Cyber defences found to be seriously lacking

The Canadian Securities Administrators (CSA) warned that many investment firms in Canada are falling short on basic cybersecurity safeguards after a compliance sweep of 73 registered entities revealed a range of gaps.
Review finds mixed results across the sector
The staff notice released Wednesday outlined the findings of the review, which covered fund managers, portfolio managers and exempt‑market dealers. Large firms generally showed solid defenses, but the report highlighted significant weaknesses in risk assessments, policies, staff training and incident response plans.
Eight percent of the firms examined had no written cybersecurity policies at all, and among those that did, the agency identified deficiencies in 55 percent. Nearly half of the respondents – 45 percent – were flagged for lacking full risk assessments.
Oversight of third‑party providers also emerged as a concern, with 41 percent of firms needing to tighten controls. One‑fifth of the companies surveyed reported that they provide no cybersecurity training to staff, and another 21 percent said their existing training programs require improvement.
Incident response planning was another area of shortfall: fifteen percent of firms had no written plan, while 53 percent needed to strengthen the ones they had in place.
Regulators urge firms to act
“Staff expect firms to have robust cybersecurity practices relevant to the firm’s business,” the notice stated, emphasizing that firms must keep pace with evolving threats and meet their legal obligations. The guidance stresses that strong cybersecurity is not optional in the current threat environment.
Stan Magidson, chair of the CSA and chair and CEO of the Alberta Securities Commission, said the regulator wants registrants to “establish and maintain cybersecurity practices that are appropriate to their size and operations, and are responsive to an evolving threat setting.” He added that the growing reliance on digital tools, hybrid work arrangements and online platforms amplifies risk.
Related: Tennis Bracelets: The Latest Trend in Jewelry
In light of the findings, the agency expects firms to review the new guidance, assess internal controls, identify gaps and take proactive steps to address them. The notice does not prescribe specific technologies but calls for a risk‑based approach that aligns with each firm’s operational profile.
While the report focuses on compliance, the broader context suggests that the sector’s increasing use of cloud‑based services and mobile devices has expanded the attack surface. Remote working trends, accelerated by the pandemic, have introduced new vulnerabilities that many firms have yet to fully mitigate.
From a practical standpoint, firms that have already invested in regular staff training and third‑party vendor assessments tend to be better positioned to respond to incidents quickly. Those that lag may find themselves scrambling when a breach occurs, potentially exposing client data and incurring regulatory penalties.
What firms can do now
Among the immediate actions recommended are updating or creating written cybersecurity policies, conducting thorough risk assessments, and ensuring that incident response plans are documented and tested. Strengthening oversight of vendors, especially those handling sensitive client information, is also highlighted as a priority.
Training programs should be refreshed to cover current threat vectors, including phishing, ransomware and supply‑chain attacks. Firms are encouraged to simulate breach scenarios to gauge readiness and to adjust controls based on lessons learned.
The notice also points to the need for continuous monitoring. As threats evolve, firms must revisit their defenses regularly rather than treating cybersecurity as a one‑time project.
Overall, the regulator’s message is clear: complacency is no longer an option. By aligning practices with the CSA’s guidance, investment firms can better protect client data and maintain confidence in Canada’s financial markets.
