The Canadian Securities Administrators (CSA) has published Staff Notice 11-332 on cybersecurity, building
on Staff Notice 11-326 which was issued in 2013.
The latest notice informs issuers, registrants and marketplaces of
the CSA's existing initiatives, lists existing cybersecurity
standards from a variety of sources and sets out general cybersecurity
expectations. The notice reminds market participants that
"with advancing technology, cyber adversaries are becoming
more sophisticated and the potential for damage is ever
increasing." Along with recent high-profile hacking incidents,
these trends are generating regulatory responses globally. The CSA
has made cybersecurity a priority in its 2016-2019 business plan.
The main points from the staff notice are set out below.
disclosures will be scrutinized more heavily through the continuous
disclosure review process. Issuers are expected to provide risk
disclosure that is as detailed and entity-specific as
Members of the CSA will review the
cybersecurity disclosure of larger issuers in the coming months and
may contact some of those issuers to discuss how they assessed the
materiality of cybersecurity risks and attacks. The CSA will
publish this review and its resulting recommendations.
Furthermore, in their cyber-attack
remediation plans, issuers should address the threshold for public
disclosure, taking into account the impact on the issuer's
operations, reputation, customers, employees and investors.
Registrants' cybersecurity risks
are generally discussed with CSA staff as part of the
registrant's compliance review and some CSA members are
gathering data on registrant cybersecurity practices. The
discussions focus on cybersecurity programs, safeguards and
controls, use of encryption, risks related to third-party vendors,
employee training, incident report plans and electronic fund
transactions. The CSA is planning a more detailed desk review to
assess the topics discussed in regular compliance reviews.
Registered firms are expected to
continue to review and follow guidance issued by IIROC, the MFDA or
other relevant self-regulatory bodies.
Regulated entities (i.e.,
marketplaces, clearing agencies, trade repositories and information
processors) should continue to perform independent system reviews,
which have had a specific focus on cybersecurity since 2013.
Regulated entities are expected to
examine their compliance with existing requirements under
securities laws, including the terms and conditions of their
recognition, registration or exemption orders, and they are also
expected to adopt an established cybersecurity framework.
The CSA has started gathering
information on regulated entities' cybersecurity frameworks to
manage and reduce cybersecurity risks. One CSA member went further
and examined the interconnections, interdependencies and single
points of failure to understand the health of the system and the
potential impact of a directed attack.
Related Regulatory Initiatives
Members of the International
Organization of Securities Commissions (IOSCO) are increasing their
efforts to share information and cooperate in investigations,
including the use of the IOSCO Multilateral Memorandum of
Understanding to investigate cyber-related market manipulation and
The CSA will hold roundtable sessions
in the next few months to discuss risks, issues and regulatory
expectations. Details on the roundtables are forthcoming.
The staff notice contains links to
various cybersecurity resources, including the following: