On October 19, 2017, the Canadian Securities Administrators (“CSA”), representing provincial and territorial securities regulators, issued CSA Staff Notice 33-321 – Cyber Security and Social Media (the “Notice”). The Notice serves to publish the results of the CSA’s survey of cybersecurity and social media practices of registered firms dealing in securities, including those registered as investment fund managers, portfolio managers, and exempt market dealers.
The survey was the result of a CSA initiative following the release of CSA Staff Notice 11-332 – Cyber Security in September 2016 in which CSA announced its intention to determine the materiality of cybersecurity risks. Social media and its surrounding challenges for registered firms were previously discussed in the CSA’s Staff Notice 31-325 – Marketing Practices of Portfolio Managers in 2011.
Importantly, issues concerning cybersecurity gain new prominence with the release of this Notice. The Notice emphasizes that addressing the risks posed by cyber threats and the use of social media is required to comply with business obligations imposed by Section 11.1 of National Instrument 31-103 (“NI 31-103”), the Instrument that outlines registrant requirements and obligations. Specifically, Section 11.1 requires registered firms to “establish, maintain and apply policies and procedures that establish a system of controls and supervision sufficient to provide reasonable assurance that the firm and each individual acting on its behalf complies with securities legislation and manage the risks associated with its business in accordance with prudent business practices.”
Over Half of Registered Firms Experienced a Cyber Security Incident
Conducted between October 11, 2016 and November 4, 2016, the survey sampled responses from 63% of the 1000 firms invited to participate. Overall, the survey found that 51% of firms experienced a cybersecurity incident in 2016, including phishing (43%), malware incidents (18%), and fraudulent email attempts to transfer funds or securities (15%).
The survey questions focused, among others, on the areas of cybersecurity incidents, policies, and incident response plans; social media policies and practices; due diligence to assess the cybersecurity practices of third-party vendors and service providers; encryption and backups; and the frequency of internal cyber risk assessments.
Cybersecurity Policies, Procedures and Training
Specifically, for the areas identified, the survey found that:
- Only 57% of firms have specific policies and procedures to address the firm’s continued operation during a cybersecurity incident.
- Only 56% of firms have policies and procedures for cybersecurity training for employees.
- 9% of firms have no policies and procedures concerning cybersecurity at all.
- 18% of firms do not provide cybersecurity-specific training to employees.
Guidance: The resulting CSA guidance indicates that all firms should have policies and procedures that address, among others, the use of electronic communications; the use of firm-issued electronic devices; reporting cybersecurity incidents; and vetting third-party vendors and service providers. Training of employees on cyber risks, including the privacy risks associated with the collection, use, or disclosure of data, should take place with “sufficient frequency to remain current”, with a recognition that training more frequent than on an annual basis may be necessary.
Cyber Risk Assessments
The Survey found that most firms perform risk assessments at least annually to identify cyber threats. However, 14% of firms indicated that they do not conduct this type of assessment at all.
Guidance: In response, the CSA guidance indicates that firms should conduct a cyber risk assessment at least annually, including a review of the firm’s cybersecurity incident response plan to see whether changes are necessary. The risk assessment should include:
- an inventory of the firm’s critical assets and confidential data, including what should reside on or be connected to the firm’s network and what is most important to protect;
- what areas of the firm’s operations are vulnerable to cyber threats, including internal vulnerabilities (e.g., employees) and external vulnerabilities (e.g., hackers, third-party service providers);
- how cyber threats and vulnerabilities are identified;
- potential consequences of the types of cyber threats identified; and
- adequacy of the firm’s preventative controls and incident response plan, including evaluating whether changes are required to such a plan.
Cybersecurity Incident Response Plans
On cybersecurity incident response plans, the Survey results indicated that 66% of firms have an incident response plan that is tested at least annually. However, a quarter of firms surveyed had not tested their incident response plans at all.
Guidance: The CSA guidance stipulates that firms should have a written incident response plan, which should include:
- who is responsible for communicating about the cyber security incident and who should be involved in the response to the incident;
- a description of the different types of cyber attacks (e.g., malware infections, insider threats, cyber-enabled fraudulent wire transfers) that might be used against the firm;
- procedures to stop the incident from continuing to inflict damage and the eradication or neutralization of the threat;
- procedures focused on recovery of data;
- procedures for investigation of the incident to determine the extent of the damage and to identify the cause of the incident so the firm’s systems can be modified to prevent another similar incident from occurring; and
- identification of parties that should be notified and what information should be reported.
Due Diligence on Third Party Providers
Almost all firms surveyed indicated they engaged third-party vendors, consultants, or other service providers. Of these firms, a majority conduct due diligence on the cyber security practices of these third parties. However, the extent of the due diligence conducted and how it is documented vary greatly
Guidance: The CSA Guidance states that firms should periodically evaluate the adequacy of their cyber security practices, including safeguards against cyber security incidents and the handling of such incidents by any third parties that have access to the firms’ systems and data. In addition, firms should limit the access of third-party vendors to their systems and data.
Written agreements with these outside parties should include provisions related to cyber threats, including a requirement by third parties to notify firms of cyber security incidents resulting in unauthorized access to the firms’ networks or data and the response plans of the third parties to counter these incidents.
Where firms use cloud services, they should understand the security practices that the cloud service provider has to safeguard from cyber threats and determine whether the practices are adequate. Firms that rely on a cloud service should have procedures in place in the event that data on the cloud is not accessible.
Encryption is one of the tools firms can use to protect their data and sensitive information from unauthorized access. However, the survey responses indicate a sizeable number of firms do not use any encryption or rely on other methods of data protection, such as password protected documents. In addition, almost all firms surveyed indicated they back up data, but the frequency of such back ups varied.
Guidance: The CSA’s view is that encryption protects the confidentiality of information as only authorized users can view the data. In addition to using encryption for all computers and other electronic devices, the CSA expects firms to require passwords to gain access to these devices and recommends so-called “strong” passwords be required, and change with some frequency.
Where firms provide portals for clients or other third parties for communication purposes or for accessing the firm’s data or systems, firms should ensure the access is secure and data is protected.
Firms are expected to back up their data and regularly test their back-up process. Also, when backing up data, firms should ensure that the data is backed up off-site to a secure server in case there is physical damage to the firms’ premises
A majority of firms (59%) do not have specific cyber security insurance and for those that do, the types of incidents and amounts that their policies cover vary widely.
Guidance: The CSA guidance states that firms should review their existing insurance policies (e.g., financial institution bonds) to identify which types of cyber security incidents, if any, are covered. For areas not covered by existing policies, firms should consider whether additional insurance should be obtained.
The focus of this part of the Notice was on the fact that social media may be used as a vehicle to carry out cyber attacks. For example, social media sites may be used by attackers to launch targeted phishing emails or links on these sites may lead to websites that install malware.
For social media specifically, firms should review, supervise, retain, and have the ability to retrieve social media content. Policies and procedures on social media practices should cover:
- the appropriate use of social media, including the use of social media for business purposes;
- what content is permitted when using social media;
- procedures for ensuring that social media content is current;
- record keeping requirements for social media content; and
- reviews and approvals of social media content, including evidence of such reviews and approvals.
In addition, given the ease with which information may be posted on social media platforms, the difficulty of removing information once posted and the need to respond in a timely manner to issues that may arise, the CSA states that firms should have appropriate approval and monitoring procedures for social media communications. This applies even if firms do not permit the use of social media for business purposes, because policies and procedures should be in place to monitor for unauthorized use.
The Notice advises that CSA staff will continue to review the cyber security and social media practices of firms through compliance reviews. It notes further that CSA staff will apply the information and guidance in this Notice when assessing how firms comply with their obligations to manage the risks associated with their business as set out in NI 31-103.
Firms registered to deal in securities are advised to adopt cybersecurity policies and procedures, including an incident response plan, to ensure compliance with registrant obligations under NI 31-103. The Notice underscores that cyber threats are ever-changing and preparedness and vigilance are key to ensure risk mitigation.