Canadian regulators have been pretty consistent over the last couple of years that registrants need to implement a cybersecurity program as part of its system of controls and risk management obligations. On October 19, 2017, the Canadian Securities Administrators (“CSA”) released Staff Notice 33-321 Cybersecurity and Social Media (“Staff Notice”) which provides results of a cybersecurity survey that was posed to registrants in October 2016, and provides some guidance on the regulator’s expectation regarding what a registrant’s cybersecurity and social media program should look like.
1) Policies and Procedures: There is a clear expectation that registrants have polices for their cybersecurity program and that registrants train employees regarding cybersecurity. Cyber policies should cover a number of areas including:
- electronic communications
- firm issued or firm connected devices
- software update and maintenance
- oversight of third party vendors that have access to technology infrastructure
- incident response plan to a cybersecurity incident
- employee training on topics including password strength, handling confidential information, suspicious emails and escalating cyber security incidents.
2) Risk Assessments: A firm should do an inventory (at least annually) on the areas of operation most vulnerable to cyber threats and what assets (such as client information) would be exposed if those operations were to be compromised. If exposed, a registrant should have an incident response plan to control the damage. This incident response plan should be tested annually.
3) Third Party Vendors: A registrant should be conducting due diligence on the vendors that have access to the firm’s technology systems. Furthermore, registrants should be adding cybersecurity and privacy information in their service provider contracts including an obligation on the service provider to inform the registrant if it has been part of a cybersecurity incident. We recommend that you speak to us to ensure you are addressing cybersecurity considerations in your service provider contracts.
4) Data Protection: Registrants should be encrypting/securing their data by ensuring passwords are required for access to sensitive information and that data is backed up and preserved at an offsite location.
5) Cyber Insurance: The Staff Notice notes that 59% of registrants currently do not have cybersecurity insurance.
6) Small and Medium Sized Firms: The Staff Notice indicates that many respondents to the survey believed their cybersecurity risk to be low due to the size of their firm. The Staff Notice makes it clear that the financial industry is a known target of cyber-attacks. Accordingly, regardless of size, registrants should ensure they have a strong cybersecurity program.
7) Social Media: Registrants must have policies and procedures in place to monitor employees for unauthorized use with respect to social media.