March 15, 2019
Introduction
Staff of the Canadian Securities Administrators (CSA Staff or we) have been examining the requirements in National Instrument 21-101 Marketplace Operation (NI 21-101) and in National Instrument 23-101 Trading Rules (NI 23-101) (together, Marketplace Rules) in respect of the reporting of material systems incidents by recognized exchanges (Exchanges) and alternative trading systems (ATSs) (together, Marketplaces) carrying on business in the jurisdictions of the Canadian Securities Administrators (CSA). We have also been reviewing the practices set out around those requirements in various recognition orders, rules and other sources of regulatory guidance. The purpose of our review was to update and, where appropriate, to align the regulatory requirements and processes for a marketplace’s initial notification, follow-up notification(s), notification of resumption of service and post-mortem report of a material systems incident to the CSA and to the public.
This Notice contains the following annexes:
- Annex A – Marketplace Regulatory Incident Reporting Guidelines (including Schedule A – Reportable Incident Information)
Substance and Purpose
This Notice summarizes the key regulatory requirements with respect to the reporting of a material systems incident[1] by marketplaces. Annex A – Marketplace Regulatory Incident Reporting Guidelines (Guidelines) sets out CSA Staff’s expectations with respect to incident reporting. The Notice also describes CSA Staff’s process for reviewing a marketplace’s notification of a material systems incident as well as our role in addressing a material systems incident.
Current Requirements and Expectations
Reporting of Material Systems Incidents
Paragraph 12.1(c) of NI 21-101 requires, in part, a marketplace to promptly notify securities regulators and, if applicable, its regulation services provider (RSP) of any material systems failure, malfunction or delay. With respect to what constitutes “material”, subsection 14.1(4) of Companion Policy 21-101CP states that the CSA considers a failure, malfunction or delay to be “material” if the marketplace would in the normal course of operations escalate the matter to or inform its senior management ultimately accountable for technology. For the purpose of paragraph 12.1(c) of NI 21-101, the determination of the materiality of a systems failure, malfunction or delay is made by the marketplace.[2]
With respect to “promptly notify the regulator” under paragraph 12.1(c) of NI 21-101, our expectation is that a marketplace will notify the CSA of a material systems incident, orally or in writing, upon escalating the matter to its senior management.
Further, under subsection 6.3(1) of NI 23-101, if a marketplace experiences a failure, malfunction or material delay of its systems, equipment or its ability to disseminate marketplace data, the marketplace must immediately notify:
(a) all other marketplaces;
(b) all regulation services providers;
(c) its marketplace participants; and
(d) any information processor or, if there is no information processor, any information vendor that disseminates its data under Part 7 of NI 21-101.
Although a marketplace may broadcast general public announcements pursuant to subsection 6.3(1) of NI 23-101, generic public notification does not qualify as notification to the regulator under paragraph 12.1(c) of NI 21-101, even if CSA Staff subscribe to, and receive, a marketplace’s public announcements. To comply with the notification requirement under paragraph 12.1(c) of NI 21-101, designated personnel of the marketplace must contact CSA Staff directly, orally or in writing, upon escalating the matter to its senior management.
In addition to initial notification, paragraph 12.1(c) of NI 21-101 also requires that for specified systems, a marketplace must “provide timely updates on the status of the failure, malfunction, delay or security breach, the resumption of service and the results of the marketplace’s internal review of the failure, malfunction, delay or security breach.”
As a result of the initiative to align requirements for all marketplaces, section 13 of the Guidelines clarifies CSA Staff’s expectations with respect to the information that should be included in a marketplace’s initial notification, follow-up notification(s), notification of resumption of service and post mortem report of a material system incident.
Periodic Reporting of Systems Outages
Form 21-101F3 requires, in part, the reporting of any outages that occurred at any time during the period for any system relating to trading activity, including trading, routing or data. For each outage, a marketplace is required to provide the date, duration and reason for the outage and its resolution. The information reported by a marketplace in Form 21-101F3 summarizes all the outages that were required to be reported by the marketplace under paragraph 12.1(c) of NI 21-101 during the previous quarter.
Overview of CSA Staff’s Role
Notification of material systems incidents provides CSA Staff with information about any material event related to a marketplace’s production systems or networks. Steps taken in addressing a material systems incident include identifying CSA Staff that will be involved in responding, communicating with the CSA and, where appropriate, other regulators and developing recommendations for determining an appropriate course of action[3].
The objective of the filing and review of a marketplace’s notification of a material systems incident is to foster fair and efficient capital markets and confidence in those markets. Consequently, we expect an appropriate degree of transparency and timely notification of a material systems incident to the CSA, RSPs and the public. Timely notification is important so that the CSA, investors and market participants may be better informed as to how a material systems incident impacts the operations of an affected marketplace and the market as a whole, and thus take appropriate steps in the event of loss of service.
To facilitate the reporting of material systems incidents by marketplaces, CSA Staff has developed the Guidelines at Annex A. The Guidelines are intended to summarize a marketplace’s reporting obligations under the appropriate regulatory requirements and to provide transparency in respect of CSA Staff’s expectations for the timing, method of delivery and content of a marketplace’s notification of a material systems incident.
Questions
Please refer your questions to any of the following:
- Christopher Byers, Senior Legal Counsel, Market Regulation, Ontario Securities Commission
- Alina Bazavan, Senior Analyst, Market Regulation, Ontario Securities Commission
- Alex Petro, Trading Specialist, Market Regulation, Ontario Securities Commission, apetro@osc.gov.on.ca
- Serge Boisvert, Regulatory Analyst, Direction des bourses et des OAR, Autorité des marchés financiers, serge.boisvert@lautorite.qc.ca
- Herman Tan, Senior Analyst, Market Structures, Autorité des marchés financiers, Herman.Tan@lautorite.qc.ca
- Sasha Cekerevac, Senior Analyst, Market Structure, Alberta Securities Commission
- Doug MacKay, Manager, Market and SRO Oversight, British Columbia Securities Commission
ANNEX A
Marketplace Regulatory Incident Reporting Guidelines
Application
1. The Marketplace Regulatory Incident Reporting Guidelines (Guidelines) apply to recognized exchanges (Exchanges) and alternative trading systems (ATSs) (together, Marketplaces) carrying on business in the jurisdictions of the Canadian Securities Administrators (CSA) and are intended to facilitate incident reporting by Marketplaces to the CSA.
Requirements
2. Incident reporting is part of a Marketplace’s obligations under National Instrument 21-101 Marketplace Operation (NI 21-101). Each Marketplace is required to notify the appropriate securities regulatory authority when it experiences a material systems incident. Additionally, each Marketplace is required to inform the Investment Industry Regulatory Organization of Canada (IIROC) when it experiences a material systems incident.
3. The CSA requires information concerning material systems incidents involving a Marketplace in order to address the incident (as appropriate), to respond to inquiries from capital market participants, and to identify trends, all of which help the CSA manage systemic risk in the Canadian capital markets, and to otherwise assist in discharging its regulatory obligations.
4. The Guidelines are intended to summarize a Marketplace’s reporting obligations under the regulatory requirements and to provide guidance to Marketplaces in respect of CSA Staff’s expectations of how Marketplaces should comply with those requirements. The Guidelines are not intended to modify, amend, conflict with or override the regulatory requirements in any way or to create any new or different obligations on the part of a Marketplace.
Reportable Incidents
5. A Marketplace is required to report information about material events related to its production systems or networks. Specifically, paragraph 12.1(c) of NI 21-101 requires:
“…for each system, operated by or on behalf of the marketplace, that supports order entry, order routing, execution, trade reporting, trade comparison, data feeds, market surveillance and trade clearing, a marketplace must promptly notify the regulator and, if applicable, its regulation services provider, of any material systems failure, malfunction, delay or security breach…”
6. With respect to security breaches, subsection 14.1(2.1) of Companion Policy 21-101 CP Marketplace Operation (NI 21-101CP) states that:
“…a material security breach or systems intrusion is any unauthorized entry into any of the systems that support the functions listed in section 12.1 of the Instrument or any system that shares network resources with one or more of these systems. Virtually any security breach would be considered material and thus reportable to the regulator. The onus would be on the marketplace to document the reasons for any security breach it did not consider material.”
7. With respect to what constitutes “material”, subsection 14.1(4) of NI 21-101CP states that:
“…the Canadian securities regulatory authorities consider a failure, malfunction or delay to be “material” if the marketplace would in the normal course of operations escalate the matter to or inform its senior management ultimately accountable for technology.”
8. For the purpose of paragraph 12.1(c) of NI 21-101, the determination of the materiality of a systems failure, malfunction or delay is made by the Marketplace.[4]
9. For purposes of these Guidelines, reportable incidents do not include a Marketplace’s regulatory reporting requirements which arise in the normal course of business or operations such as periodic reporting or filing obligations, prior notice or prior approval requirements, or notifications of changes or applications for regulatory approval or decision, or a Marketplace’s reporting obligations to participants or other stakeholders.
10. If Marketplace staff are uncertain of whether to report an incident, they should contact CSA Staff to discuss. If Marketplace staff report an event that does not require follow-up, CSA Staff will advise that no further reporting is necessary for the incident.
Reportable Incidents: Reporting Content and Lifecycle
11. Reportable incidents pursuant to paragraph 12.1(c) of NI 21-101 require “prompt” notification to the regulator and, if applicable, the marketplace’s RSP. Our expectation is that a Marketplace will provide initial notification to the regulator and, if applicable, the marketplace’s RSP of a material systems incident, orally or in writing, immediately upon escalating the matter to its senior management.
Although a Marketplace may broadcast general public announcements pursuant to subsection 6.3(1) of National Instrument 23-101 Trading Rules (NI 23-101), generic public notification does not qualify as notification to the regulator under paragraph 12.1(c) of NI 21-101, even if CSA Staff subscribe to, and receive, a Marketplace’s public announcements.
12. Notification should consist of an initial notification, one or more follow-up notification(s) to provide updates on the status of the failure, if appropriate, notification of the resumption of service and a post-mortem report.
a. Initial Notification
The initial notification should be provided orally or in writing and consist of:
i. a brief description of the nature of the incident;
ii. the date and time when the incident was identified;
iii. system(s) impacted by the incident;
iv. the manner in which it was identified;
v. any initial mitigation actions and/or planned next steps;
vi. brief description of how information is being communicated to Marketplace participants and other stakeholders;
vii. if known, the anticipated duration of the incident and the potential impact to the Marketplace, its participants and/or the capital markets; and
viii. any other information specified in Schedule A that is applicable and available at the time of the initial notification.
b. Follow-up Notification(s)
i. A Marketplace should provide timely updates with respect to changes in:
1. the system(s) impacted by the incident;
2. the impact to the Marketplace, its participants and/or the capital markets; and
3. the anticipated duration of the incident.
ii. If a Marketplace determines that, having followed its internal processes, it will not resume service for an extended period of time or, in any event, will not resume service by the end of the day on which the incident first occurred, the marketplace should notify the regulator and, if applicable, its regulation services provider prior to notifying marketplace participants of that determination.
iii. A Marketplace should provide the regulator with a detailed incident report by email as soon as practicable. We expect a Marketplace to provide a detailed incident report no later than 5 business days following the discovery of the incident. The report should include all the information described in Schedule A that is applicable and known to the Marketplace at that time and not already provided to the regulator in the initial notification.
iv. If the underlying cause of the incident has not been identified and adequately remediated by the time the follow-up notification is provided, we expect the Marketplace to provide daily updates on progress until the incident has been fully resolved.
c. Notification of Resumption of Service
Immediate notification of resumption of service should be provided orally or in writing to the regulator and, if applicable, the marketplace’s RSP, on resumption of normal service and should consist of:
i. the date and time of resumption of service;
ii. changes in services available; and
iii. a brief description of outstanding issues.
d. Post Mortem Report
A Marketplace should provide a detailed post mortem report. We expect a Marketplace to provide a detailed post mortem report no later than 15 business days after the incident has been fully resolved. This report should include any applicable information described in Schedule A that has not already been reported to regulators or any revision to such information.
Confidential Information
13. A Marketplace should communicate confidential matters to the CSA in accordance with a key staff contact list, which the Marketplace should maintain and update on a regular basis.
Schedule A
Reportable Incident Information
This Schedule A to the Guidelines provides additional information points that marketplaces should consider including in the various notifications and reports referred to in section 12 of the Guidelines, as applicable. In particular, marketplaces should consider including the following information, as applicable, in the initial notification under paragraph 12.a., the detailed incident report under subparagraph 12.b.ii., and the post-mortem report under paragraph 12.d.
1. When did the incident occur? Specify the relevant date(s) and the time interval over which the incident occurred.
2. Provide details of the incident.
3. What is the root cause of the incident, e.g. human error, process error, system (hardware, software) issue, external issue?
4. What is the impact of the incident on the Marketplace, its participants and other stakeholders?
Provide information on:
i. the nature of the disruption;
ii. the duration of the delay or outage;
iii. other core systems impacted;
iv. actual or potential risk exposure;
v. the financial impact; and
vi. criteria used to determine whether the incident impacts the ability of the Marketplace to provide a “fair and orderly market”.
5. Information about any clearing issues or disruption of domestic or cross-border trade, if applicable.
6. When was the incident identified?
7. How was the incident identified?
8. Has the incident been rectified? If yes, explain how and when the incident was rectified. If no, detail the actions that are planned to rectify the incident, including the associated controls. Include detail on the expected timeframe to complete these actions. If not applicable, explain why.
9. Detail any further changes to the Marketplace’s systems, procedures or controls that have been made or are planned as a result of the identification of the incident.
10. Provide any additional information pertaining to this matter.
11. Where it becomes reasonably likely that a reportable incident will materialize, the report should include details of the potential incident, its probability of occurring, an estimate as to when the incident may occur, its estimated potential impact, and any mitigation or preventative actions taken or planned.
[1] In this notice, “material systems incident” refers to a material systems failure, malfunction, delay or security breach that affects a system, operated by or on behalf of the marketplace, that supports order entry, order routing, execution, trade reporting, trade comparison, data feeds, market surveillance and trade clearing as required under subsection 12.1 of NI 21-101 System Requirements.
[2] In Ontario, the Automation Review Program (ARP) was established in 2002 to provide a framework for the regulatory oversight of systems capacity and reliability for certain market infrastructure entities, including recognized exchanges and clearing agencies carrying on business in Ontario. Among other things, the ARP provided for the immediate reporting of material system incidents and suggested that the determination of materiality should relate to the impact that the loss of service will have on marketplace participants generally. (Please refer to http://www.osc.gov.on.ca/en/19930.htm)
[3] Please refer to CSA Staff Notice 11-338 CSA Market Disruption Coordination Plan at http://www.osc.gov.on.ca/en/SecuritiesLaw_csa_20181018_11-338_market-disruption-coordination-plan.htm
[4] In Ontario, the Automation Review Program (ARP) was established in 2002 to provide a framework for the regulatory oversight of systems capacity and reliability for certain market infrastructure entities, including recognized exchanges and clearing agencies carrying on business in Ontario. Among other things, the ARP provided for the immediate reporting of material system incidents and suggested that the determination of materiality should relate to the impact that the loss of service will have on marketplace participants generally. Please refer to http://www.osc.gov.on.ca/en/19930.htm