CSA Proposes Marketplace Rule Changes Affecting Systems Requirements and Reporting
The Canadian Securities Administrators (CSA) are proposing amendments to National Instrument NI 21-101 – Marketplace Operation (NI 21-101) that would affect the reporting obligations and systems requirements applicable to marketplaces such as alternative trading systems (ATSs) and recognized exchanges. The amendments address cyber incidents, among other matters, and are subject to a 90-day public comment period that ends on July 17, 2019.
Key proposed amendments include the following:
Cyber resilience controls. Under Part 12 of NI 21-101, marketplaces are required to develop and maintain an adequate system of internal control (the Internal Controls) over certain key systems (Part 12 Systems) and adequate information technology general controls (IT General Controls) for the Part 12 Systems, including controls relating to information systems operations, information security, change management, problem management, network support and system software support.
These existing requirements should already cover “cyber resilience”, but the CSA now proposes to single out “cyber resilience” as one of the IT General Controls that a marketplace must develop and maintain for its Part 12 Systems. This proposal reflects the increasing preoccupation of regulators with cyber resilience of marketplaces.
Expanded obligation to report a material “security incident” to regulators. Marketplaces are currently required to notify regulators of certain material failures of their Part 12 Systems, including a material security “breach”. The amendments would broaden this reporting obligation so that any material security “incident” affecting Part 12 Systems would be reportable even where a “breach” has not necessarily occurred.
The CSA describes a “security incident” in broad terms: any event that actually or potentially jeopardizes the confidentiality, integrity or availability of any of the Part 12 Systems, of any system that shares network resources with those systems, or of the information the system processes, stores or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies. Any security incident that requires non-routine measures or resources by the marketplace would be considered material by the CSA and thus reportable. While the CSA has expanded the obligation to report material security incidents to regulators, marketplaces remain responsible for rectifying the issues identified. Marketplaces may also refer to CSA Staff Notice 21-326 – Guidance for Reporting Material Systems Incidents for a recent summary of key regulatory requirements and guidance regarding the reporting of material systems incidents by marketplaces.
Recordkeeping obligations with respect to failures of Part 12 Systems are being expanded so that a marketplace would be required to keep records of any systems failures, malfunctions, delays or security incidents affecting its Part 12 Systems, even if they are not material. When a marketplace determines that an event is not material, the marketplace will be required to document the reasons for its materiality conclusion.
Mandatory annual security vulnerability testing. The CSA is proposing to require a marketplace to engage, at least annually, one or more “qualified parties” to perform assessments and testing that identify security vulnerabilities and measure the effectiveness of information security controls, in order to assess the marketplace’s compliance with the requirement to develop and maintain Internal Controls and IT General Controls for its Part 12 Systems. This new mandatory requirement replaces guidance on vulnerability assessments previously set out in the Companion Policy to NI 21-101.
The annual vulnerability assessment and testing may be conducted by external auditors or third party information system consultants, or by employees of the marketplace or an affiliated entity of the marketplace. The assessment may not be conducted by persons responsible for the development or operation of the systems or capabilities being tested.
Clarifying the Independent Systems Review Requirement. A marketplace is currently required to annually engage a “qualified party” to conduct an independent systems review (ISR) and prepare an audit report to ensure compliance by the marketplace with the requirement to develop and maintain Internal Controls and IT General Controls for its Part 12 Systems.
The CSA is amending NI 21-101 to clarify that the ISR must be conducted by “qualified external auditors”, meaning a person or company, or a group of persons or companies, with relevant experience both in information technology and in the evaluation of related internal systems or controls in a complex information technology environment.
The ISR must be conducted and reported on at least once in each 12-month period by a qualified external auditor in accordance with established audit standards and best industry practices, which the CSA considers to include the “Trust Services Criteria” developed by the American Institute of CPAs and CPA Canada.
Before engaging a qualified external auditor, the CSA expects marketplaces to discuss with the CSA their choice for qualified external auditor and the scope of the systems review mandate.
The CSA expects that the report prepared by the external auditor will include, to the extent applicable, an audit opinion that
- the description included in the report fairly presents the systems and controls that were designed and implemented throughout the reporting period,
- the controls stated in the description were suitably designed, and
- the controls operated effectively throughout the reporting period.
Regulators have historically granted exemptions from the ISR requirement in limited circumstances, for example where a self-assessment conducted by the marketplace was sufficiently robust and the cost of an ISR conducted by a qualified third party could not be justified, whether because of its disproportionate impact on the marketplace’s net income or revenue, because of the small trading volume of the marketplace in question, or because of planned systems changes that would discontinue the use of a system technically subject to an ISR.
Housekeeping changes to be reported less frequently. The current requirement that a marketplace report on a monthly basis non-significant changes to the information in its Form 21-101F1 (in the case of recognized exchanges) or Form 21-101F2 (in the case of ATSs) is being relaxed to permit reporting on a quarterly basis.
Marketplaces must wait longer to implement fee changes. Currently, when a marketplace proposes to make a change to the fee information set out in Form 21-101F1 or Form 21-101F2, it must file an amendment with the CSA at least 7 business days prior to implementing the fee change. Non-fee related significant changes must be filed at least 45 business days prior to implementation. This accelerated review period for fee changes is an acknowledgment by the CSA that in the current competitive marketplace environment, frequent changes to fees or fee models may need to be implemented by marketplaces within tight time frames.
Citing the need for a “more reasonable opportunity” to review fee change filings, the CSA is now proposing to lengthen the regulatory review period for fee changes so that the filing would be due at least 15 business days prior to the implementation of the fee change, up from the current 7 business days.
Interim financial reporting requirement for recognized exchanges added to NI 21-101. The CSA is proposing to amend NI 21-101 to require recognized exchanges to file interim financial statements within 45 days of the end of the interim period. Currently, financial reporting requirements for exchanges are included in the exchanges’ recognition orders.
We invite you to contact us should you have any questions regarding how the CSA amendments might affect your business.