The Canadian Securities Administrators (CSA) has published Staff Notice 33-322, Review of Registered Firms' Cybersecurity Practices and Additional Guidance, following a compliance examination of 73 registered firms' cybersecurity practices.
The examinations covered cybersecurity policies and procedures, employee training, risk assessments and controls, oversight of third-party service providers, and incident response planning. The CSA found that a number of firms, particularly larger ones, had robust cybersecurity frameworks in place, but also identified gaps where firms could strengthen their practices.
Compliance feedback has been provided to the relevant firms to address the findings, and the notice sets out scalable guidance intended to apply to firms of all sizes, recognizing that cybersecurity risks and resources vary across registrants.
Stan Magidson, CSA Chair and Chair and CEO of the Alberta Securities Commission, said the CSA wants to be clear with registrants that strong cybersecurity practices are not optional in today's threat environment.
"Our guidance is intended to help firms establish and maintain cybersecurity practices that are appropriate to their size and operations, and are responsive to an evolving threat landscape," he said.
Magidson added that cybersecurity risks continue to grow on many fronts as firms rely more heavily on digital tools, hybrid work arrangements, and online platforms to serve clients, and that while the examinations found many firms have frameworks in place, they also identified areas where some firms could strengthen their practices.
Staff expect firms to have cybersecurity practices relevant to their business and are encouraging registrants to review the notice and assess whether their own practices can be strengthened.
The CSA's findings land alongside a wider push across Canadian financial regulators to tighten cyber expectations, one that increasingly touches the insurance sector directly.
The Office of the Superintendent of Financial Institutions, which regulates federally regulated insurers alongside banks, has its own Guideline B-13 on technology and cyber risk management, built around 17 principles covering governance, risk identification, and incident response, with non-compliance able to trigger administrative monetary penalties of between $10,000 and $500,000 (Global Relay, April 2026).
In its 2026-2027 Annual Risk Outlook, OSFI said it would continue rolling out intelligence-led cyber resilience testing at large insurers and would scrutinize cyber incident response and preparedness across insurers of every size.
The scrutiny also has a direct product implication for insurers. OSFI's outlook specifically flagged thematic monitoring of cyber insurance underwriting and the emerging coverage of AI within underwriting for select P&C companies, reflecting how closely regulators are watching both the cybersecurity posture of financial firms and the insurance products designed to cover cyber losses across the sector.
For insurers and brokers, the CSA's notice adds a concrete new data point on the standard of practice regulators expect from investment firms, one of the client segments the Canadian cyber insurance market is increasingly focused on.
Canadian cyber liability premiums grew from $18 million in 2015 to roughly $550 million in 2023, though the Insurance Bureau of Canada has said that figure likely understates the market's true size, and the market posted a punishing combined ratio averaging 153% between 2019 and 2023 as ransomware and data breach claims outpaced premium growth. Underwriting discipline has since improved and the market has stabilized, though IBC continues to flag AI-enabled attacks as an escalating threat and notes that only around 22% of Canadian SMEs carry any form of cyber insurance, leaving a significant protection gap.
Continuous monitoring and demonstrated security controls, rather than simply carrying a policy, are increasingly central to how Canadian cyber insurers price risk and grant terms, with organizations able to show strong readiness and incident response planning getting better access and pricing than those that cannot. Against that backdrop, registered firms working through the gaps the CSA has identified may find themselves facing closer questions from cyber insurers at renewal, not just their securities regulator, about the maturity of their cybersecurity programs.
The CSA is the council of securities regulators from Canada's provinces and territories and coordinates and harmonizes regulation for the Canadian capital markets.