Cybersecurity is top of mind for corporate boards and securities regulators alike.
On September 27, 2016, the Canadian Securities Administrators (“CSA“) issued CSA Staff Notice 11-332 – Cyber Security (the “2016 Notice”). The 2016 Notice updates the CSA’s previous notice on the same topic, CSA Staff Notice 11-326 Cyber Security (the “2013 Notice”) for reporting issuers, registrants and regulated entities.
As the CSA acknowledges, since the 2013 Notice was published, the cybersecurity landscape has evolved considerably, as cyber attacks have become more frequent, complex and costly. Citing two recent studies by PriceWaterhouseCoopers and Ponemon, the CSA noted in the 2016 Notice that:
- In 2015, 38% more cyber security incidents were detected than in 2014; and
- The average total cost of a data breach for the companies participating in the 2016 Ponemon survey stood at USD$4 million.
Summary of CSA Cybersecurity Initiatives
In the 2016 Notice, the CSA first provides a summary of its recent initiatives to monitor and address cyber security risks in order to improve overall resilience in our markets.
For example, noting the failure of many issuers to fully disclose their exposure to cyber risks, the 2016 Notice states that CSA members intend to re-examine the disclosure of some of the larger issuers in the coming months and, where appropriate, will contact issuers to get a better understanding of their assessment of the materiality of cyber security risks and cyber attacks.
Second, the 2016 Notice notes that some CSA members are gathering data about registrants’ cyber security practices pursuant to a risk assessment questionnaire that was sent to a large number of registered firms in May 2016. A more targeted desk review is planned for the remainder of 2016, which will assess in more detail the areas discussed in regular compliance reviews.
Third, the CSA notes current initiatives on enhancing cross-border information sharing among regulators related to cyber security.
The 2016 Notice also provides links and references to a number of particularly helpful cyber security resources that have been published by various financial services regulatory authorities and standard-setting bodies in an effort to improve the preparedness of market participants to deal with cyber incidents. Such resources include:
- IIROC Cybersecurity Best Practices Guide
- IIROC Cyber Incident Management Planning Guide
- Securities and Exchange Commission (SEC) Division of Corporation Finance Disclosure Guidance
- The National Institute for Standards and Technology (NIST) Cybersecurity Framework
- The Office of the Superintendent of Financial Institutions (OSFI) Cyber Security Self-Assessment Guidance
As summarized in the 2016 Notice, these publications highlight the need for an organization to:
- manage cyber security at an organizational level with responsibility for governance and accountability at executive and board levels;
- organize its cyber security activities at a high level: Identify, Protect, Detect, Respond, and Recover;
- establish and maintain a robust cyber security awareness program for staff;
- formulate a clear understanding of the business drivers and security considerations specific to its use of technology, systems and networks;
- understand the likelihood that an event will occur and the resulting impact in order to determine the acceptable level of risk appetite according to its risk tolerance, budget and legal requirements;
- manage cyber security risk exposures that arise from using third-party vendors for services;
- consider methodology to protect individual privacy as well as any obligations to report cyber security breaches to a regulatory authority;
- consider whether to share information about cyber incidents with Market Participants;
- communicate, collaborate and coordinate with other entities;
- establish plans to restore any capabilities or services that may be impaired due to a cyber incident in a timely fashion; and
- treat cyber security programs as living documents that will continue to be updated and improved on an ongoing basis.
Finally, the 2016 Notice sets out the CSA’s expectations for market participants on a going-forward basis. In particular:
- Reporting Issuers: To the extent that an issuer has determined that cyber risk is a material risk, CSA members expect that issuers should:
- provide risk disclosure that is as detailed and entity specific as possible;
- address in any cyber-attack remediation plan how the materiality of an attack would be assessed to determine whether and what, as well as when and how, to disclose in the event of an attack; and
- consider the impact on the issuer’s operations and reputation, its customers, employees and investors.
- Registrants: CSA members expect that registrants continue to remain vigilant in developing, implementing and updating their approach to cyber security hygiene and management. Dealers should review and follow guidance issued by self-regulatory organizations such as IIROC and the MFDA.
- Regulated entities: CSA members expect that regulated entities examine and review their compliance with ongoing requirements outlined in securities legislation and terms and conditions of recognition, registration or exemption orders, which include the need to have internal controls over their systems and to report security breaches. The CSA members also expect regulated entities to adopt a cyber security framework provided by a regulatory authority or standard-setting body that is appropriate to their size and scale.