In a climate where cyber risk is a rapidly “growing and significant threat to the integrity, efficiency and soundness of financial markets worldwide”, reporting issuers and marketplace participants who fail to develop specialized systems for dealing with cyber security risk do so at their peril. Within that climate, in its recently released report Cyber Security in Securities Markets – An International Perspective[1], the Board of the International Organization of Securities Commissions (“IOSCO”) reviews the regulatory approaches to cyber security adopted by its various members and makes the case for a coordinated global approach to cyber security issues in securities markets. In doing so, the IOSCO Report also provides helpful guidance to reporting issuers and marketplace participants on the standards to which they may be held when subject to a cyber security incident. The Report’s key findings are summarized below.
Securities Regulators
The IOSCO Report reviews the various approaches, ranging in both scope and depth, that governments and regulators are taking in order to mitigate cyber risk in securities markets. While many countries govern cyber security through securities regulations and technical requirements, the Report concludes there is no “one size fits all” approach. That is, in places where regulatory requirements exist they tend to vary across jurisdictions and financial authorities. On the other hand, some jurisdictions have chosen to adopt non-regulatory requirements through self-regulatory governance rules and risk control systems procedures.
The IOSCO Report also observes that regulators have adopted a variety of tools to enhance the cyber security frameworks of marketplace participants. For example, some regulators have sought to raise awareness of cyber security issues through “examination sweeps” and by issuing cyber security guidelines or frameworks. Other regulators have performed coordinated drills to simulate cyber breaches and have involved self-regulatory organizations, trading venues, financial market infrastructures, and various marketplace participants in these exercises.
Reporting Issuers
The IOSCO Report underscores the need for reporting issuers to comply with existing disclosure obligations in order to ensure that investors receive material information relating to cyber risk. In particular, the Report provides examples of key considerations for issuers when they have experienced a material cyber risk. The Report also encourages its members to keep these key considerations in mind when determining issuer disclosure obligations in their respective jurisdictions. Key considerations reviewed in the Report include the source and nature of cyber risk faced by the reporting issuer; how such risks may materialize; the possible outcomes of a cyber incident (including the effects on disclosure requirements); and the adequacy of preventative measures for mitigating cyber risk.
Marketplace Participants
The IOSCO Report confirms that corporate governance tailored to specifically address cyber risk is a fundamental component of any management approach. To that end, it suggests that cyber security should be an integral part of any marketplace participant’s risk management program, and that in particular, marketplace participants’ cyber risk management plans should include the following elements:
- Identification of critical assets and information systems, which may include ongoing inventory of all hardware and software, and assessments of third party and technology providers’ security systems.
- Protection measures in respect of critical assets and information systems, which may be organizational/administrative (i.e. establishing security operations centres), technical (i.e. employing anti-virus and intrusion prevention systems), and educational (employee training and awareness programs).
- Detection of abnormal activity through ongoing internal and external monitoring. For instance, many regulated entities have developed cyber threat teams and engage in file servers integrity and database activity monitoring to detect unauthorized behaviour.
- Response systems in place to respond to cyber security threats. This includes communication plans to inform relevant stakeholders of cyber breaches and methods for analyzing cyber breaches.
- Recovery plans should also be in place to restore systems that were compromised during a cyber breach.
The IOSCO Report further emphasizes the importance of the sharing of information on cyber risk between marketplace participants and regulators in order to allow “organizations to tap into a broader community’s intelligence, capabilities, knowledge and experience”.
Similar to the IOSCO Report, the Canadian Securities Administrators (“CSA”) have also indicated that “[s]trong and tailored cyber security measures” should play a key role in marketplace participants’ efforts to ensure reliability of operations and protection of confidential information.[2] The CSA suggests that all issuers, registrants, and regulated entities educate staff on the importance of their role in ensuring the security of firm and client information and computer security; follow guidance and best practices from industry associations and recognized information security organizations; and conduct regular third-party vulnerability and security tests.[3] As discussed in a previous blog post, the CSA also suggests that reporting issuers consider whether cyber risk, incidents, and controls need to be disclosed in a prospectus or continuous disclosure filing.
In a harbinger of the regulators’ movement toward creating internationally coordinated cyber security standards for regulated entities, the IOSCO Report and statements from the CSA send a clear message that cyber security issues must be specifically and appropriately addressed by marketplace participants and provides them with suggested protocol for doing so.
[1] The IOSCO Report was released April 6, 2016.
[2] CSA Staff Notice 11-326, “Cyber Security”, http://www.osc.gov.on.ca/documents/en/Securities-Category1/csa_20130926_11-326_cyber-security.pdf as discussed in Simon Hodgett, Sam Ip, and Janet Salter’s January 2014 article in Internet in E-Commerce Law in Canada titled “Cyber Security Considerations from Public Companies”, https://www.osler.com/uploadedFiles/Our_People/Profiles/H/Internet-ECommerceLaw%20Jan2014%20vol%2014%20no9.pdf.
[3] Ibid.