On October 18, 2018, the Canadian Securities Administrators (CSA) published CSA Staff Notice 11-338, CSA Market Disruption Coordination Plan (The Staff Notice), detailing the CSA’s plans to deal with a disruption in the Canadian capital markets, including one that stems from a large-scale cybersecurity incident.
In the Staff Notice, CSA staff note that market participants face potential risks relating to systems integrity and that the CSA has undertaken a number of measures related to systems requirements and cybersecurity to bolster the resilience of the capital markets in Canada and mitigate risk, as detailed, for example, in National Instrument 21-101 Marketplace Operation (NI 21-101) and National Instrument 24-102 Clearing Agency Requirements (NI 24-102). National Instrument 31-103 Registration Requirements, Exemptions, and Ongoing Registrant Obligations (NI 31-103) also include internal controls and systems requirements applicable to registrants.
Focusing on cybersecurity issues, the CSA has published two separate staff notices dealing with the matter, CSA Staff Notice 11-326 Cyber Security (the 2013 Notice) and CSA Staff Notice 11-332 Cyber Security (the 2016 Notice) and has hosted a roundtable of market participants and other stakeholders in 2017 and published CSA Staff Notice 11-336 Summary of CSA Roundtable on Response to Cyber Security Incidents as a result of this meeting.
The CSA defines a market disruption event as an event or series of events that prevent market participants from operating in a regular manner. While CSA staff note that while it is not possible to anticipate all market disruption events, they do note some possible disruption events, including those stemming from cybersecurity incidents, physical disasters, major geopolitical events, critical infrastructure disruptions, default of a key or integrated investment dealer, and disruptions on foreign marketplaces. The overarching goal of the CSA is to ensure that markets continue to be fair, efficient and orderly, and overall market integrity is not compromised.
An incident, such as a material systems failure, malfunction, delay or security breach, may not qualify as a market disruption event, but still will be material if the marketplace or clearing agency in the normal course of events would inform its senior management responsible for technology. Each registrant is required to notify its respective regulator when it experiences a material systems incident. Prompt notification of a material systems incident will put CSA staff on alert and, accordingly, they can consider whether the incident has market-wide implications, and thus qualify as a market disruption event.
In the event of a market disruption, CSA staff will identify the relevant actions that should be undertaken until an affected regulated entity has normalized operations. CSA staff have developed specific procedures for a cybersecurity event, that emphasize the speed at which the disruption advances, the risk of contagion and communication with other relevant federal and provincial organizations.
The CSA notes that when responding to an incident, it will first consider its materiality. CSA staff will gather information regarding the developing situation and, if necessary, will take action. In the event of a market disruption, the CSA will work with the participating jurisdictions and other external parties, including IIROC, MFDA, CIPF, OSFI and the Bank of Canada, where appropriate, and developing recommendations for determining an appropriate course of action.
CSA Staff Notice 11-338 is available for download from the websites of the participating jurisdictions.
For more information, please call Barbara Hendrickson at BAX Securities Law (416) 601 -1004.
This publication is not intended to constitute legal advice. No one should act on it or refrain from acting on it without consulting with a lawyer. BAX does not warrant or guarantee the accuracy or currency or completeness of the publication. No part of this publication may be reproduced without the prior written permission of BAX Securities Law.