Regulation to amend Regulation 21-101 respecting Marketplace Operation

REGULATION TO AMEND REGULATION 21-101 RESPECTING MARKETPLACE OPERATION Securities Act (chapter V-1.1, s. 274, s. 331.1, par. (1), (2), (3), (8), (19), (32.0.1) and (34))

1. Section 3.2 of Regulation 21-101 respecting Marketplace Operation (chapter V-1.1, r. 5) is amended: (1) by replacing, in paragraph (2), “7 business days” with “15 business days”; (2) by replacing, in subparagraph (a) of paragraph (3), the word “month” with the words “calendar quarter”; (3) by adding, after paragraph (5), the following: “(6) For the purposes of subsection (5), if information in a marketplace’s Form 21-101F1 or Form 21-101F2, as applicable, has not changed since the marketplace filed its most recent Form 21-101F1 or Form 21-101F2 under subsection (5), the marketplace may incorporate that information by reference into its updated and consolidated Form 21-101F1 or Form 21-101F2.”.
2. Section 4.2 of the Regulation is amended by deleting, in paragraph (1), the words “the requirements outlined in”.
3. The Regulation is amended by adding, after section 4.2, the following: “4.3. Filing of Interim Financial Reports A recognized exchange and a recognized quotation and trade reporting system must file interim financial reports for each interim period, within 60 days after the end of the interim period, prepared in accordance with paragraphs 4.1(1)(a) and (b).”.
4. Section 12.1 of the Regulation is amended: (1) in paragraph (a): (a) by replacing subparagraph (i) with the following: “(i) adequate internal controls over those systems, and”; (b) by inserting, in subparagraph (ii) and after “information security,”, “cyber resilience,”; (2) by replacing subparagraph (ii) of paragraph (b) with the following: “(ii) conduct capacity stress tests to determine the processing capability of those systems to perform in an accurate, timely and efficient manner,”; (3) by replacing paragraph (c) with the following: “(c) promptly notify the regulator or, in Québec, the securities regulatory authority and, if applicable, its regulation services provider, of any systems failure, malfunction, delay or security incident that is material and provide timely updates on the status of the failure, malfunction, delay or security incident, the resumption of service and the results of the marketplace’s internal review of the failure, malfunction, delay or security incident, and “(d) keep a record of any systems failure, malfunction, delay or security incident and identify whether or not it is material.”.

2 5. Section 12.1.1 of the Regulation is amended: (1) by replacing, in paragraph (a), the words “an adequate system of information security controls” with the words “adequate information security controls”; (2) by replacing paragraph (b) with the following: “(b) promptly notify the regulator, or in Québec, the securities regulatory authority and, if applicable, its regulation services provider, of any security incident that is material and provide timely updates on the status of the incident, the resumption of service, where applicable, and the results of the marketplace’s internal review of the security incident, and “(c) keep a record of any security incident and identify whether or not it is material.”. 6. The Regulation is amended by adding, after section 12.1.1, the following: “12.1.2. Vulnerability Assessments On a reasonably frequent basis and, in any event, at least annually, a marketplace must engage one or more qualified parties to perform appropriate assessments and testing to identify security vulnerabilities and measure the effectiveness of information security controls that assess the marketplace’s compliance with paragraphs 12.1(a) and 12.1.1(a).”. 7. Section 12.2 of the Regulation is amended: (1) by replacing paragraph (1) with the following: “(1) On a reasonably frequent basis and, in any event, at least annually, a marketplace must engage one or more qualified external auditors to conduct an independent systems review and prepare a report in accordance with established audit standards and best industry practices that assesses the marketplace’s compliance with (a) paragraph 12.1(a), (b) section 12.1.1, and (c) section 12.4.”; (2) by replacing subparagraph (b) of paragraph (2) with the following: “(b) the regulator or, in Québec, the securities regulatory authority, by the earlier of (i) the 30th day after providing the report to its board of directors or the audit committee, and (ii) the 60th day after the report’s completion.”. 8. Section 12.3 of the Regulation is amended: (1) by replacing, in subparagraph (a) of paragraphs (1) and (2), the word “and” with the word “or”; (2) by replacing, in subparagraph (a) of paragraph (3.1), “(2)(a)” with “(2)(b)”. 9. Section 12.4 of the Regulation is amended by replacing, in paragraph (3), the word “marketplace” with the words “recognized exchange or quotation and trade reporting system”.

3 10. Section 14.5 of the Regulation is replaced with following: “14.5. System Requirements An information processor must (a) develop and maintain (i) adequate internal controls over its critical systems, and (ii) adequate information technology general controls, including, without limitation, controls relating to information systems operations, information security, cyber resilience, change management, problem management, network support, and system software support, (b) in accordance with prudent business practice, on a reasonably frequent basis and, in any event, at least annually, (i) make reasonable current and future capacity estimates for each of its systems, and (ii) conduct capacity stress tests of its critical systems to determine the processing capability of those systems to perform in an accurate, timely and efficient manner, (iii) (paragraph repealed), (c) on a reasonably frequent basis and, in any event, at least annually engage one or more qualified external auditors to conduct an independent systems review and prepare a report in accordance with established audit standards and best industry practices that assesses the information processor’s compliance with paragraph (a) and section 14.6, (d) provide the report resulting from the review conducted under paragraph (c) to (i) its board of directors or the audit committee promptly upon the report’s completion, and (ii) the regulator or, in Québec, the securities regulatory authority, by the earlier of the 30th day after providing the report to its board of directors or the audit committee and the 60th day after the report’s completion, (e) promptly notify the following of any systems failure, malfunction, delay or security incident that is material and provide timely updates on the status of the failure, malfunction, delay or security incident, the resumption of service, and the results of the information processor’s internal review of the failure, malfunction, delay or security incident: (i) the regulator or, in Québec, the securities regulatory authority; (ii) any regulation services provider, recognized exchange or recognized quotation and trade reporting system monitoring trading of the securities about which information is provided to the information processor, and (f) keep a record of any systems failure, malfunction, delay or security incident and identify whether or not it is material.”.

4 11. The Regulation is amended by inserting, after section 14.5, the following: “14.5.1. Vulnerability Assessments On a reasonably frequent basis and, in any event, at least annually, an information processor must engage one or more qualified parties to perform appropriate assessments and testing to identify security vulnerabilities and measure the effectiveness of information security controls that assess the information processor’s compliance with paragraph 14.5(a).”. 12. Form 21-101F1 of the Regulation is amended: (1) by replacing the paragraphs under “EXHIBITS” with the following: “File all Exhibits with the Filing. For each Exhibit, include the name of the exchange or quotation and trade reporting system, the date of filing of the Exhibit and the date as of which the information is accurate (if different from the date of the filing). If any Exhibit required is inapplicable, a statement to that effect must be included instead of the Exhibit. Except as provided below, if the filer, recognized exchange or recognized quotation and trade reporting system files an amendment to the information provided in its Filing and the information relates to an Exhibit filed with the Filing or a subsequent amendment, the filer, recognized exchange or recognized quotation and trade reporting system, must, in order to comply with subsection 3.2(1), (2) or (3) of Regulation 21-101 respecting Marketplace Operation (chapter V-1.1, r. 5), provide a description of the change and the actual or expected date of the implementation of the change, and file a complete and updated Exhibit. The filer must provide a blacklined version showing changes from the previous filing. If the filer, recognized exchange or recognized quotation and trade reporting system has otherwise filed the information required by the previous paragraph pursuant to section 5.5 of Regulation 21-101 respecting Marketplace Operation, it is not required to file the information again as an amendment to an Exhibit. However, if supplementary material relating to a filed rule is contained in an Exhibit, an amendment to the Exhibit must also be filed.”; (2) by replacing Exhibit B with the following: “Exhibit B – Ownership In the case of an exchange or quotation and trade reporting system that is a corporation, other than an exchange or quotation and trade reporting system that is a reporting issuer, provide a list of the beneficial holders of 10% or more of any class of securities of the exchange or quotation and trade reporting system. For each listed security holder, provide the following:

1. Name.
2. Principal business or occupation and title, if any.
3. Ownership interest, including the total number of securities held, the percentage of the exchange or quotation and trade reporting system’s issued and outstanding securities held, and the class or type of security held.
4. Whether the security holder has control (as interpreted in subsection 1.3(2) of Regulation 21-101 respecting Marketplace Operation). In the case of an exchange or quotation and trade reporting system that is a partnership, sole proprietorship or other type of organization, provide a list of the registered or beneficial holders of the partnership interests or other ownership interests in the exchange or quotation and trade reporting system. For each person listed, provide the following:

5

1. Name.
2. Principal business or occupation and title, if any.
3. Nature of the ownership interest, including a description of the type of partnership interest or other ownership interest.
4. Whether the person has control (as interpreted in subsection 1.3(2) of Regulation 21-101 respecting Marketplace Operation).”; (3) by deleting paragraphs 4 and 5 of item 1 of Exhibit C; (4) by deleting paragraphs 2, 5 and 6 of item 2 of Exhibit D; (5) in Exhibit E: (a) by deleting, in paragraph 2, “, including a description of any co￾location arrangements”; (b) by deleting paragraphs 7 and 8; (6) by replacing, wherever they appear in the French text of Exhibit F, the words “présent règlement” with the words “Règlement 21-101 sur le fonctionnement du marché”; (7) in Exhibit G: (a) under the title “General”: (i) by replacing, in paragraph 1, the words “high level” with the words “high-level”; (ii) by replacing, in paragraph 2, the word “Regulation” with the words “Regulation 21-101 respecting Marketplace Operation”; (b) by replacing, in paragraph 3, under the title “Systems”, the word “Regulation” with the words “Regulation 21-101 respecting Marketplace Operation”; (c) by replacing, in paragraph 2, under the title “IT Risk Assessment”, the word “are” with the word “is”.
5. Form 21-101F2 of the Regulation is amended: (1) by replacing the paragraphs under “EXHIBITS” with the following: “File all Exhibits with the Initial Operation Report. For each Exhibit, include the name of the ATS, the date of filing of the Exhibit and the date as of which the information is accurate (if different from the date of the filing). If any Exhibit required is inapplicable, a statement to that effect must be included instead of the Exhibit.

6 If the ATS files an amendment to the information provided in its Initial Operation Report and the information relates to an Exhibit filed with the Initial Operation Report or a subsequent amendment, the ATS must, in order to comply with subsection 3.2(1), (2) or (3) of Regulation 21-101 respecting Marketplace Operation (chapter V-1.1, r. 5), provide a description of the change and the actual or expected date of the implementation of the change, and file a complete and updated Exhibit. The ATS must provide a blacklined version showing changes from the previous filing.”; (2) by replacing Exhibit B with the following: “Exhibit B – Ownership In the case of an ATS that is a corporation, other than an ATS that is a reporting issuer, provide a list of the beneficial holders of 10% or more of any class of securities of the ATS. For each listed security holder, provide the following:

1. Name.
2. Principal business or occupation and title, if any.
3. Ownership interest, including the total number of securities held, the percentage of the ATS’s issued and outstanding securities held, and the class or type of security held.
4. Whether the security holder has control (as interpreted in subsection 1.3(2) of Regulation 21-101 respecting Marketplace Operation). In the case of an ATS that is a partnership, sole proprietorship or other type of organization, provide a list of the registered or beneficial holders of the partnership interests or other ownership interests in the ATS. For each person listed, provide the following:
5. Name.
6. Principal business or occupation and title, if any.
7. Nature of the ownership interest, including a description of the type of partnership interest or other ownership interest.
8. Whether the person has control (as interpreted in subsection 1.3(2) of Regulation 21-101 respecting Marketplace Operation).”; (2) by deleting paragraphs 4 and 5 of item 1 of Exhibit C; (3) by deleting paragraphs 2 and 5 of item 2 of Exhibit D; (4) in Exhibit E: (a) by deleting, in paragraph 2, “, including a description of any co￾location arrangements”; (b) by deleting paragraphs 7 and 8; (5) by replacing, wherever they appear in the French text of Exhibit F, the words “présent règlement” with the words “Règlement 21-101 sur le fonctionnement du marché”; (6) in Exhibit G: (a) under the title “General”:

7 (i) by replacing, in paragraph 1, the words “high level” with the words “high-level”; (ii) by replacing, in paragraph 2, the word “Regulation” with the words “Regulation 21-101 respecting Marketplace Operation”; (b) by replacing, in paragraph 3, under the title “Systems”, the word “Regulation” with the words “Regulation 21-101 respecting Marketplace Operation”; (c) by replacing, in paragraph 2, under the title “IT Risk Assessment”, the word “are” with the word “is”. 14. Form 21-101F3 of the Regulation is amended: (1) in Part A: (a) by deleting paragraphs B and C of item 3; (b) by deleting items 4 to 7; (2) in Part B: (a) by deleting, in section 1, paragraphs 1 to 6 and charts 1 to 6; (b) by deleting, in section 2, paragraph 3 and chart 9. 15. Form 21-101F5 of the Regulation is amended: (1) by replacing the paragraphs under “EXHIBITS” with the following: “File all Exhibits with the Initial Form. For each Exhibit, include the name of the information processor, the date of filing of the Exhibit and the date as of which the information is accurate (if different from the date of the filing). If any Exhibit required is inapplicable, a statement to that effect must be included instead of the Exhibit. If the information processor files an amendment to the information provided in its Initial Form, and the information relates to an Exhibit filed with the Initial Form or a subsequent amendment, the information processor must, in order to comply with sections 14.1 and 14.2 of Regulation 21-101 respecting Marketplace Operation (chapter V-1.1, r. 5), provide a description of the change and the actual or expected date of the implementation of the change, and file a complete and updated Exhibit. The information processor must provide a blacklined version showing changes from the previous filing.”; (2) in section 1 of Exhibit C: (a) by replacing, after the words “list of partners”, the word “directors” with the word “officers”; (b) by deleting paragraphs 4 and 5. 16. 1) This Regulation comes into force on September 14, 2020. 2) In Saskatchewan, despite subsection (1), if this Regulation is filed with the Registrar of Regulations after September 14, 2020, this Regulation comes into force on the day on which it is filed with the Registrar of Regulations.