The Canadian Securities Administrators published a staff notice following a focused compliance sweep of 73 registered firms’ cybersecurity practices, setting out observed practices, identified gaps and updated guidance for strengthening firms’ cybersecurity frameworks. The notice makes clear that staff expect firms to maintain robust cybersecurity practices that are appropriate to their business, size and operations, and to use the guidance to assess and strengthen their current arrangements. The review examined cybersecurity policies and procedures, employee training, risk assessments and controls, oversight of third-party service providers and incident response planning. The Canadian Securities Administrators found that many firms, particularly larger firms, had robust policies and procedures, but also identified gaps where practices could be strengthened. Compliance feedback was provided to relevant firms. The guidance is framed as practical and scalable for firms of all sizes, including small and medium-sized registrants, and updates earlier Canadian Securities Administrators cybersecurity guidance issued in 2017. Registered firms are encouraged to review the notice, identify any weaknesses in their cybersecurity practices and take steps to address them.
Canadian Securities Administrators2026-07-15
Canadian Securities Administrators publish cybersecurity guidance after review of 73 registered firms, identify gaps in controls and incident planning
The Canadian Securities Administrators issued updated cybersecurity guidance after a compliance review of 73 registered firms. The review found that many firms had solid frameworks, especially larger firms, but also highlighted gaps in areas including controls, third-party oversight and incident response. Firms are expected to assess the guidance against their own operations and address weaknesses.