Last week, the Investment Industry Regulatory Organization of Canada (“IIROC”) published two detailed guides to help IIROC-regulated firms protect themselves and their clients against cyber threats and attacks. The creation of these guides was telegraphed at the beginning of the year in IIROC’s annual consolidated compliance report for 2014/2015, released January 27, 2015, and underlines IIROC’s increased focus on cyber risk.
The first resource, the Cybersecurity Best Practices Guide (“Practices Guide”), is intended to provide “an enterprise-wide risk-based framework of industry standards and best practices that IIROC-regulated firms can apply”. The complementary Cyber Incident Management Planning Guide (“Planning Guide”) is a companion tool for firms to use in order to prepare effective response plans for cyber threats and attacks.
The Practices Guide
The Practices Guide is “voluntary guidance” but Andrew Kriegler, IIROC President and CEO has said that IIROC regards “[a]ctive management of cyber risk [a]s critical to the stability of IIROC-regulated firms, the integrity of Canadian capital markets and the protection of investors.”
The Practices Guide, at just over 50 pages long, provides detailed standards-based security controls that make up a best practice cybersecurity program. While applicable to IIROC dealer members of all sizes and budgets, it is specifically targeted at small and mid-sized firms.
Key points in the Practices Guide include:
Sound Governance and Board Engagement. A sound governance framework with strong leadership is identified as being “essential” to effective enterprise-wide cybersecurity, along with board-level and senior management-level engagement, which IIROC characterizes as “critical”.
Training. Responding to increasing threats presented by social engineering (the manipulation of insiders into providing confidential information or downloading malicious code), IIROC notes that effective training helps to reduce the likelihood of a successful attack by providing staff with the knowledge to avoid becoming inadvertent attack vectors.
Scalable. IIROC acknowledges that there is a range of sizes and sophistication among its member dealers and that the ability to customize and quantify adjustments to their cybersecurity programs using cost-effective security controls and risk management techniques will be important. IIROC cautions that while a smaller firm may not be positioned to implement the Practices Guide’s controls in their entirety, it is of the view that these strategies can nonetheless serve a critical benchmarking function.
Third Party Vendor Management. IIROC recognizes that its dealer members typically use third-party vendors for services, which requires vendor access to sensitive firm or client information, or access to firm systems. It also notes that the number of security incidents attributed to partners and vendors has risen consistently, year on year. As a result, IIROC urges firms to exercise “strong due diligence and developing clear performance and verification policies.”
The Planning Guide
The Planning Guide is the slimmer document at only 29 pages and presents a set of voluntary cybersecurity strategies, guidelines, and tools for small and mid-sized IIROC dealer members. These can be used by dealer members to assist them in developing their own internal plans as part of their cybersecurity strategy. The Planning Guide is careful to state that it is “not intended to create new legal or regulatory obligations or modify existing ones”, and dealer member firms will need to be aware of additional requirements layered on by anti-money laundering, privacy and consumer protection legislation, for example.
The Planning Guide is divided into three sections, with the first section providing a brief background on cybersecurity and key industry standard references. The second section is an overview of the incident lifecycle, planning concepts, and key tools upon which to base incident response plans. The third section addresses firm interactions with outside parties (e.g. regulators and clients, as well as partners, external vendors, and government) during a breach.
There are two appendices: Appendix A includes key recommendations for implementing a cybersecurity incident response capability and Appendix B includes a 10-step guide, which outlines how to respond to a cybersecurity incident when an organization is not prepared.
Both Guides are extensive and firms would be wise to begin seriously engaging them in the development of their cybersecurity risk planning, which should already be well underway. It is not unreasonable to assume that these Guides, though voluntary, will inform the expectations of regulators.
The Guides are in many respects technical documents, and as a result do not in and of themselves provide a comprehensive enterprise risk management perspective. For instance, one key piece which is not fully addressed in the Guides is the crucial role of counsel and, in particular, the importance of managing privileged information, both prior to and during a breach. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances and boards should understand the contours of liability related to these risks and the decisions made in response to them.