Canada’s securities regulators have updated their cybersecurity guidance after identifying significant gaps in the practices of many registered firms. The Canadian Securities Administrators (CSA), a collective of provincial and territorial regulators, announced the revised guidance on Wednesday following a review of cybersecurity measures at 73 firms supervised by the organization.
The firms examined included investment fund managers, portfolio managers, and exempt market dealers. The review assessed written cybersecurity policies, employee training programs, risk controls, incident response plans, and oversight of third-party service providers.
While larger firms generally demonstrated robust cybersecurity protocols, the CSA found widespread deficiencies across the sector. More than half of the firms—55 percent—had written policies and procedures that required improvement, and 8 percent lacked documented policies altogether. According to the CSA, firms should update their cybersecurity policies at least annually to keep pace with the evolving threat landscape.
The review also revealed that 21 percent of firms did not provide cybersecurity training to employees. Additionally, 62 percent had inadequate documentation concerning their supervision of third-party service providers whose systems they depend on.
Incident response preparedness was another concern. About 15 percent of firms had no written response plan in place, while over half of those with plans could improve their effectiveness. Furthermore, 63 percent of firms with incident response plans had not tested them regularly, diminishing their readiness to address potential breaches.
The CSA emphasized the escalating cybersecurity risks driven by advancements in artificial intelligence and the increasing use of digital platforms, especially within financial services. AI-powered cyberattacks capable of exploiting software vulnerabilities pose a growing threat to the stability of financial systems worldwide.
“The CSA wants to be clear with registrants that strong cybersecurity practices are not optional in today’s threat environment,” said Stan Magidson, chair of the CSA and chief executive officer of the Alberta Securities Commission. “Our guidance is intended to help firms establish and maintain cybersecurity practices that are appropriate to their size and operations, and are responsive to an evolving threat landscape.”
This updated guidance builds on the CSA’s original cybersecurity recommendations issued in 2017. The regulators noted that the sector’s increasing reliance on digital tools, hybrid work arrangements, and online client platforms has magnified exposure to cyber risks.
“We expect firms to review this guidance, assess their own cybersecurity practices, identify any gaps and take proactive steps to address them,” Magidson added. The CSA’s announcement underscores the regulatory focus on strengthening cybersecurity resilience within Canada’s securities industry amid a persistently complex and shifting cyber threat environment.
