended; the volume and types of damage caused, including indirect repercussions; the corporation’s assessment of whether it has detected all of the direct damage; and the corporation’s efforts to contend with the cyber-attack.
In addition, the description should include the conclusions drawn and the measures instituted to prevent any recurrence of this type of cyber-attack. Even if a corporation has not fallen prey to a single material cyber-attack, if it has had to contend with several cyber incidents that collectively are material, then it should consider issuing such a disclosure.
Disclosure in the Directors’ Report to the Shareholders
Insofar as a corporation believes its exposure to cyber risks has materially increased during a reporting period, to a degree relevant to a general understanding of its business operations, or if one or more cyber-attacks occurred that had a material impact on one or more items in its financial statements (statement of financial position or operating results), then the directors’ report should contain explanations in this regard.
The directors’ explanations may be necessary even if no cyber incident occurred that had a direct impact on the corporation’s financial statements, but if details of cyber-related matters were described in the section “Description of the Corporation’s Businesses,” such as if the corporation purchased cyber insurance.
Disclosure in Immediate Reports
Upon the occurrence of a cyber-attack, a corporation should, inter alia, ascertain the materiality of the event as it pertains to compulsory reporting to the public. When ascertaining materiality, the corporation should analyze and evaluate all of the direct and indirect actual damages and potential damages.
Examples of Cyber-Related Incidents
Following are a few examples of cyber-related incidents that may require the publishing of an immediate report (not an exhaustive list):
- The corporation’s business operations were temporarily disrupted.
- The corporation’s databases were hacked in a way that is liable to directly or indirectly impact the corporation’s operations. If the database falls under privacy protection laws, the corporation must also issue an additional separate disclosure in this regard.
- The corporation’s main computerized system material to its operations has been damaged in a way that materially disrupts the corporation’s operations.
- The corporation received a demand to pay a ransom at a material sum during a cyber-attack.
- The corporation discovered that cyber-attackers hacked into its computerized systems (such as email accounts) and divulged business secrets, or the corporation detected a theft of personal business information that, if publicized, is liable to cause material damage to the corporation.
- A cyber-security breach was discovered in a product or system that the corporation manufactured or that is under its responsibility, which would result in the corporation facing material exposure (as a manufacturer, product supplier, etc.).
Definitions
“Cyber risk” – the risk of a cyber-attack materializing.
“Cyber-security” – all operations required to prevent, contend with, and handle cyber-attacks, in order to minimize their impact and the damages they cause during and after, including information-security operations.
“Cyber-attack” – an attack designed to gain unauthorized access to or make unauthorized use of computer networks and systems to expose, alter, disable, destroy, steal, or corrupt the computerized material stored there.
***
Clarification: The above is a brief summary only. We recommend reading the full version of the ISA’s staff position paper in order to obtain complete information.
If you would like to discuss the above or require further information, please contact a member of our Capital Markets team.
Source: barlaw.co.il