CSA Comment on Registrants’ Cybersecurity and Social Media Practices
October 23, 2017
The Canadian Securities Administrators (CSA) have published Staff Notice 33-321 Cyber Security and Social Media (Staff Notice 33-321), which summarizes survey results of registered firms’ cybersecurity and social media practices, and provides guidance on each of the survey topics, reflecting the CSA’s expectation that registered firms will be vigilant to safeguard themselves and their clients from cyber threats.
Last year, the CSA surveyed the cybersecurity and social media practices of 630 registered firms (consisting of exempt market dealers, portfolio managers and investment fund managers).
The CSA emphasized the cybersecurity risks for market participants last year in Staff Notice 11-332 Cyber Security (see our November 2016 Blakes Trends in Technology: Key Insight on Fintech and Cybersecurity).
The compliance challenges associated with social media were previously discussed by the CSA in 2011 in Staff Notice 31-325 – Marketing Practices of Portfolio Managers. At that time, the focus was on record keeping and supervision; the particular concern now is hackers using information gleaned from social media to gain entry to a firm’s computer systems. Other CSA cautions on social media were discussed in our March 2017 Blakes Bulletin: New Medium, Same Expectations: CSA Cautions Canadian Public Issuers on Use of Social Media.
The CSA found that:
- 51 per cent of firms experienced cybersecurity incidents, of which:
  - 43 per cent were phishing
  - 18 per cent were malware
  - 15 per cent were client impersonation incidents seeking to transfer funds or securities
- The majority of firms had cybersecurity policies and procedures; however, only:
  - 57 per cent covered how the firm would operate during an incident
  - 56 per cent addressed employee training
- Risk assessments were performed by most firms at least annually; however:
  - 14 per cent of firms did not conduct risk assessments
- 25 per cent of firms with incident response plans had not tested such plans
- Almost all of the firms engaged third-party service providers or vendors. Of these firms:
  - 68 per cent did due diligence on the third party’s cybersecurity practices
  - 57 per cent addressed cybersecurity in their agreements with the third party
- 30 per cent of firms did not use encryption with respect to data protection
- All but four firms performed periodic back-ups
- 41 per cent of firms had specific insurance policies for cybersecurity
The CSA provided specific guidance for each area of the survey results.
Policies and Procedures
The CSA recommend that firms develop cybersecurity policies and procedures addressing:
- Use of electronic communications, devices (including loss or disposal) and public electronic devices or internet connections and verification of client electronic instructions
- Detection of unauthorized activity (internal and external) and updating of security software
- Oversight of third parties
- Reporting of incidents to the firm’s board of directors (or similar body)
Employee training is a crucial defence and should address risk recognition, safe use and security, and proper escalation of cybersecurity incidents. The CSA recommend that firms frequently conduct training programs so that they remain current.
The CSA recommend that risk assessments be conducted at least annually. In carrying out such assessments, the CSA recommend that firms:
- Identify their confidential data, critical assets and areas of vulnerability (internal and external)
- Review how vulnerabilities and threats are identified and outline potential consequences
- Evaluate their preventative measures and response plan, then make adjustments as required
Incident Response Plans
The CSA further recommend that firms ensure they have written response plans that delineate responsibilities with respect to incident response, communication and escalation, and that response plans outline:
- The types of attacks the firm may face
- How to neutralize such attacks
- How to recover data
It’s also recommended that firms develop response procedures regarding the investigation of incidents and the identification and notification of the affected parties.
Due Diligence of Third-Party Providers
According to the CSA, access to a firm’s data and systems should be limited and all written agreements with third-party service providers and vendors should address cybersecurity matters, including the third party’s duty to notify the firms of unauthorized access and their response plans. The CSA recommend that firms carry out periodic reviews of their cybersecurity and business continuity practices relating to third parties, including cloud service providers.
The CSA recommend that:
- All electronic devices be password protected and use encryption
- Any portals providing third parties with access to the firm’s systems or data be secure
- Data be backed up off-site and the back-up process be regularly tested
Firms are advised to review existing insurance policies to determine whether additional coverage is required.
On social media practices, the CSA found that:
- 59 per cent of firms had developed social media guidelines, but of those, only:
  - 36 per cent had social media training policies and procedures
  - 21 per cent had social media record-keeping policies
- Social media monitoring was prevalent among firms; however, only 14 per cent conducted real-time monitoring
- 46 per cent of firms conducted spot checks of employees’ use of social media for business purposes
Policies and Procedures
The CSA recommend that firms supervise the posting of content on social media platforms and review and retain all content. Further, they advise that social media policies address appropriate use, permitted content, content currency, record keeping and the review and approval of content (including evidence thereof).
Monitoring Social Media Activity
Firms are advised to implement procedures for approving and monitoring social media content. If social media use is not permitted for business purposes, firms should still monitor such activities for unauthorized use.
Staff Notice 33-321 concluded by saying “CSA staff will continue to review the cyber security and social media practices of firms through compliance reviews.”
For permission to reprint articles, please contact the Blakes Client Relations & Marketing Department at firstname.lastname@example.org. © 2019 Blake, Cassels & Graydon LLP