The Canadian Securities Administrators (CSA) has published Staff Notice 11-332 on cybersecurity, building
on Staff Notice 11-326 which was issued in 2013.
The latest notice informs issuers, registrants and marketplaces of
the CSA's existing initiatives, lists existing cybersecurity
standards from a variety of sources and sets general cybersecurity
expectations. The notice reminds market participants that
"with advancing technology, cyber adversaries are becoming
more sophisticated and the potential for damage is ever
increasing." Along with recent high-profile hacking incidents,
these trends are generating regulatory responses globally. The CSA
has made cybersecurity a priority in its 2016-2019 business plan.
The main points from the staff notice are set out below.
Issuers' cybersecurity disclosures will be scrutinized more
heavily through the continuous disclosure review process. Issuers
are expected to provide risk disclosure that is as detailed and
entity-specific as possible.
Members of the CSA will review the cybersecurity disclosure of
larger issuers in the coming months and may contact some of those
issuers to discuss how they assessed the materiality of
cybersecurity risks and attacks. The CSA will publish this review,
and resulting recommendations.
Furthermore, in their cyber-attack remediation plans, issuers
should address the threshold for public disclosure, taking into
account the impact on the issuer's operations, reputation,
customers, employees and investors.
Registrants' cybersecurity risks are generally discussed
with CSA staff as part of the registrant's compliance review
and some CSA members are gathering data on registrant cybersecurity
practices. The discussions focus on cybersecurity programs,
safeguards and controls, use of encryption, risks related to
third-party vendors, employee training, incident response plans and
electronic fund transactions. The CSA is planning a more detailed
desk review to assess the topics discussed in regular compliance
Registered firms are expected to continue to review and follow
guidance issued by IIROC, the MFDA or other relevant
Regulated entities (i.e., marketplaces, clearing agencies,
trade repositories and information processors) should continue to
perform independent system reviews, which have had a specific focus
on cybersecurity since 2013.
Regulated entities are expected to examine their compliance
with existing requirements under securities laws, including the
terms and conditions of their recognition, registration or
exemption orders, and they are also expected to adopt an
established cybersecurity framework.
The CSA has started gathering information on regulated
entities' cybersecurity frameworks to manage and reduce
cybersecurity risks. One CSA member went further and examined the
interconnections, interdependencies and single points of failure to
understand the health of the system and the potential impact of a
Related Regulatory Initiatives
Members of the International Organization of Securities
Commissions (IOSCO) are increasing their efforts to share
information and cooperate in investigations, including the use of
the IOSCO Multilateral Memorandum of Understanding to investigate
cyber-related market manipulation and misconduct.
The CSA will hold roundtable sessions in the next few months to
discuss risks, issues and regulatory expectations. Details on the
roundtables are forthcoming.
The staff notice contains links to various cybersecurity
resources, including the following: