Canadian Securities Regulators Tells Registered Firms to Strengthen Cybersecurity After Review Finds Gaps
Key Takeaways
- CSA Reviews Cybersecurity at 73 Registered Firms: The regulator's focused compliance examination sweep assessed cybersecurity practices at 73 registered firms across areas including governance, employee training, risk assessments, third-party oversight, and incident response.
- Many Firms Show Strong Cybersecurity Practices: The CSA found that a number of firms examined, particularly larger registrants, had robust cybersecurity policies and procedures already in place.
- Examinations Identified Areas for Improvement: Despite generally positive findings, the review identified gaps where firms could strengthen their cybersecurity practices, and compliance feedback was provided to the relevant firms.
- New Guidance Is Intended for Firms of All Sizes: CSA Staff Notice 33-322 provides updated, practical, and scalable guidance that recognizes cybersecurity risks and available resources vary across large, small, and medium-sized registered firms.
- Regulators Expect Proactive Reviews: The CSA expects registered firms to assess their cybersecurity practices, identify any gaps, and take proactive steps to strengthen their cybersecurity frameworks where appropriate.
Deep Dive
The Canadian Securities Administrators did not set out to measure how many firms had suffered cyber incidents. Instead, it examined something more revealing: whether the safeguards meant to prevent those incidents were keeping pace with the way financial firms now operate.
Its conclusion, released Wednesday, is neither reassuring nor alarming. Many registered firms, particularly larger ones, have developed robust cybersecurity policies and procedures. Yet the review also found gaps that regulators believe warrant attention, prompting the publication of new guidance intended to help firms strengthen their cybersecurity frameworks before those weaknesses become more consequential.
The findings appear in CSA Staff Notice 33-322: Review of Registered Firms' Cybersecurity Practices and Additional Guidance, which follows a focused compliance examination sweep of 73 registered firms across Canada.
The sweep examined a broad cross-section of cybersecurity governance, including firms' cybersecurity policies and procedures, employee training, risk assessments and controls, oversight of third-party service providers, and incident response planning.
Overall, the CSA said many of the firms it examined had established strong cybersecurity programs, particularly among larger registrants. At the same time, the examinations identified areas where firms could strengthen their cybersecurity practices. Compliance feedback has been provided to the firms concerned to address those findings.
The notice is intended to do more than summarize the results of the examination. It also provides updated guidance designed to be practical and scalable for firms of different sizes, including small and medium-sized registrants. The CSA said the guidance recognizes that cybersecurity risks, operational complexity, and available resources vary across firms.
"The CSA wants to be clear with registrants that strong cybersecurity practices are not optional in today's threat environment," said Stan Magidson, Chair of the CSA and Chair and CEO of the Alberta Securities Commission.
Magidson said the guidance is intended to help firms establish and maintain cybersecurity practices that are appropriate to their size and operations while remaining responsive to an evolving threat landscape. He added that cybersecurity risks continue to grow as firms rely more heavily on digital tools, hybrid work arrangements, and online platforms to serve clients.
"We expect firms to review this guidance, assess their own cybersecurity practices, identify any gaps, and take proactive steps to address them," Magidson said. While the examinations found that many registered firms already have cybersecurity frameworks in place, he said they also identified areas where some firms could further strengthen their practices.
The CSA said its staff expect registered firms to maintain robust cybersecurity practices that are appropriate to their businesses and encouraged firms to use the notice to evaluate whether their existing cybersecurity programs can be improved in light of their current operations.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

