Market watchdogs eye new rules on how companies disclose ‘material’ risks like climate change, cyber attacks

Canada’s securities regulators are considering new rules that would require companies to disclose more about how they identify and manage “material” risks from a variety of factors including climate change, cyber security, potential free trade barriers, and disruptive technology.

The Canadian Securities Administrators, an umbrella organization for the country’s 13 provincial and territorial capital markets watchdogs, identified the broad focus on risk governance and oversight on Thursday at the conclusion of a year-long project that looked at current climate change disclosure.

Regulators were considering whether current rules governing disclosure of risks and financial impacts associated with climate change are sufficient, and whether they allow investors to make informed voting and investment decisions.

“The research conducted and extensive feedback received during our consultation led us to believe that new disclosure requirements should be considered as part of corporate governance practices,” said Huston Loke, director of corporate finance at the Ontario Securities Commission. 

At the conclusion of the project, the regulators determined that their next steps should broaden the review of disclosure and governance to encompass hot-button risks such as cyber threats.

• Ottawa expected to give banks more leeway to invest in fintechs
• Market watchdogs pitch tougher rules for syndicated mortgages to protect investors
• OSFI putting Canadian banks on fast track for new capital rule

Bank of Canada senior deputy governor Carolyn Wilkins warned late last month that the threat of cyber attacks is a growing concern, particularly given the rapid pace of financial innovation and the interconnectedness of a rapidly evolving financial ecosystem.

“Risk is constantly shifting,” she said.

On the regulatory front, stepping up scrutiny of cyber threats is already on the agenda of the investment industry’s self-regulatory agency. The Investment Industry Regulatory Organization of Canada recently told all dealers who are members that they are expected to “promptly report… the occurrence of any cybersecurity incident” to the regulator.

The measure is a stop-gap as IIROC prepares to propose amendments to rules that require mandatory reporting of only “certain” cybersecurity incidents.

“Prompt reporting will enable us to help both the affected firm, and the rest of the industry, guard against attacks,” IIROC said. “It will also allow us to collect data that enables us to evaluate trends on cybersecurity.”