The most recent guidance from the CSA on cybersecurity is set out in the summary of its roundtable discussion (released April 7, 2017), which was convened to explore responses to cybersecurity incidents.

The summary of the roundtable discussion highlighted the following:

  • The importance of cooperation and information sharing in response to cybersecurity incidents;
  • The need for a robust Incident Response Plan (IRP) for entities, including those only indirectly affected by a cyber incident;
    • IRPs should be detailed enough to prepare an entity for a cyber incident. They should address internal procedures and also outline how to share key information and communicate with other stakeholders. Communication with others is especially important in a market-wide security incident affecting dealers, agencies and other market participants;
  • Reliance on more formal communication channels for information sharing may contribute to improved response and recovery;
  • The need to test and update IRPs, including their communication and coordination protocols; and
  • The public and private resources available to organizations that may be subject to a cybersecurity incident.

The summary further reinforced the CSA's expectations of regulated entities in this industry:

As highlighted in CSA Staff Notice 11-332 Cyber Security, CSA members expect that regulated entities examine and review their compliance with ongoing requirements outlined in securities legislation and terms and conditions of recognition, registration or exemption orders, which include the need to have internal controls over their systems and to report security breaches. CSA members also expect that registrants continue to remain vigilant in developing, implementing and updating their approach to cyber security hygiene and management.

It is reasonable to expect that the CSA's increased attention to cybersecurity issues will result in the establishment of an industry standard of cybersecurity hygiene and management. That industry standard will likely inform how organizations are assessed for liability to customers, employees, investors in the marketplace and others affected by a cybersecurity incident.