In light of the growing risk of cyberattacks on issuers, registrants and regulated entities (Market Participants), the Canadian Securities Administrators (CSA) recently published CSA Staff Notice 11-332 Cyber Security (Staff Notice) providing guidance to Market Participants on the subject.
Cybersecurity a Priority Area for the CSA
The Staff Notice identifies cybersecurity as a priority for the CSA, and states that the CSA has a central role to play in “assessing and promoting readiness and cyber resilience” of Market Participants. To this point, enhancing cybersecurity is identified as a key initiative to facilitate fair and efficient markets and the reduction of risks to market integrity under the CSA’s 2016-2019 Business Plan (Business Plan). This Business Plan includes tasks related to improving collaboration and communication on cybersecurity issues with Market Participants and improving Market Participants’ understanding of the CSA’s cybersecurity activities, to which the Staff Notice speaks.
Previous CSA Notice on Cybersecurity
The CSA previously released guidance concerning cybersecurity in 2013 with Staff Notice 11-326 Cyber Security (2013 Notice). The 2013 Notice provided general recommendations for the steps that Market Participants can take to manage cyber threats. These recommended steps were to:
- educate staff on the importance of cybersecurity and their role in ensuring such security;
- follow industry best practices with regard to cybersecurity; and
- conduct regular third-party vulnerability and security tests and assessments against the Market Participants’ systems.
In addition to these steps, Market Participants were advised by the 2013 Notice to review their cybersecurity measures on a regular basis.
The 2013 Notice also provided specific recommendations for the different types of Market Participants. Issuers were advised to evaluate whether they are at risk for cybercrime, the specific types of cybercrime for which they might be at risk, any controls they have in place to address these risks, and whether any of this information needs to be disclosed in their public filings. Registrants were advised to consider whether their risk management systems allow them to manage the risks of cybercrime in line with prudent business practices. Regulated entities were advised to consider measures necessary to manage the risks of cybercrime.
2016 Staff Notice
The Staff Notice expands on the subject matter of the 2013 Notice and, in line with the steps of the Business Plan, provides more information on how Market Participants might implement the recommended cybersecurity protections. Specifically, the Staff Notice discusses CSA cybersecurity initiatives, appropriate cybersecurity standards for Market Participants, and the CSA’s cybersecurity expectations of Market Participants.
Informing Stakeholders of CSA Cybersecurity Initiatives
The Staff Notice sets out the cybersecurity initiatives that members of the CSA have been pursuing with respect to each type of Market Participant.
For issuers, some members of the CSA have been reviewing the disclosure of cyber risks by issuers in light of the guidance provided in the 2013 Notice. These reviews have focused on disclosure related to risk factors, legal proceedings and corporate governance. The results of these reviews have shown that many issuers did not disclose any cyber risks or made only non-specific, boilerplate disclosure. The CSA will continue these examinations, specifically with larger issuers, in the near future.
For registrants, these initiatives include ongoing discussions with registrants concerning cybersecurity policies and procedures, and, for some CSA members, gathering data from registrants via a risk assessment questionnaire.
Certain regulated entities already perform independent systems reviews (ISRs), which include a cybersecurity component. In addition to this initiative, the CSA has been gathering information on how regulated entities are positioned to manage and mitigate cybersecurity risks.
The CSA intends to hold roundtable discussions in the future to:
- promote an open dialogue with cybersecurity experts and Market Participants;
- discuss relevant developments related to cyber risks and how to address those risks;
- develop opportunities for greater collaboration and improved communication on issues of common concern relating to cybersecurity; and
- discuss coordination in the event of a cybersecurity incident.
Appropriate Cybersecurity Standards
The Staff Notice provides a list of (and links to) a body of cybersecurity-related material, including standards, guidelines, best practices and other relevant material from the following organizations: the International Organization of Securities Commissions (IOSCO), the Investment Industry Regulatory Organization of Canada (IIROC), the Securities and Exchange Commission (SEC), the Securities Industry and Financial Markets Association (SIFMA), the Mutual Fund Dealers Association of Canada (MFDA), the Financial Industry Regulatory Authority (FINRA), the National Institute of Standards and Technology (NIST) and the Office of the Superintendent of Financial Institutions (OSFI). Broadly speaking, these materials provide guidance on the following cybersecurity topics: governance, risk awareness, mitigation, detection, protection, response, recovery, insurance and information sharing.
This body of material, as summarized by the Staff Notice, provides the following high level recommendations for Market Participants:
- manage cybersecurity at an organizational level while placing responsibility for governance and accountability at the executive and board levels;
- organize cybersecurity activities into high level groups: Identify, Protect, Detect, Respond, and Recover;
- establish and maintain a cybersecurity awareness program for staff;
- understand the business drivers and security considerations specific to how the Market Participant uses technology, systems and networks;
- understand the likelihood that an event will occur and its resulting impact, in order to determine an acceptable level of risk in light of the Market Participant’s risk tolerance, budget and legal requirements;
- manage cybersecurity risk exposures arising from use of third-party vendors;
- consider methodologies for protecting individual privacy, as well as any obligations to report cybersecurity breaches to a regulatory authority;
- consider whether to share information about cyber incidents with other Market Participants;
- communicate, collaborate and coordinate with other entities;
- establish plans to restore, in a timely fashion, any capabilities or services that may be impaired by a cyber incident; and
- treat cybersecurity programs as living documents that will continue to be updated and improved on an ongoing basis.
Cybersecurity Expectations of Market Participants
The Staff Notice concludes with specific steps each type of Market Participant should take to protect itself against cyber threats.
Issuers that have determined that cyber risk is a material risk should provide risk disclosure that is detailed and as specific as possible. In any cyber risk management planning, issuers should also consider how the materiality of a cyberattack is assessed — an assessment that should take into account company operations, reputation and stakeholders — and how this materiality affects the type of disclosure regarding the attack that the issuer provides.
Registrants should continue developing, implementing and updating their approach to cybersecurity risk management, including reviewing and following cybersecurity guidance issued by self-regulatory organizations such as IIROC and MFDA.
Finally, regulated entities should continue to comply with the applicable cybersecurity requirements found in securities legislation and in the terms and conditions of recognition, registration or exemption orders, including requirements to maintain internal controls and to report security breaches. Regulated entities are also expected to adopt a cybersecurity framework, provided by a regulatory authority or standard-setting body, that is appropriate for the regulated entity’s size and scale.