The Canadian Securities Administrators (CSA) has published Staff Notice 11-332 on cybersecurity, building on Staff Notice 11-326 which was issued in 2013. The latest notice informs issuers, registrants and marketplaces of CSA's existing initiatives, lists existing cybersecurity standards from a variety of sources and sets general cybersecurity expectations. The notice reminds market participants that "with advancing technology, cyber adversaries are becoming more sophisticated and the potential for damage is ever increasing." Along with recent high-profile hacking incidents, these trends are generating regulatory responses globally. The CSA has made cybersecurity a priority in its 2016-2019 business plan. The main points from the staff notice are set out below.

Public Companies

  • Issuers' cybersecurity disclosures will be scrutinized more heavily through the continuous disclosure review process. Issuers are expected to provide risk disclosure that is as detailed and entity-specific as possible.
  • Members of the CSA will review the cybersecurity disclosure of larger issuers in the coming months and may contact some of those issuers to discuss how they assessed the materiality of cybersecurity risks and attacks. The CSA will publish this review, and resulting recommendations.
  • Furthermore, in their cyber-attack remediation plans, issuers should address the threshold for public disclosure, taking into account the impact on the issuer's operations, reputation, customers, employees and investors.

Registrants

  • Registrants' cybersecurity risks are generally discussed with CSA staff as part of the registrant's compliance review and some CSA members are gathering data on registrant cybersecurity practices. The discussions focus on cybersecurity programs, safeguards and controls, use of encryption, risks related to third-party vendors, employee training, incident report plans and electronic fund transactions. The CSA is planning a more detailed desk review to assess the topics discussed in regular compliance reviews.
  • Registered firms are expected to continue to review and follow guidance issued by IIROC, the MFDA or other relevant self-regulatory body.

Regulated Entities

  • Regulated entities (i.e., marketplaces, clearing agencies, trade repositories and information processors) should continue to perform independent system reviews, which have had a specific focus on cybersecurity since 2013.
  • Regulated entities are expected to examine their compliance with existing requirements under securities laws, including the terms and conditions of their recognition, registration or exemption orders, and they are also expected to adopt an established cybersecurity framework.
  • The CSA has started gathering information on regulated entities' cybersecurity frameworks to manage and reduce cybersecurity risks. One CSA member went further and examined the interconnections, interdependencies and signal points of failure to understand the health of the system and the potential impact of a directed attack.

Related Regulatory Initiatives

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.