Protection of data and personal information

In the securities and derivatives sectors, a number of regulations and notices cover risks related to information technology and cybersecurity, including the protection of personal data.

Cybersecurity

As stated in CSA Staff Notice 11-332 – Cyber Security (pdf - 71 KB, updated on September 26, 2016), the AMF expects registrants to continue to remain vigilant in developing, implementing and updating their approach to cyber security hygiene and management. The AMF has published several issues of Info-conformité on the importance of implementing measures to mitigate the risks associated with information security: Info-Conformité volume 4, numéro 4 (in French only) and Info-Conformité volume 6, numéro 4 (in French only).

Although the general approach is similar in both sectors, the regulations and related notices differ according to the type of registrant.

Registered firms – Dealer, adviser and investment fund manager

Under section 11.1 of Regulation 31-103 respecting Registration Requirements, Exemptions and Ongoing Registrant Obligations (pdf - 3 MB, updated on January 8, 2020; in force since December 31, 2019), a registered firm must establish, maintain and apply policies and procedures that establish a system of controls and supervision sufficient to provide reasonable assurance that the firm and each individual acting on its behalf complies with securities legislation, and to manage the risks associated with its business in accordance with prudent business practices.

Registered firms must implement adequate controls to protect client assets and mitigate risks, in particular risks of cyber threats. CSA Staff Notice 33-321, Cyber Security and Social Media (pdf - 460 KB, updated on October 19, 2017), is intended to provide more specific guidance to firms by suggesting policies and procedures in the areas of cyber security and social media practices.

The Notice states that all registered firms should adopt cyber security and social media practices that include preventive measures, training for all staff and a response plan for when a cyber security incident occurs.

In addition, member firms of the Canadian Investment Regulatory Organization (CIRO) should review and follow guidance issued by that organization.

Reporting issuers

CSA Multilateral Staff Notice 51-347 – Disclosure of cyber security risks and incidents (pdf - 66 KB, updated on January 19, 2017) includes guidance on risk factor disclosure and incident reporting.

As issuers are increasingly dependent on information technology, and as cyber attacks are becoming more frequent and sophisticated, the AMF expects issuers to consider their exposure to cyber security risks when preparing their risk factor disclosure.

Relationships with third parties and outsourcing

Some registered firms outsource IT risk-related activities, including offsite information storage and network management. The registered firms nevertheless retain responsibility for protecting the information and data. Registrants must ensure that the entities to which they have outsourced activities have the required information and data protection measures in place. In this regard, the AMF recommends that registrants enter into a confidentiality and privacy protection agreement with the third party.