Canadian Securities Administrators Prioritize Cybersecurity

Published: October 13, 2016

Author: Anna Beatch

Categories: Corporate Finance & Securities, Corporate Governance, Innovation, Data and Technology, Privacy, Data Protection & Cybersecurity, Technology Projects & Transactions

Subscribe to MLT Aikins Insights

Authors: Anna Beatch, Erin Smith

This post was written prior to our January 2017 merger, under our previous firm name, MacPherson Leslie & Tyerman LLP.

We previously discussed how two American Senators introduced the Cybersecurity Disclosure Act of 2015 (the Bill) to promote transparency in the oversight of cybersecurity risks of publicly traded companies. Although the Bill is not yet law (it is currently under review by the Committee on Banking, Housing and Urban Affairs), it would require reporting companies to have a cybersecurity expert on their board, or explain why having such a board member is unnecessary.

While Canada does not have a similar regime in place, the Canadian Securities Administrators (CSA) Business Plan 2016-2019, which was published on July 7, 2016, identified the enhancement of cybersecurity as a priority for the CSA. Shortly thereafter, on September 27, 2016, CSA published CSA Staff Notice 11-332 (the 2016 Notice) to promote cybersecurity awareness and resilience among market participants given that cybersecurity attacks and cyber adversaries are becoming more sophisticated.

In the 2016 Notice, the CSA states that it “expects” issuers[1], registrants[2] and regulated entitles[3] to comply with the CSA’s various recommendations on cybersecurity. This is in contrast to CSA Staff Notice 11-326 (the 2013 Notice) which asked issuers, registrants and regulated entities to “consider” taking steps to address cybersecurity threats. This change in language from “consider” in 2013 to “expect” in 2016 underscores the increased importance the CSA is placing on cybersecurity.

The 2016 Notice sets out, among other things, CSA’s expectations of issuers, registrants and regulated entities with respect to their cybersecurity frameworks. CSA’s expectations include the following:

  1. Issuers: To the extent that an issuer has determined that cybercrime risk is a material risk, CSA expects issuers to disclose this and for such disclosure to be as entity specific and detailed as possible. If an issuer has a cyber attack remediation plan, CSA expects such plan to address how the issuer would assess the materiality of a cyber attack. The materiality of a cyber attack is relevant to determining whether, when and to what extent an issuer should disclose the cyber attack.  Note that the 2013 Notice suggested, among other things, that issuers consider whether they should disclose their cybercrime risk, cybersecurity risk control measures and cyber attacks. Since the publication of the 2013 Notice, some CSA members have found that many issuers do not have any disclosure or have boilerplate disclosure (disclosure that is not entity specific). According to the 2016 Notice, because there has been an increase in the frequency and sophistication of cyber attacks, CSA members intend to re-examine the disclosure of some of the larger issuers in the coming months and anticipate publishing their findings and recommendations.
  2. Registrants: CSA expects registrants to remain vigilant in developing, implementing and updating their approach to cybersecurity management. CSA recommends that registrants follow guidance issued by self-regulatory organizations such as the Investment Industry Regulatory Organization of Canada and the Mutual Fund Dealers Association.
  3. Regulated Entities: CSA expects regulated entities to review their compliance with ongoing requirements outlined in securities legislation, and to adopt a cybersecurity framework provided by a regulatory authority or standard-setting body.

The 2016 Notice also states that CSA intends to hold roundtable sessions with issuers, registrants and regulated entities to, among other things:

  1. discuss developments related to cybercrime risks and how to address such risks; and
  2. develop opportunities for greater collaboration and communication on issues of common concern relating to cybersecurity.

Issuers, registrants and regulated entities should consider whether they are meeting CSA’s expectations and whether they have the necessary experience and expertise to manage cybercrime risks and to safeguard themselves and their clients or stakeholders.

[1] “Issuers” are entities that: 1. have outstanding securities; 2. are issuing a security; or 3. propose to issue a security.

[2] “Registrants” includes all persons who trade or deal in securities, such as dealers, underwriters, advisers and investment fund managers.

[3] “Regulated entities” includes self-regulatory organizations, marketplaces, clearing agencies and information processors.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.