The Canadian Securities Administrators (CSA) have published a
new staff notice to promote cybersecurity awareness, preparedness
and resilience in Canadian capital markets and to encourage better
disclosure by issuers.
The CSA first published a notice on cybersecurity in 2013,
reminding issuers and registrants of the importance of putting into
place strong security measures to safeguard themselves and their
clients. Issuers were also advised to consider whether and to what
extent cybercrime risks, incidents and controls to address such
risks should be disclosed in a prospectus or a continuous
In its new notice, the CSA advises that it considers
cybersecurity a priority and expects issuers and registrants to
take steps to protect themselves against cyber threats.
The securities regulators will be re-examining issuer disclosure
related to cybersecurity in the coming months. As issuers begin to
turn their minds to the upcoming annual reporting season, they
should assess the cybersecurity risks they face and consider the
type and level of disclosure, if any, to include in their MD&A
and annual information forms. To the extent that they consider the
risk material, issuers should avoid boilerplate and provide cyber
risk disclosure that is as detailed and company specific as
possible. Issuers should also consider the threshold required to
determine that a cyberattack is material and should be disclosed,
taking into consideration the impact on their operations, reputation,
customers, employees and investors.
In respect of registrants, the CSA advises that it has been
gathering data about the cybersecurity practices in place and will
continue to discuss cybersecurity policies and procedures with
registered firms as part of compliance reviews. Registrants are
expected to remain "vigilant," regularly review their
cybersecurity risk control measures and update their procedures in
accordance with industry best practices.
Part of cybersecurity preparedness for both issuers and
registrants includes continually reviewing guidance and best
practices from industry associations and tailoring a program to
meet the organization's specific needs. The new CSA notice
includes links to a number of reference documents that may be
useful to issuers and registrants.
The September 2016 CSA Staff Notice 11-332 can be accessed here.
The September 2013 CSA Staff Notice 11-326 can be accessed here.
About Norton Rose Fulbright Canada LLP
Norton Rose Fulbright is a global law firm. We provide the
world's preeminent corporations and financial institutions with
a full business law service. We have 3800 lawyers and other legal
staff based in more than 50 cities across Europe, the United
States, Canada, Latin America, Asia, Australia, Africa, the Middle
East and Central Asia.
Recognized for our industry focus, we are strong across all the
key industry sectors: financial institutions; energy;
infrastructure, mining and commodities; transport; technology and
innovation; and life sciences and healthcare.
Wherever we are, we operate in accordance with our global
business principles of quality, unity and integrity. We aim to
provide the highest possible standard of legal service in each of
our offices and to maintain that level of quality at every point of