Warning of an increase in cybercrime, Canadian securities regulators said they will consider how firms are securing client and other sensitive data as part of their reviews of issuer disclosure and their oversight of regulated entities.
The Canadian Securities Administrators (CSA), the umbrella association of provincial and territorial securities regulators, said in a staff notice that strong and tailored cyber security measures are an important element of the controls issuers, registrants and regulated entities use to promote the reliability of their operations and to protect confidential information.
“The risk of a major cyber-attack on key Financial Market Infrastructure (FMI) has been highlighted by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE) in a recent report,” CSA said.
The CSA warned that two major types of cyber threat, denial-of-service (DoS) attacks and advanced persistent threats (APTs), have increased in both frequency and sophistication.
To manage these risks, it said issuers, registrants and regulated entities should understand the cybercrime challenges they face and take the protective and security-hygiene measures needed to safeguard themselves and their clients or stakeholders.
The CSA recommended that issuers, registrants and regulated entities consider how best to address the risks of cybercrime. Recommended steps include educating staff on the importance of computer security and of keeping the firm's own and its clients' information secure; following guidance and best practices from industry associations and recognized information security organizations; and, where appropriate, commissioning regular third-party vulnerability and security tests and assessments.
The regulators also recommended that cyber-security risk-control measures be reviewed on a regular basis.
Issuers should also consider whether the cybercrime risks to them, any cybercrime incidents they may experience, and any controls they have in place to address these risks, are matters they need to disclose in a prospectus or a continuous disclosure filing.
Registrants should consider whether their risk management systems allow them to manage the risks of cybercrime in accordance with prudent business practices. Regulated entities, especially those that are key market infrastructure entities, should consider the measures necessary to manage the risks of cybercrime, the CSA said.
The CSA will consider these issues in its reviews of issuer disclosure and in its oversight of registrants and regulated entities.