In light of the growing risk of cyberattacks on issuers, registrants and regulated entities (Market Participants), the Canadian Securities Administrators (CSA) recently published CSA Staff Notice 11-332 Cyber Security (Staff Notice) providing guidance to Market Participants on the subject.
Cybersecurity a Priority Area for the CSA
The Staff Notice identifies cybersecurity as a priority for the CSA, and states that the CSA has a central role to play in “assessing and promoting readiness and cyber resilience” of Market Participants. On this point, enhancing cybersecurity is identified as a key initiative to facilitate fair and efficient markets and reduce risks to market integrity under the CSA’s 2016-2019 Business Plan (Business Plan). This Business Plan includes tasks related to improving collaboration and communication on cybersecurity issues with Market Participants and improving Market Participants’ understanding of the CSA’s cybersecurity activities, to which the Staff Notice speaks.
Previous CSA Notice on Cybersecurity
The CSA previously released guidance concerning cybersecurity in 2013 with Staff Notice 11-326 Cyber Security (2013 Notice). The 2013 Notice provided general recommendations for the steps that Market Participants can take to manage cyber threats. These recommended steps were to:
- educate staff on the importance of cybersecurity and their role in ensuring such security;
- follow industry best practices with regard to cybersecurity; and
- conduct regular third-party vulnerability and security tests and assessments against the Market Participants’ systems.
In addition to these steps, Market Participants were advised by the 2013 Notice to review their cybersecurity measures on a regular basis.