CSA reviews 73 firms, flags cybersecurity gaps and issues new guidance

The regulator flagged five weak spots - one tripped up most firms it reviewed

CSA reviews 73 firms, flags cybersecurity gaps and issues new guidance

Canada's securities regulators examined cybersecurity at 73 registered firms, found gaps at many of them and issued new guidance for dealers, advisers and fund managers.

The Canadian Securities Administrators published CSA Staff Notice 33-322 on July 15, 2026, closing out a compliance sweep that began in July 2025. The review looked at investment fund managers, portfolio managers, restricted portfolio managers and exempt market dealers, and measured their practices against section 11.1 of Regulation 31-103, which requires firms to manage business risks - including cyber threats - through adequate controls.

The regulators said many firms, particularly larger ones, already had strong programs. But the notice catalogues where others fell short, and the figures give advisers and their compliance teams a clear benchmark.

On written policies, 8 percent of firms had none at all, and 55 percent had policies that could be improved. Training was a weaker spot. Twenty-one percent of firms provided no cybersecurity training to employees. Among those that did train staff, another 21 percent could have made the training more comprehensive, and 16 percent kept little or no record that it happened.

Risk assessments drew similar comments. Staff said 45 percent of firms ran assessments that could have been more rigorous, and 12 percent had no documentation of an assessment during the review period. Oversight of outside vendors stood out. Every firm examined used third-party service providers with access to its systems or data, yet 41 percent could tighten their oversight and 62 percent kept little or no documentation of it.

Incident response planning showed the same pattern. Fifteen percent of firms had no written plan at all. Among those that had one, 53 percent could have made it stronger and 63 percent should have tested it more regularly. Separately, 62 percent of firms told staff they carry cybersecurity insurance, which the regulators described as helpful though not required.

The notice leans on scalability, telling smaller firms they need not match the frameworks of large institutions so long as real risks are addressed. It updates guidance the CSA first set out in 2017 and points firms back to that earlier notice.

Stan Magidson, the CSA chair who also leads the Alberta Securities Commission, said strong cybersecurity practices "are not optional in today's threat environment." Staff have already given compliance feedback to the firms they reviewed and expect every registrant to check its own practices for gaps.

The full text of CSA Staff Notice 33-322 Review of Registered Firms' Cybersecurity Practices and Additional Guidance is available at https://lautorite.qc.ca/fileadmin/lautorite/reglementation/valeurs-mobilieres/0-avis-acvm-staff/2026/2026juil15-33-322-avis-acvm-en.pdf.

LATEST NEWS