Earlier this month, the Mutual Fund Dealers Association of Canada (MFDA) released a bulletin providing guidance on cybersecurity and cyber risk management for mutual fund distributors. The goal of the bulletin is to increase awareness for cyber vulnerabilities and to provide guidance for developing and implementing internal cybersecurity policies.
The bulletin emphasizes the importance of cybersecurity to prevent major disruptions to critical business operations and to mitigate the potential for monetary and reputational harm resulting from data breaches. Citing the US Financial Industry Regulatory Authority (FINRA)’s cybersecurity findings, three cybersecurity threats are identified the order of salience: outside hackers penetrating the company system, insiders compromising firm or client data, and the operational risks of information technology use.
While cautioning against one-size-fits-all cyber risk management solutions, the bulletin provides five cybersecurity objectives the MFDA views as common to all solutions. The five cybersecurity objectives, to be implemented by a synergy of people and processes within each organization, are to:
- Identify assets in need of protection, including the threats and risks to them;
- Protect such assets with the appropriate safeguards;
- Detect intrusions, breaches, and unauthorized access;
- Respond to a potential cybersecurity event;
- Recover from a cybersecurity incident by assessing the incident, restoring normal operations and services, and applying enhanced safeguards that are specific to the nature of the incident.
To achieve these cybersecurity objectives, the bulletin offers a host of security policy and control recommendations, including, among others:
- Setting up a governance and risk management framework including the involvement and buy-in of the Board of Directors and senior management
- Cybersecurity incident response procedures, including an incident response team
- Information sharing and incident/breach reporting, such as the requirement to notify the Privacy Commissioner of specified breaches Managing threats posed by vendors, ensuring the level of risk posed by each third party vendor is appropriately assessed and mitigated
- Obtaining cyber insurance coverage
While these recommendations are not exhaustive, they present important steps in the management of cybersecurity threats. Ensuring that a cyber risk management plan exists and having security policies and procedures in place is increasingly important to manage the liabilities that arise from privacy and data breaches.