CyberLex Insights on cybersecurity, privacy and data protection law

Tag Archives: regulatory guidance

SEC issues Guidance on Public Company Cybersecurity Risk Disclosures

Posted in Cybersecurity, Financial, Regulatory Compliance

On Wednesday, February 21, 2018, the United States Securities and Exchange Commission (SEC) published cybersecurity risk disclosure guidance (the SEC Guidance) for public companies to assist them in preparing disclosure related to these types of risk and incidents. The SEC Guidance does not propose new rules or rule amendments that would impose new requirements, but… → Read More

IIROC Provides Additional Guidance on Proactive Management of Cyber-related Risks

Posted in Cybersecurity, Financial, Regulatory Compliance

On January 18, 2018, the Investment Industry Regulatory Organization of Canada (IIROC) released its Compliance Priorities Report for 2017/2018, identifying cybersecurity as a “high priority” issue that IIROC dealer members should address to improve investor protection and foster market integrity. The report also provides specific guidance on initiatives that dealers may undertake in 2018-19 to… → Read More

UK Financial Conduct Authority Proposes Global Fintech Regulatory Sandbox

Posted in FinTech, Regulatory Compliance

On February 14, 2018, the United Kingdom Financial Conduct Authority (FCA) published a proposal for a global regulatory sandbox.  The goal of a regulatory sandbox is to encourage innovation by allowing carefully-selected firms to test their concepts on a controlled subset of consumers without triggering full regulatory requirements at the outset.  This can be particularly… → Read More

Canadian Securities Administrators Issues Staff Notice providing Cybersecurity and Social Media Guidance

Posted in Cybersecurity

On October 19, 2017, the Canadian Securities Administrators (“CSA”), representing provincial and territorial securities regulators, issued CSA Staff Notice 33-321 – Cyber Security and Social Media (the “Notice”). The Notice serves to publish the results of the CSA’s survey of cybersecurity and social media practices of registered firms dealing in securities, including those registered as… → Read More

IIROC Issues Cybersecurity Report Cards to Dealer Firms

Posted in Cybersecurity, Regulatory Compliance

IIROC is providing all dealer member firms it regulates (Firms) with a confidential cybersecurity “report card” that will include: an individual assessment of the Firm’s cybersecurity preparedness program; a comparison of the Firm’s cybersecurity practices against the industry and other Firms of similar size and business model; a list of cybersecurity areas to which the… → Read More

CSA Issues New Guidance on Cybersecurity

Posted in Cybersecurity, Regulatory Compliance

Cybersecurity is top of mind for corporate boards and securities regulators alike. On September 27, 2016, the Canadian Securities Administrators (“CSA”) issued CSA Staff Notice 11-332 – Cyber Security (the “2016 Notice”). The 2016 Notice updates the CSA’s previous notice on the same topic, CSA Staff Notice 11-326 Cyber Security (the “2013 Notice”) for reporting… → Read More

NY State Introduces Cybersecurity Regulations for Financial Services: Implications for Canadian Business

Posted in Cybersecurity, Financial, FinTech, Legislation, Regulatory Compliance

The New York State Department of Financial Services announced its first state-level regulation for cybersecurity. The proposed regulation would apply to regulated banks, insurance companies, and other financial services institutions and has implications for Canadian organizations doing business with these entities. On September 13, 2016, the New York State Department of Financial Services (“DFS”) announced a… → Read More

Canada’s First Regulatory Sandbox for Fintech? OSC Announces Plans for “OSC LaunchPad” Innovation Hub

Posted in Financial, FinTech, Regulatory Compliance

OSC chair Maureen Jensen has announced that the OSC plans to launch an innovation hub for fintech entities. “OSC Launchpad” will be the first fintech hub for a Canadian securities regulator. Securities regulation in Canada impacts a number of fintech business models (including companies offering online advising, peer-to-peer lending, crowdfunding platforms and angel investor organizations)…. → Read More

Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations

Posted in Data Breach, Legislation, Privacy, Regulatory Compliance

The Office of the Privacy Commissioner of Canada (“OPC”) has provided its views on the data breach reporting and notification requirements that are soon to be prescribed by regulation under the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”). On June 18, 2015, the Digital Privacy Act (also known as Bill S-4)… → Read More

Mutual Fund Dealers Association of Canada releases Cyber Risk Management Guidance

Posted in Cybersecurity, Financial, Regulatory Compliance

Earlier last month, the Mutual Fund Dealers Association of Canada (MFDA) released a bulletin providing guidance on cybersecurity and cyber risk management for mutual fund distributors. The goal of the bulletin is to increase awareness of cyber vulnerabilities and to provide guidance for developing and implementing internal cybersecurity policies. The bulletin emphasizes the importance of… → Read More

IOSCO releases “Cyber Security in Securities Market” Report

Posted in Cybersecurity, Regulatory Compliance

The Board of the International Organization of Securities Commissions (IOSCO) released last month the report on its cyber risk coordination efforts.  The goal of the report is to provide an overview of the regulatory issues and challenges faced by various segments of the securities markets, in particular reporting issuers, market intermediaries and asset managers, and… → Read More

New PIPEDA Data Breach Regulations Proposed

Posted in Data Breach, Privacy

On March 9, 2016, the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed. The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations. Background: The Digital Privacy Act (also known as Bill S-4), which… → Read More

Multi-use Personal ID Cards: Does Convenience Trump Privacy?

Posted in Big Data, Legislation, Privacy

On January 11, 2016, Manitoba announced its approval of an all-in-one personal identification card (PIC). The PIC will offer Manitobans a combined driver’s licence, photo ID, Personal Health Identification Number (PHIN) and travel document as early as fall 2017.[1] While the consolidation of identification into one location is a blessing for consumers, it raises privacy concerns… → Read More

The New York Department of Financial Services Proposes Cybersecurity Regulations

Posted in Cybersecurity, Financial

The New York Department of Financial Services (“DFS”) had announced in March of 2015 that as part of its plan to address a possible Cyber 9/11, it would revamp examinations of banks and insurance companies to incorporate new, targeted assessments of cybersecurity preparedness, and would consider steps to address the cybersecurity of third-party vendors…. → Read More

The Internet of Things: Guidance, Regulation and the Canadian Approach

Posted in Cybersecurity, Internet of Things, Privacy

The Internet of Things (IoT) has been identified as a disruptive technology, bringing with it both the promise of seamless interconnectivity of devices and, the flip side of that interconnectivity, single-point vulnerability of multiple systems. While businesses rush to embrace the technology, the regulators have begun considering the issues raised by it. What is the Internet… → Read More

Life After Schrems: Think Locally, Act Globally?

Posted in European Union, Privacy

Two weeks after the historic decision of the Court of Justice of the European Union (CJEU) in the Schrems case, striking down the European Commission (EC) decision 2000/520/EC (known as the “Safe Harbour” decision), many people are still left scratching their heads, wondering what it all means.  Global businesses face particular difficulties, but so do… → Read More

SEC Issues Top Cybersecurity Priorities for Broker-Dealers and Investment Advisers

Posted in Standards

On September 15, 2015, the Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert to announce the priorities for its second round of cybersecurity examinations. The examinations are part of the Cybersecurity Initiative announced by the OCIE in its April 15, 2014 risk alert. This second round of examinations is focused on… → Read More

Businesses Geo-Fence Properties Against Drones

Posted in UAVs

Fans who can’t get their hands on Blue Jays playoff tickets can forget trying to capture the game from a bird’s eye view with their drone. Following a series of international reports of drones crashing into the stands at sporting events, social media recently lit up with reports that Toronto’s Rogers Centre (Skydome) had implemented… → Read More

Domain Name Disputes: What You Need to Know – Part 2

Posted in Legislation

Part 1 of this post provided an overview of the Canadian Internet Registration Authority’s domain name dispute resolution process. Part 2 outlines a similar process available through the World Intellectual Property Organization’s (“WIPO”) Arbitration and Mediation Center. What is WIPO? WIPO is a United Nations agency that provides a global forum for intellectual property services,… → Read More

Domain Name Disputes: What You Need to Know – Part 1

Posted in Legislation

Individuals or businesses may find themselves in a dispute over a domain name, whether as a complainant or the registered owner of the domain name. Depending on the parties involved and where the domain name is registered, two potential avenues for domain name dispute resolution are through: (1) the Canadian Internet Registration Authority (“CIRA”), and… → Read More

U.S. Federal Financial Institutions Examination Council (FFIEC) Releases Cybersecurity Assessment Tool

Posted in Cybersecurity, Financial, Regulatory Compliance

On June 30, 2015, the FFIEC released its cybersecurity assessment tool, designed to assist U.S. financial institutions and regulatory examiners in identifying inherent cybersecurity risks and determining the preparedness level of financial institutions. The cybersecurity assessment tool and other resources can be found at Background The FFIEC, which is composed of the Board of Governors of… → Read More

“Not Necessarily Regulation, but Regulation as Necessary”: Canadian Senate Committee Weighs in on Regulation of Digital Currency

Posted in Regulatory Compliance, Virtual Currency

In March of 2014, the Minister of Finance tasked the Standing Senate Committee on Banking, Trade and Commerce to examine the use of digital currencies. The Committee pursued an extensive fact-finding mission in Canada and in the United States, speaking with, amongst others, representatives from regulatory bodies, financial institutions, digital currency interest groups, law enforcement,… → Read More

Droning On: Canada’s New Drone Regulations

Posted in Privacy, UAVs

Transport Canada has unveiled a new set of proposed drone regulations, which would apply to small(ish) drones – those weighing 25 kg or less – that are flown within sight of the operator. Large drones continue to be governed by the Special Flight Operations Certificate (“SFOC”) regime described in a previous post. Once these new regulations… → Read More

NAIC Issues Cybersecurity Guidance for U.S. Insurance Industry

Posted in Cybersecurity

On April 16, 2015, the Cybersecurity Task Force of the U.S. National Association of Insurance Commissioners (“NAIC”)[1] adopted 12 “Principles for Effective Cybersecurity Insurance Regulatory Guidance” (the “Principles”). The Principles are aimed at both insurers and the bodies that regulate the industry. Background: The NAIC’s Cybersecurity Task Force was formed in November 2014, and is… → Read More