CSA flags cybersecurity gaps at registered firms, issues new guidance
CSA flags cybersecurity gaps at registered firms, issues new guidance
Publish Date: 2026-07-15 15:08:00
Source Domain: www.wealthprofessional.ca
On written policies, 8 percent of firms had none at all, and 55 percent had policies that could be improved. Training was a weaker spot. Twenty-one percent of firms provided no cybersecurity training to employees. Among those that did train staff, another 21 percent could have made the training more comprehensive, and 16 percent kept little or no record that it happened.
Risk assessments drew similar comments. Staff said 45 percent of firms ran assessments that could have been more rigorous, and 12 percent had no documentation of an assessment during the review period. Oversight of outside vendors stood out. Every firm examined used third-party service providers with access to its systems or data, yet 41 percent could tighten their oversight and 62 percent kept little or no documentation of it.
Incident response planning showed the same pattern. Fifteen percent of firms had no written plan at all. Among those that had one, 53 percent could have made it stronger and 63 percent should have tested it more regularly. Separately, 62 percent of firms told staff they carry cybersecurity insurance, which the regulators described as helpful though not required.
The notice leans on scalability, telling smaller firms they need not match the frameworks of large institutions so long as real risks are addressed. It updates guidance the CSA first set out in 2017 and points firms back to that earlier notice.
Stan Magidson, the CSA chair who also leads the Alberta Securities Commission, said strong cybersecurity practices “are not optional in today’s threat environment.” Staff have already given compliance feedback to the firms they reviewed and expect every registrant to check its own practices for gaps.