The Canadian Securities Administrators published a staff notice following a focused compliance sweep of 73 registered firms’ cybersecurity practices, setting out observed practices, identified gaps and updated guidance for strengthening firms’ cybersecurity frameworks. The notice makes clear that staff expect firms to maintain robust cybersecurity practices that are appropriate to their business, size and operations, and to use the guidance to assess and strengthen their current arrangements. The review examined cybersecurity policies and procedures, employee training, risk assessments and controls, oversight of third-party service providers and incident response planning. The Canadian Securities Administrators found that many firms, particularly larger firms, had robust policies and procedures, but also identified gaps where practices could be strengthened. Compliance feedback was provided to relevant firms. The guidance is framed as practical and scalable for firms of all sizes, including small and medium-sized registrants, and updates earlier Canadian Securities Administrators cybersecurity guidance issued in 2017. Registered firms are encouraged to review the notice, identify any weaknesses in their cybersecurity practices and take steps to address them.