Open this photo in gallery:

Cybersecurity risks posed by new AI models have rankled regulators worldwide in recent months.Graeme Roy/The Canadian Press

Canada’s securities regulators are bolstering their cybersecurity guidance after finding gaps in some firms’ practices.

The Canadian Securities Administrators, an umbrella organization made up of provincial and territorial securities regulators, issued updated guidance Wednesday after reviewing the cybersecurity practices of 73 registered firms. The review included firms registered as investment fund managers, portfolio managers and exempt market dealers.

Cybersecurity risks posed by powerful new AI models have rankled regulators around the world in recent months, raising concerns about the stability of financial systems.

Organizations in sectors ranging from financial services to critical infrastructure have been marshalling resources in preparation for a new breed of cyberattacks enabled by AI models which have proven adept at identifying and exploiting software vulnerabilities.

U.S. to lift export controls on Anthropic’s Fable, Mythos AI models, company says

Firms registered with securities regulators are required to have cybersecurity procedures in place to manage risks. The CSA reviewed firms’ written policies, employee training, risk controls, incident response plans and their oversight of third-party service providers.

While a number of firms, particularly the larger ones, were found to have robust practices, the regulators identified a number of areas where practices should be strengthened.

For example, it found that 55 per cent of firms’ written policies and procedures could be improved, while 8 per cent of the firms had no written policies at all. Because the cyber threat landscape is rapidly evolving, firms should review and update their written policies at least annually, the CSA said.

Additionally, 21 per cent of the firms subject to the CSA review did not provide cybersecurity training to their employees, and 62 per cent had no or limited documentation of their oversight of third-party service providers.

With regards to incident response, 15 per cent of the firms subject to the review did not have a written plan, while more than half of those that did could have had a stronger plan, the CSA said.

And 63 per cent of the firms with a written incident response plan should have tested it on a more regular basis, according to the CSA.

OpenAI launching most advanced GPT model after delaying release

“The CSA wants to be clear with registrants that strong cybersecurity practices are not optional in today’s threat environment,” CSA chair Stan Magidson said in a statement.

“Our guidance is intended to help firms establish and maintain cybersecurity practices that are appropriate to their size and operations, and are responsive to an evolving threat landscape,” added Mr. Magidson, who also serves as the chair and CEO of the Alberta Securities Commission.

Wednesday’s notice builds on the CSA’s previous cybersecurity guidance, which was published in 2017. The regulatory body noted that technological advances and a greater reliance on digital tools have led to increased risks.

“Cybersecurity risks continue to grow on many fronts, particularly as firms rely more heavily on digital tools, hybrid work arrangements and online platforms to serve clients. We expect firms to review this guidance, assess their own cybersecurity practices, identify any gaps and take proactive steps to address them,” Mr. Magidson said.

Follow related authors and topics

Authors and topics you follow will be added to your personal news feed in Following.

Interact with The Globe