On September 27, 2016, the CSA published an updated cyber security notice (the Notice) for financial market participants. The Notice emphasizes that as the cyber security landscape has evolved and cyber attacks have become more frequent and complex, it is vital for market participants to adhere to guidance issued by self-regulatory organizations such as IIROC and the MFDA, and take meaningful steps to protect themselves against cyber threats.
In particular, the CSA expects Issuers, Registrants and Regulated Entities to do the following:
- Issuers: Provide detailed and entity-specific cyber risk disclosure, and maintain a cyber-attack remediation plan that outlines how the materiality of an attack is assessed to determine “whether and what, as well as when and how, to disclose in the event of an attack.” When assessing materiality, issuers should consider factors such as “impact on the company’s operations and reputation, its customers, employees and investors.”
- Registrants: Continue to remain vigilant in developing, implementing and updating their approach to security hygiene and management, and review and follow the aforementioned guidance from self-regulatory organizations such as IIROC and the MFDA.
- Regulated Entities: Examine and review their compliance with ongoing requirements outlined in securities legislation and terms of recognition, registration or exemption orders, including the need to have internal controls over their systems and to report security breaches. As well, adopt a cyber security framework provided by a regulatory authority or standard-setting body tailored to their size and scale – one size does not fit all.
Though this Notice is not binding, it would be unwise to disregard the guidance contained therein, especially given the significant liability and reputational damage that can result from having an inadequate cyber risk management program. Further, as cyber security has been identified as a priority area for the CSA going forward, you can be sure that the sufficiency of market participants’ cyber programs will be under increased scrutiny.