CSA Staff Notice 21-326: Guidance for Reporting Material Systems Incidents

1 CSA Staff Notice 21-326 Guidance for Reporting Material Systems Incidents June 10, 2021 Introduction Staff of the Canadian Securities Administrators (CSA Staff or we) have been examining the requirements in Regulation 21-101 respecting Marketplace Operation (Regulation 21-101)1 and in Regulation 23-101 respecting Trading Rules(Regulation 23-101) (together, Marketplace Rules) in respect of the reporting of material systems incidents2 by recognized exchanges (Exchanges) and alternative trading systems (ATSs) (together, Marketplaces) carrying on business in the jurisdictions of the Canadian Securities Administrators (CSA). We have also been reviewing the practices set out around those requirements in various recognition orders, rules and other sources of regulatory guidance. The purpose of our review was to update and, where appropriate, to align the regulatory requirements and processes for a marketplace’s initial notification, follow-up notification(s), notification of resumption of service and post-mortem report of a material systems incident to the CSA and to the public. This Notice contains the following annex: • Annex A – Marketplace Regulatory Incident Reporting Guidelines (including Schedule A – Reportable Incident Information) Substance and Purpose This Notice summarizes the key regulatory requirements with respect to the reporting of a material systems incident by marketplaces. Annex A – Marketplace Regulatory Incident Reporting Guidelines (Guidelines) sets out CSA Staff’s expectations with respect to incident reporting. The Notice also describes CSA Staff’s process for reviewing a marketplace’s notification of a material systems incident as well as our role in addressing a material systems incident. 1 This Notice was first published on March 15, 2019. CSA Staff has revised the Notice to reflect amendments made to certain requirements in Part 12 of Regulation 21-101 referred to in the Notice, which took effect on September 14, 2020, along with other non-material changes. CSA Staff has not made any substantive changes to the incident reporting guidelines in Annex A to the Notice since its original publication. 2 In this Notice, “material systems incident” refers to any systems failure, malfunction, delay or security incident that is material affecting a system, operated by or on behalf of the marketplace, that supports order entry, order routing, execution, trade reporting, trade comparison, data feeds, market surveillance and trade clearing, as required under section 12.1 of Regulation 21-101.

2 Current Requirements and Expectations Reporting of Material Systems Incidents Paragraph 12.1(c) of Regulation 21-101 requires, in part, a marketplace to promptly notify the regulator or, in Québec, the securities regulatory authority and, if applicable, its regulation services provider (RSP) of any systems failure, malfunction, delay or security incident that is material. With respect to what constitutes “material”, subsection 14.1(2.1) of Policy Statement to Regulation 21-101 respecting Marketplace Operation (Policy Statement 21-101) states that the CSA considers a failure, malfunction, delay or security incident to be “material” if the marketplace would, in the normal course of operations, escalate the matter to or inform its senior management ultimately accountable for technology. For the purpose of paragraph 12.1(c) of Regulation 21-101, the determination of the materiality of a systems failure, malfunction or delay is made by the marketplace. With respect to “promptly notify the regulator or, in Québec, the securities regulatory authority” under paragraph 12.1(c) of Regulation 21-101, our expectation is that a marketplace will notify the CSA of a material systems incident, orally or in writing, upon escalating the matter to its senior management.3 Further, under subsection 6.3(1) of Regulation 23-101, if a marketplace experiences a failure, malfunction or material delay of its systems, equipment or its ability to disseminate marketplace data, the marketplace must immediately notify: (a) all other marketplaces; (b) all regulation services providers; (c) its marketplace participants; and (d) any information processor or, if there is no information processor, any information vendor that disseminates its data under Part 7 of Regulation 21-101. Although a marketplace may broadcast general public announcements pursuant to subsection 6.3(1) of Regulation 23-101, generic public notification does not qualify as notification to the regulator or, in Québec, the securities regulatory authority under paragraph 12.1(c) of Regulation 21-101, even if CSA Staff subscribe to, and receive, a marketplace’s public announcements. To comply with the notification requirement under paragraph 12.1(c) of Regulation 21-101, designated personnel of the marketplace must contact CSA Staff directly, orally or in writing, upon escalating the matter to its senior management. In addition to initial notification, paragraph 12.1(c) of Regulation 21-101 also requires that for specified systems, a marketplace must “provide timely updates on the status of the failure, malfunction, delay or security incident, the resumption of service and the results of the marketplace’s internal review of the failure, malfunction, delay or security incident.” 3 Additional CSA guidance on the prompt notification requirement may be found at subsection 14.1(2.3) of Policy Statement 21-101.

3 As a result of the initiative to align requirements for all marketplaces, section 13 of the Guidelines clarifies CSA Staff’s expectations with respect to the information that should be included in a marketplace’s initial notification, follow-up notification(s), notification of resumption of service and post mortem report of a material systems incident. Overview of CSA Staff’s Role Notification of material systems incidents provides CSA Staff with information about any material event related to a marketplace’s production systems or networks. Steps taken in addressing a material systems incident include identifying CSA Staff that will be involved in responding, communicating with the CSA and, where appropriate, other regulators and developing recommendations for determining an appropriate course of action.4 The objective of the filing and review of a marketplace’s notification of a material systems incident is to foster fair and efficient capital markets and confidence in those markets. Consequently, we expect an appropriate degree of transparency and timely notification of a material systems incident to the CSA, RSPs and the public. Timely notification is important so that the CSA, investors and market participants may be better informed as to how a material systems incident impacts the operations of an affected marketplace and the market as a whole, and thus take appropriate steps in the event of loss of service. To facilitate the reporting of material systems incident by marketplaces, CSA Staff has developed the Guidelines at Annex A. The Guidelines are intended to summarize a marketplace’s reporting obligations under the appropriate regulatory requirements and to provide transparency in respect of CSA Staff’s expectations for the timing, method of delivery and content of a marketplace’s notification of a material systems incident. Questions Please refer your questions to any of the following: Serge Boisvert Senior Policy Advisor Oversight of Trading Activities Autorité des marchés financiers serge.boisvert@lautorite.qc.ca Herman Tan Senior Analyst IT, Market Structures Autorité des marchés financiers herman.tan@lautorite.qc.ca Christopher Byers Senior Legal Counsel, Market Regulation Ontario Securities Commission cbyers@osc.gov.on.ca Alina Bazavan Senior Analyst, Market Regulation Ontario Securities Commission abazavan@osc.gov.on.ca 4 Please refer to CSA Staff Notice 11-338 CSA Market Disruption Coordination Plan at https://lautorite.qc.ca/fileadmin/lautorite/reglementation/valeurs-mobilieres/0-avis-acvm￾staff/2018/2018oct18-11-338-avis-acvm-en.pdf.

4 Lenworth Haye Senior Oversight Analyst British Columbia Securities Commission lhaye@bcsc.bc.ca Jesse Ahlan Regulatory Analyst, Market Structure Alberta Securities Commission jesse.ahlan@asc.ca

5 ANNEX A Marketplace Regulatory Incident Reporting Guidelines Application

1. The Marketplace Regulatory Incident Reporting Guidelines (Guidelines) apply to recognized exchanges (Exchanges) and alternative trading systems (ATSs) (together, Marketplaces) carrying on business in the jurisdictions of the Canadian Securities Administrators (CSA) and are intended to facilitate incident reporting by Marketplaces to the CSA. Requirements
2. Incident reporting is part of a Marketplace’s obligations under Regulation 21-101 respecting Marketplace Operation (Regulation 21-101). Each Marketplace is required to notify the appropriate securities regulatory authority when it experiences a material systems incident. Additionally, each Marketplace is required to inform the Investment Industry Regulatory Organization of Canada (IIROC) when it experiences a material systems incident.
3. The CSA requires information concerning material systems incidents involving a Marketplace in order to address the incident (as appropriate), to respond to inquiries from capital market participants, and to identify trends, all of which help the CSA manage systemic risk in the Canadian capital markets, and to otherwise assist in discharging its regulatory obligations.
4. The Guidelines are intended to summarize a Marketplace’s reporting obligations under the regulatory requirements and to provide guidance to Marketplaces in respect of CSA Staff’s expectations of how Marketplaces should comply with those requirements. The Guidelines are not intended to modify, amend, conflict with or override the regulatory requirements in any way or to create any new or different obligations on the part of a Marketplace. Reportable Incidents
5. A Marketplace is required to report information about material events related to its production systems or networks. Specifically, paragraph 12.1(c) of Regulation 21-101 requires: “…for each system, operated by or on behalf of the marketplace, that supports order entry, order routing, execution, trade reporting, trade comparison, data feeds, market surveillance and trade clearing, a marketplace must promptly notify the regulator or, in Québec, the securities regulatory authority and, if applicable, its regulation services provider, of any systems failure, malfunction, delay or security incident that is material…”
6. With respect to security incidents, subsection 14.1(2.2) of Policy Statement to Regulation 21-101 respecting Marketplace Operation (Policy Statement 21-101) states that: “…a security incident is considered to be any event that actually or potentially jeopardizes the confidentiality, integrity or availability of any of the systems that support the functions listed in

6 section 12.1 or any system that shares network resources with one or more of these systems or the information the system processes, stores or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies. Any security incident that requires non-routine measures or resources by the marketplace would be considered material and thus reportable to the regulator or, in Québec, the securities regulatory authority.The onus would be on the marketplace to document the reasons for any security incident it did not consider material.” 7. With respect to what constitutes “material”, subsection 14.1(2.1) of Policy Statement 21-101 states that: “A failure, malfunction, delay or security incident is considered “material” if the marketplace would, in the normal course of operations, escalate the matter to or inform senior management ultimately accountable for technology.” 8. For the purpose of paragraph 12.1(c) of Regulation 21-101, the determination of the materiality of a systems failure, malfunction, delay or security incident is made by the Marketplace. 9. For purposes of these Guidelines, reportable incidents do not include a Marketplace’s regulatory reporting requirements that arise in the normal course of business or operations, such as periodic reporting or filing obligations, prior notice or prior approval requirements, or notifications of changes or applications for regulatory approval or decision, or a Marketplace’s reporting obligations to participants or other stakeholders. 10. If Marketplace staff are uncertain of whether to report an incident, they should contact CSA Staff to discuss. If Marketplace staff report an event that does not require follow-up, CSA Staff will advise that no further reporting is necessary for the incident. Reportable Incidents: Reporting Content and Lifecycle 11. Reportable incidents pursuant to paragraph 12.1(c) of Regulation 21-101 require “prompt” notification to the regulator or, in Québec, the securities regulatory authority and, if applicable, the marketplace’s RSP. Our expectation is that a Marketplace will provide initial notification to the regulator and, if applicable, the marketplace’s RSP of a material systems incident, orally or in writing, immediately upon escalating the matter to its senior management. Although a Marketplace may broadcast general public announcements pursuant to subsection 6.3(1) of Regulation23-101 respecting Trading Rules (Regulation 23-101), generic public notification does not qualify as notification to the regulator or, in Québec, the securities regulatory authority under paragraph 12.1(c) of Regulation 21-101, even if CSA Staff subscribe to, and receive, a Marketplace’s public announcements.

7 12. Notification should consist of an initial notification, one or more follow-up notification(s) to provide updates on the status of the failure, if appropriate, notification of the resumption of service and a post-mortem report. a. Initial Notification The initial notification should be provided orally or in writing and consist of: i. a brief description of the nature of the incident; ii. the date and time when the incident was identified; iii. system(s) impacted by the incident; iv. the manner in which it was identified; v. any initial mitigation actions and/or planned next steps; vi. brief description of how information is being communicated to Marketplace participants and other stakeholders; vii. if known, the anticipated duration of the incident and the potential impact to the Marketplace, its participants and/or the capital markets; and viii. any other information specified in Schedule A that is applicable and available at the time of the initial notification. b. Follow-up Notification(s) i. A Marketplace should provide timely updates respect to changes in:

1. the system(s) impacted by the incident;
2. the impact to the Marketplace, its participants and/or the capital markets, and;
3. the anticipated duration of the incident. ii. If a Marketplace determines that, having followed its internal processes, it will not resume service for an extended period of time or, in any event, will not resume service by the end of the day on which the incident first occurred, the marketplace should notify the regulator or, in Québec, the securities regulatory authority and, if applicable, its regulation services provider prior to notifying marketplace participants of that determination. iii. A Marketplace should provide the regulator or, in Québec, the securities regulatory authority with a detailed incident report by email as soon as practicable. We expect a Marketplace to provide a detailed incident report no later than 5 business days following the discovery of the incident. The report should include all the information described in Schedule A that is applicable and known to the Marketplace at that time and not already provided to the regulator or, in Québec, the securities regulatory authority in the initial notification. iv. If the underlying cause of the incident has not been identified and adequately remediated by the time the follow-up notification is provided, we expect the

8 Marketplace to provide daily updates on progress until the incident has been fully resolved. c. Notification of Resumption of Service Immediate notification of resumption of service should be provided orally or in writing to the regulator or, in Québec, the securities regulatory authority and, if applicable, the marketplace’s RSP, on resumption of normal service and should consist of: i. the date and time of resumption of service; ii. changes in services available; and iii. a brief description of outstanding issues. d. Post Mortem Report A Marketplace should provide a detailed post mortem report. We expect a Marketplace to provide a detailed post mortem report no later than 15 business days after the incident has been fully resolved. This report should include any applicable information described in Schedule A that has not already been reported to regulators or any revision to such information. Confidential Information 13. A Marketplace should communicate confidential matters to the CSA in accordance with a key staff contact list, which the Marketplace should maintain and update on a regular basis.

9 Schedule A Reportable Incident Information This Schedule A to the Guidelines provides additional information points that marketplaces should consider including in the various notifications and reports referred to in section 12 of the Guidelines, as applicable. In particular, marketplaces should consider including the following information, as applicable, in the initial notification under paragraph 12.a., the detailed incident report under subparagraph 12.b.ii., and the post-mortem report under paragraph 12.d.

1. When did the incident occur? Specify the relevant date(s) and the time interval over which the incident occurred.
2. Provide details of the incident.
3. What is the root cause of the incident, e.g. human error, process error, system (hardware, software) issue, external issue?
4. What is the impact of the incident on the Marketplace, its participants and other stakeholders? Provide information on: i. the nature of the disruption; ii. the duration of the delay or outage; iii. other core systems impacted; iv. actual or potential risk exposure; v. the financial impact; and vi. criteria used to determine whether the incident impacts the ability of the Marketplace to provide a “fair and orderly market”.
5. Information about any clearing issues or disruption of domestic or cross-border trade, if applicable.
6. When was the incident identified?
7. How was the incident identified?
8. Has the incident been rectified? If yes, explain how and when the incident was rectified. If no, detail the actions that are planned to rectify the incident, including the associated controls. Include detail on the expected timeframe to complete these actions. If not applicable, explain why.
9. Detail any further changes to the Marketplace’s systems, procedures or controls that have been made or are planned as a result of the identification of the incident.
10. Provide any additional information pertaining to this matter.
11. Where it becomes reasonably likely that a reportable incident will materialize, the report should include details of the potential incident, its probability of occurring, an estimate as to when the incident may occur, its estimated potential impact, and any mitigation or preventative actions taken or planned.