Data security breaches can affect anyone, including the regulators charged with overseeing regulated firms’ cyber-security controls. On July 27, the Canadian Securities Administrators (CSA) announced that a former contractor (ex-contractor) for the Government of Nunavut had electronically accessed information in the National Registration Database (NRD). The ex-contractor accessed personal information for a single registrant and business information for select registrants at a single, registered firm. The CSA appears to have discovered the breach only after the ex-contractor disclosed their unauthorized access to CSA staff, at which time the CSA terminated the individual’s access.

Although data threats from outsiders (e.g., criminals, statesponsored attackers and hacktivists) often attract more media attention, data threats from insiders (e.g., employees, contractors and business partners) have the potential to be equally destructive. Registered firms are expected to have effective cyber-security policies, controls and cyberincident response plans in place.