CSA Staff Notice 11-326
Cyber Security
September 26, 2013
Strong and tailored cyber security measures are an important element of issuers', registrants' and regulated entities'[1] controls in promoting the reliability of their operations and the protection of confidential information. The risk of a major cyber attack on key Financial Market Infrastructure (FMI) has been highlighted by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE) in a recent report issued July 16, 2013.[2]
The IOSCO report defines cyber crime as "a harmful activity, executed by one group (including both grassroots groups or nationally coordinated groups) through computers, IT systems and/or the internet and targeting the computers, IT infrastructure and internet presence of another entity." Although cyber threats are not new, two major types of cyber threat, Denial of Service (DoS) attacks and Advanced Persistent Threats (APT), have recently increased in both frequency and sophistication.
To manage the risks of a cyber threat, issuers, registrants and regulated entities should be aware
of the challenges of cyber crime and should take the appropriate protective and security hygiene
measures necessary to safeguard themselves and their clients or stakeholders.
Specifically:
• Issuers, registrants and regulated entities who have not considered the risks of cyber crime to date should consider how they can best address those risks. Steps they could take include:
  o educating staff on the importance of, and their role in, protecting the security of the firm's and its clients' information and computer systems;
  o following guidance and best practices from industry associations and recognized information security organizations; and
  o as appropriate, conducting regular third party vulnerability and security tests and assessments.
• Issuers, registrants and regulated entities that have already taken steps to address the issue should review their cyber security risk control measures on a regular basis.
[1] Regulated entities include self-regulatory organizations, marketplaces, clearing agencies and information processors.
[2] "Cyber-crime, securities markets and systemic risk", joint staff working paper of the IOSCO Research Department and World Federation of Exchanges, July 16, 2013.
Issuers should consider whether the cyber crime risks to them, any cyber crime incidents they
may experience, and any controls they have in place to address these risks, are matters they need
to disclose in a prospectus or a continuous disclosure filing.
Registrants should consider whether their risk management systems allow them to manage the
risks of cyber crime in accordance with prudent business practices.
Regulated entities, especially those that are key market infrastructure entities, should consider
the measures necessary to manage the risks of cyber crime.
Future Action
The CSA will consider these issues in its reviews of issuer disclosure and in its oversight of
registrants and regulated entities.
Questions and comments
Questions and comments may be referred to:
Noreen C. Bent
Manager, Corporate Finance Legal Services
British Columbia Securities Commission
604 899 6741
nbent@bcsc.bc.ca
Tom Graham
Director, Corporate Finance
Alberta Securities Commission
403 297 5355
tom.graham@asc.ca
Samad Uddin
Senior Economist, Strategy and Operations Branch
Ontario Securities Commission
416 204 8950
suddin@osc.gov.on.ca
Leslie Byberg
Acting Director, Strategy and Operations Branch
Ontario Securities Commission
416 593 2356
lbyberg@osc.gov.on.ca
Élaine Lanouette, CPA, CA
Director, Exchanges and SROs
Market Structure Oversight Branch
Autorité des marchés financiers
Telephone: 514 395-0337 ext. 4321
Toll-free: 1 877 525-0337 ext. 4321
Elaine.Lanouette@lautorite.qc.ca
Kevin Hoyt
Director, Securities
Financial and Consumer Services Commission (New Brunswick)
506 643 7691
kevin.hoyt@fcnb.ca