Cybersecurity Guidance from Canadian Securities Administrators

On October 19, 2017, the Canadian Securities Administrators (“CSA”) published Staff Notice 33-321 Cyber Security and Social Media to report on a survey of cybersecurity and social media practices by firms registered to trade securities or to advise clients regarding securities, and to provide guidance regarding cybersecurity and social media practices. The Staff Notice supplements the CSA’s 2016 Staff Notice 11-332 Cyber Security.

2016 Staff Notice

The CSA’s 2016 Staff Notice 11-332 Cyber Security emphasizes the need for firms to follow guidance issued by regulatory authorities and standards organizations to proactively manage cyber risks and prepare for cybersecurity incidents. The Notice highlights the importance of cyber risks for securities market participants, references relevant standards and guidance documents, and sets out general expectations for firms’ cyber risk management activities. For more information, see BLG bulletin Cyber Risk Management – Regulatory Guidance from the Canadian Securities Administrators.

2017 Staff Notice

The CSA’s 2017 Staff Notice 33-321 Cyber Security and Social Media reports on the results of a survey of firms’ cybersecurity and social media practices. The Staff Notice reminds firms that securities market participants are a known target of cyber criminals, and emphasizes that all firms, regardless of their size or of the functions they outsource to related entities, should have appropriate cybersecurity policies and procedures. The Staff Notice provides specific guidance for cybersecurity practices relating to the following issues: (1) policies and procedures; (2) training; (3) risk assessments; (4) incident response plans; (5) service provider due diligence; (6) data protection; and (7) insurance.

Comment

The CSA’s guidance is generally consistent with similar guidance issued by other regulators and self-regulatory organizations. For example, see the following BLG bulletins: New York State Cybersecurity Regulation for Financial Services Companies; Cybersecurity Guidance from Investment Industry Organization (May 2016); Cybersecurity Guidance from Investment Industry Organization (January 2016); U.S. Securities and Exchange Commission Issues Cybersecurity Guidance Update; Cyber Risk Management Guidance for Corporate Directors; Cyber-Risk Management Guidance from Financial Institution Regulators; Regulatory Guidance for Cyber Risk Self-Assessment.
