The results of the Canadian Securities Administrators' (CSA) February 27, 2017 roundtable on cyber security issues were published in a Staff Notice on April 6, 2017. The Staff Notice primarily analyzes the importance of cooperation, coordination and information sharing in incident response. It follows this year's publication of CSA Multilateral Staff Notice 51-347, which focused on cyber security risk disclosure, and is in line with CSA Staff Notice 11-332 Cyber Security (Notice 11-332), which reiterated that cyber security is one of the CSA's top priorities.
Participants at the roundtable included various Canadian securities market stakeholders – including marketplaces, clearing agencies, registrants, reporting issuers, regulatory authorities and cyber security experts – and focused on two hypothetical cyber security scenarios designed to assess how they would respond to a large-scale cyber security incident, in order to gain a better understanding of the respective roles of entities and regulators in the event of a cyber-attack. Keeping in mind the potentially far-reaching implications of cyber-attacks, which extend well beyond the organizations immediately affected, the participants concluded that cooperation, coordination and information sharing are crucial in responding to a cyber incident.
More specifically, the discussions focused on five issues:
- the response of an entity subject to a cyber security incident;
- the response of entities both downstream and upstream from the affected entity;
- people and organizations who should be involved in discussions and decision making for a coordinated response to a market-wide incident;
- information that should be communicated internally and externally; and
- factors that may contribute to coordination, communication and collaboration.
While discussing these matters, the participants considered the importance of putting in place a carefully thought-out and easily understandable incident response plan (IRP) that encompasses the needs of multiple stakeholders, including those indirectly affected by a cyber incident. In discussing IRPs, the participants determined that while IRPs are generally detailed and complete with respect to internal procedures, they often fail to address coordination and information sharing with other stakeholders. According to the participants, reliance on existing organizations that provide intelligence analysis and information sharing services (such as Public Safety Canada's Canadian Cyber Incident Response Centre, the RCMP, provincial law enforcement authorities, the Financial Information Sharing and Analysis Center, etc.), as well as on informal peer-to-peer communication channels, is generally effective; however, more formal communication channels, particularly in the context of a market-wide cyber security incident, may contribute to improved response and recovery. The participants therefore acknowledged the need to test and update IRPs regularly. For more on the topic of IRPs, see our previous articles here and here.
As indicated in Notice 11-332, cyber security continues to be one of CSA's priorities through 2019. As such, CSA members expect that regulated entities continue to comply with ongoing requirements outlined in securities legislation, which include the need to have internal controls over their systems and to report security breaches, as we discussed earlier this year.