CSA Cybersecurity Roundtable Highlights Interconnectedness

Authors: Anna Beatch, Erin Smith

The Canadian Securities Administrators (the “CSA”) recently hosted a roundtable discussion to explore cybersecurity issues and responses to cybersecurity attacks. A key theme that emerged from the roundtable was the interconnected nature of Canada’s securities markets ecosystem.

In a recent blog post, we noted that the CSA 2016-2019 Business Plan identified the enhancement of cybersecurity as a priority for the CSA. We also noted that the CSA published Staff Notice 11-332 to promote cybersecurity awareness and resilience among market participants. In this notice, the CSA set out recommendations related to cybersecurity for issuers, registrants and regulated entities, and indicated that it intended to host roundtable discussions with these market participants to further discuss cybersecurity awareness and preparedness.

On February 27, 2017, the CSA hosted a roundtable discussion on cybersecurity, and summarized the discussions in Staff Notice 11-336.

The purpose of the roundtable was to explore cybersecurity issues and opportunities for advanced collaboration, communication and co-ordination in responding to large-scale cybersecurity incidents. The participants represented a number of Canadian securities market stakeholders, such as cybersecurity experts, regulatory authorities, issuers, registrants and regulated entities including marketplaces and clearing agencies.

Note: “Issuers” are entities that have outstanding securities, are issuing a security, or propose to issue a security. “Registrants” refers to anyone who trades or deals in securities, such as dealers, underwriters, advisers and investment fund managers.

The discussions highlighted the importance of co-operation and information sharing in responding to cybersecurity incidents given that cybersecurity incidents can potentially have far-reaching implications.

The discussions focused on the following issues:

  • the response of an entity subject to a cybersecurity attack, including who should be involved in decision-making and information sharing
  • the response of entities external to the affected entity (both upstream and downstream), including how they may minimize the impact of the cybersecurity attack
  • the response of entities to a market-wide cybersecurity attack, including how communication and co-ordination among organizations can be achieved
  • the scope of information that should be shared internally and externally in the event of a cybersecurity attack
  • factors that may contribute to collaboration, communication and co-ordination between entities and challenges relating to information sharing

The roundtable participants also discussed “incident response plans,” including plans for entities that are subject to a cybersecurity incident and entities that are indirectly affected by one.

Participants indicated that these plans are often comprehensive with regard to internal procedures in the event of a cybersecurity incident, but should also address co-ordination and information sharing with other stakeholders in the event of a market-wide cybersecurity incident. The participants also suggested that more formal co-ordination and communication channels may improve responses to a market-wide cybersecurity incident. Additionally, the participants discussed the need to test and update their incident response plans to ensure that they are effective and up to date (given that cybersecurity attacks are constantly becoming more sophisticated).

In light of the roundtable discussion and the CSA’s designation of cybersecurity as a priority, the CSA will continue to collaborate with market participants, stakeholders and other regulators to address cybersecurity issues and to enhance the effectiveness of responses, including through a more formal co-ordination process.

In the meantime, issuers, registrants and regulated entities should continue to develop, implement and update their approach to cybersecurity management.
