Cyber security has been identified as a priority area in the Canadian Securities Administrators (“CSA”) 2016‑2019 Business Plan as well as by some CSA members. Accordingly, the CSA is working to promote cyber security awareness and resilience. More specifically, the CSA is working to:
- assess the level of cyber security resilience of issuers, registrants and regulated entities (collectively, “Market Participants”), including measures for the protection of personal investor data;
- improve collaboration and communication on cyber security issues with Market Participants; and
- improve Market Participants’ understanding of CSA members’ cyber security oversight activities, including providing guidance on expectations for Market Participants’ cyber security preparedness.
In connection with this effort to promote awareness and resilience, the CSA recently published a notice on cyber security (CSA Staff Notice 11-332 – Cyber Security) in order to:
- highlight the importance of cyber risks for Market Participants;
- inform stakeholders about recent and upcoming CSA initiatives;
- reference existing standards and work published, including work published by the Investment Industry Regulatory Organization of Canada (“IIROC”), the Mutual Fund Dealers Association of Canada (“MFDA”) and international regulatory authorities and standard-setting bodies;
- communicate general expectations for Market Participants with respect to their cyber security frameworks; and
- examine ways to coordinate communication and information sharing between regulators and Market Participants.
Issuers. CSA members intend to re‑examine the disclosure of some of the larger issuers in the coming months and, where appropriate, will contact issuers to better understand their assessment of the materiality of cyber security risks and cyber‑attacks. In general, to the extent that an issuer has determined that cyber risk is a material risk, CSA members expect the issuer to provide risk disclosure that is as detailed and entity‑specific as possible. Furthermore, an issuer’s cyber‑attack remediation plan should address how the materiality of an attack would be assessed in order to determine whether, what, when and how to disclose in the event of an attack. In that assessment, issuers should consider the impact on the company’s operations and reputation, and on its customers, employees and investors.
Registrants. CSA staff discusses cyber security policies and procedures with registered firms as part of their regular compliance reviews. Areas of focus include:
- firms’ cyber security risk assessment and information security governance programs;
- firms’ IT safeguards and controls;
- use of encryption;
- risks related to third‑party service providers;
- vulnerability tests and compliance monitoring;
- evidence of regular employee training and awareness;
- incident response plans; and
- practices for accepting client instructions to withdraw or transfer funds via electronic means.
CSA members expect registrants to remain vigilant in developing, implementing and updating their approach to cyber security management, and to review and follow guidance issued by self‑regulatory organizations such as IIROC and the MFDA.
Regulated Entities. The independent system review (“ISR”) that marketplaces, clearing agencies and information processors must perform has always had a cyber security component, and since 2013 the ISRs for all regulated entities have contained a specific focus on cyber security. CSA members expect regulated entities to examine and review their compliance with the ongoing requirements set out in securities legislation and in the terms and conditions of their recognition, registration or exemption orders, which include the need to maintain internal controls over their systems and to report security breaches. The CSA also expects regulated entities to adopt a cyber security framework published by a regulatory authority or standard‑setting body that is appropriate to their size and scale.
International Activities. The focus of current initiatives is on enhancing cross‑border information sharing among regulators related to cyber security, including use of the IOSCO Multilateral Memorandum of Understanding (“MMoU”) to investigate cyber‑related market manipulation and misconduct.
There is no standardized approach to cyber security and organizations should establish and view their cyber security frameworks in light of their particular circumstances. Some common themes which arise in the publications addressing cyber security include the need for an organization to:
- manage cyber security at an organizational level with responsibility for governance and accountability at executive and board levels;
- organize its cyber security activities at a high level;
- establish and maintain a robust cyber security awareness program for staff;
- formulate a clear understanding of the business drivers and security considerations specific to its use of technology, systems and networks;
- understand the likelihood that an event will occur and the resulting impact, in order to determine its acceptable level of risk in light of its risk tolerance, budget and legal requirements;
- manage cyber security risk exposures that arise from using third‑party vendors for services;
- consider methods to protect individual privacy, as well as any obligations to report cyber security breaches to a regulatory authority;
- consider whether to share information about cyber incidents with Market Participants;
- communicate, collaborate and coordinate with other entities;
- establish plans to restore any capabilities or services that may be impaired due to a cyber incident in a timely fashion; and
- treat cyber security programs as living documents that will continue to be updated and improved on an ongoing basis.
As cyber threats become more prevalent, authorities globally will be implementing various policy responses to encourage Market Participants to improve their cyber defences. Taking proactive measures now will help Market Participants stay ahead of the curve and be better protected.
The foregoing is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, please contact the author who would be pleased to discuss the issues above with you, in the context of your particular circumstances.