On October 19, 2017, the Canadian Securities Administrators (“CSA”) published CSA Staff Notice 33-321 Cyber Security and Social Media (the “Notice”), which summarizes survey results on registered firms’ cyber security and social media practices and provides guidance to firms in these areas.
According to the Notice, over the last few years both cyber threats and issues surrounding social media have posed growing risks for registered firms. Between October and November 2016, the CSA conducted a survey designed to gather information from 1,000 firms registered as investment fund managers, portfolio managers, and exempt market dealers, to form the basis for guidance on cyber security and social media practices.
CSA staff report that 51% of firms surveyed experienced a cyber security incident in 2016. Of the firms surveyed, 43% reported phishing incidents, 18% reported incidents involving malware, and 15% reported fraudulent email attempts to transfer funds or securities. The survey also found that most firms have policies and procedures on social media practices. While 59% of firms surveyed have guidelines on the appropriate and inappropriate use of social media, only 36% reported having policies and procedures in place specifically regarding the training of employees in social media use, and 21% had specific recordkeeping policies for social media communications.
In terms of guidance, CSA staff recommend that firms have policies and procedures in place that not only address the following areas but also ensure that employees are adequately trained in them:
• use of electronic communications, including the types of information that may be collected or sent through email, use of secured or unsecured communication systems and the verification of client instructions sent electronically;
• use of firm-issued electronic devices, including the use of such devices to externally access the firm’s network and data;
• the loss or disposal of an electronic device, including electronic storage devices;
• use of public electronic devices or public internet connections to remotely access the firm’s network and data, including to access client communications or client information;
• detecting internal or external unauthorized activity on the firm’s network or electronic devices (e.g., hacking attempts, phishing or suspicious emails, malware);
• ensuring software, including anti-virus programs, is updated in a timely manner;
• overseeing third-party vendors or service providers with access to the firm’s network or data (e.g., vetting, confidentiality); and,
• reporting any cyber security incidents to the board of directors (or equivalent).
On the subject of social media, CSA staff also issued guidance advising that firms should review, supervise, retain and be able to retrieve social media content. Policies and procedures on social media practices should include:
• guidelines on the appropriate use of social media, including the use of social media for business purposes;
• guidelines on what content is permitted when using social media;
• procedures for ensuring that social media content is current;
• record keeping requirements for social media content; and,
• reviews and approvals of social media content, including evidence of such reviews and approvals.
CSA staff recommend that these policies and procedures be designed to safeguard the confidentiality, integrity, and availability of the firm’s data, including the personal information of clients. To keep pace with changing cyber threats, firms should review and update these policies and procedures frequently.
CSA Staff Notice 33-321 Cyber Security and Social Media is available for download from the websites of participating member jurisdictions.
For more information, please call Barbara Hendrickson at BAX Securities Law, (416) 601-1004.
This publication is not intended to constitute legal advice. No one should act on it or refrain from acting on it without consulting with a lawyer. BAX does not warrant or guarantee the accuracy or currency or completeness of the publication. No part of this publication may be reproduced without the prior written permission of BAX Securities Law.