Earlier this year, we reported on continuing efforts by the Canadian Securities Administrators (the CSA) to inform the market about cyber security best practices with the publication of Multilateral Staff Notice 51-347 which concerned the disclosure of cyber security, attacks, and risks.
The CSA’s efforts continue with CSA Staff Notice 33-321 (the Staff Notice) as the CSA turns its attention to firms’ social media practices.
Eat your vegetables, floss every day, and mind your cyber security
In coordination with regulators worldwide, the CSA continues to press firms to treat cyber security as a key part of their ordinary business practices. The CSA has identified cyber security as a priority area in its 2016-2019 Business Plan, and has taken a variety of initiatives to educate the market about the growing frequency, magnitude and complexity of cyber attacks. Such attacks can range from receiving fraudulent invoices to co-ordinated “ransomware” attacks.
Media reports of targeted cyber attacks on large companies continued to roll in over the past year. Victims include companies such as Yahoo, BNP Paribas, Sony, and Equifax. Even the U.S. Securities Exchange Commission has announced that it may have been the victim of such an attack.
The CSA’s Staff Notice flagged some of the important findings of its November 2016 survey of Canadian issuers, including findings that:
- approximately 51% of surveyed firms experienced a cyber security incident in the year surveyed;
- phishing was the most common reported incident, experienced by 43% of surveyed firms;
- malware incidents and impersonation attempts were reported by 18% and 15% of surveyed firms, respectively;
- only 57% of surveyed firms had specific policies and procedures in place regarding continued operation during a cyber security incident, and only 56% had policies and procedures for the training of employees about cyber security;
- 14% of surveyed firms do not conduct an annual cyber security risk assessment;
- 92% of surveyed firms have engaged third-party vendors or consultants, with the majority of surveyed firms conducting due diligence on the security practices of these third parties; and
- 59% of surveyed firms do not have specific cyber security insurance.
The Staff Notice then set out guidance on how firms should respond to cyber security risks, including that firms should:
- have specific policies and procedures addressing the use of electronic communication, the use of firm-issued electronic devices, the detection of unauthorized activity, and the reporting to appropriate personnel;
- educate employees, who are often the first line of defence against an attack, on the risks associated with data they may collect, as well as the changing nature of cyber threats;
- conduct risk assessments at least annually on the inventory of the firm’s critical assets and confidential data, areas of the firm’s operations that are vulnerable to cyber threats, and the adequacy of the firm’s preventative controls and incident response plan;
- develop a written incident response plan outlining who is responsible for disclosing cyber security incidents, the type of incidents that may occur, procedures to stop an occurring incident, procedures for the recovery of data, and investigation of the incident to determine the extent of damage and future preventative measures;
- periodically evaluate the adequacy of safeguards against cyber security incidents, and the handling of these incidents, by any third parties that have access to the firm’s systems and data; include cyber security provisions in written agreements with such third parties; understand the security practices of any cloud services used; and have procedures in place in the event that data stored on cloud services is not accessible;
- encrypt and password-protect all electronic devices, ensure secure access to portals used for accessing the firm’s systems and data, and regularly back up data and test the back-up processes; and
- review existing insurance policies to ensure coverage of cyber security incidents.
Securities law meets your firm’s Instagram page
The Staff Notice also warns that social media may be used as a vehicle to carry out cyber attacks, particularly phishing or malware attacks. The Staff Notice pointed to statistics gathered for the purpose of publishing a previous staff notice, CSA Staff Notice 31-325, which concerned record-keeping for social media used by firms for marketing. In the cyber security context, the CSA noted that:
- firms should implement policies and procedures on the appropriate use of social media and for the review, approval, and record keeping of social media content; and
- firms should have approval and monitoring means for social media communications and, if firms do not permit the use of social media, means of monitoring for unauthorized use.
The CSA continues to add to its library of publications on what firms should be doing in response to cyber security threats. It will not be long before Canadian securities regulators take a more active enforcement role against firms that fall behind the standard. We have already seen multiple class actions launched against firms that have been the victim of a cyber attack, including Target, Home Depot, Avid Dating and Avid Life (Ashley Madison), and Equifax. We expect that Canadian regulators will be seeking opportunities for enforcement actions as we look forward to 2018.
The author would like to thank Alexandre Kokach, Student-At-Law, for his contribution to this article.