Canada: Regulators Provide Specific Guidance To Registered Firms On The Content Of Cybersecurity And Social Media Policies

Fasken Martineau's Investment Products and Wealth Management team would like to inform you that the Canadian Securities Administrators (CSA) have issued specific guidance on the cybersecurity and social media policies and procedures to be adopted in CSA Staff Notice 33-321 Cyber Security and Social Media, published on October 19, 2017 (Notice 33-321). Click here to consult the Notice.

Guidance on the content of cybersecurity and social media policies and procedures to be adopted was issued following a survey by the CSA of 630 registered firms in which the CSA examined existing cybersecurity and social media policies and procedures related to employee training programs, cybersecurity risk assessment methods and frequency, cyber incident response plans, existing controls, methods of data protection, cybersecurity insurance coverage and supervision of employees' use of social media. 

Following the survey, the CSA developed guidance for all registered firms on the cybersecurity and social media policies and procedures to be adopted on each of these subjects. The policies and procedures must notably include preventative practices, a training plan for all staff and a response plan in case a cyber incident occurs. Registered firms should also periodically evaluate the adequacy of their cybersecurity practices, including safeguards against cyber incidents and should regularly test all existing safeguards and preventative practices.  Moreover, the CSA note that registered firms should check whether their existing insurance policies cover damages resulting from cyber incidents.

The guidance in Notice 33-321 is not an example of good practices that may be voluntarily adopted. Registered firms, including small companies and corporations that rely on the safeguards provided by their parent company or service providers, must adopt such practices.

According to the CSA, the information and guidance in Notice 33-321 form part of the obligation to manage risks associated with the registered firms' business under Regulation 31-103 respecting Registration Requirements, Exemptions and Ongoing Registrant Obligations. This issue may therefore be raised during a regulatory compliance review of any registered firm whose cybersecurity and social media policies and procedures fail to comply with CSA guidance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.