The Canadian Securities Administrators ("CSA") have published the results of their survey of the cybersecurity and social media practices of registered firms dealing in securities, together with guidance on how to minimize the risks posed by cyber threats and social media.
Fifty-one percent of firms surveyed had experienced a cybersecurity incident in 2016.
Addressing the risks posed by cyber threats and the use of social media is a requirement under Section 11.1 of National Instrument 31-103, which mandates that registered firms: "establish, maintain and apply policies and procedures that establish a system of controls and supervision sufficient to (a) provide reasonable assurance that the firm and each individual acting on its behalf complies with securities legislation, and (b) manage the risks associated with its business in accordance with prudent business practices."
The CSA recommends that registered firms do the following to minimize the risk:
- All firms should have policies and procedures that address, among other things, the use of electronic communications, the use of firm-issued electronic devices, the reporting of cybersecurity incidents, and the vetting of third-party vendors and service providers.
- Firms should conduct a cyber risk assessment at least annually and review the firm's cybersecurity incident response plan to see whether changes are necessary.
- Firms should have a written incident response plan that describes the types of cyber attacks the firm may face; who is responsible for communicating about an incident; the procedures for containing an incident so that it causes no further damage; and the procedures for data recovery and investigation.
- Firms should periodically evaluate the adequacy of their cybersecurity practices, including the safeguards against cybersecurity incidents and the handling of such incidents by any third parties that have access to the firms' systems and data.
- In addition to using encryption on all computers and other electronic devices, the CSA expects firms to require a password to gain access to these devices, recommends that so-called "strong" passwords be required, and recommends that passwords be changed periodically.
- Firms should review their existing insurance policies (e.g., financial institution bonds) to identify which types of cybersecurity incidents, if any, are covered.
- Firms should have appropriate approval and monitoring procedures for social media communications.