Canadian securities regulators have issued a notice on cybersecurity and social media which brings into sharp relief the rapid pace of the threats investment dealers and advisers now face as a result of the increased targeting of the financial industry by cyber criminals. In light of the scope of these challenges, it is worth taking a comprehensive look back at the developments over the past few years so firms can better protect themselves going forward.
Gowling WLG Focus
The past two years have seen cyber attacks and cybersecurity move from the business section to the front page, with high-level breaches affecting everything from the sanctity of democratic elections to the privacy of individuals as consumers and even as patients. Recent hacks have borne out industry predictions of an increasing shift from opportunistic attacks on unsophisticated individuals, to continued attacks on gatekeepers of consumer information (e.g. the recent Equifax breach), to breaches of targets holding higher value financial information (see the Deloitte breach and, more troubling still, the attack exploiting the U.S. Securities and Exchange Commission’s EDGAR filing system). As holders of high-value financial information become prime targets for cyber attacks, investment dealers must be more vigilant and prepared than ever before.
Increasing Recognition but Anemic Response
A cyber attack in the Canadian marketplace could severely threaten market integrity and undermine investor confidence, and investment dealers have clearly given thought to the repercussions of such attacks on their business. A number of regulators have canvassed market participants to assess the scope of these threats.
In early 2015, the Investment Industry Regulatory Organization of Canada (IIROC) conducted a survey of dealer members’ preparedness to deal with cyber attacks. It noted that it was using the information gathered during these assessments to develop best practice recommendations, as well as an incident response guide. The survey found that:
- 83% of respondents to the survey viewed cyber issues as a threat.
- 98% of respondents had adopted information security measures, including 69% of respondents having specific cybersecurity policies in place.
- 7% of respondents reported a service outage within 12 months of the study due to malicious acts of third parties.
In the past year, Canadian securities regulators have reported the results of a review of the recent annual filings of 240 companies listed on the S&P/TSX Composite Index. The review focused on the quality of the disclosure relating to cybersecurity issues in the companies’ respective risk disclosures. Some of the key findings included:
- 39% of issuers did not address cybersecurity issues in their risk factor disclosure.
- While a majority of issuers reviewed did address cybersecurity issues as a material risk to their business, all but a few did so in general terms, discussing only that their dependence on information technology rendered them at risk for cybersecurity breaches — very few issuers talked about the particular vulnerability to cybersecurity incidents specific to their business and their industry.
- Some potential impacts of a cybersecurity incident that were common to companies across different industries included, among others, the following:
  - Unauthorized access to proprietary or sensitive information
  - Compromising of confidential customer or employee information
  - Destruction or corruption of data
  - Lost revenue due to disruption of activities
  - Reputational harm affecting customer and investor confidence
- Of the subset of issuers who did address cybersecurity threats in their disclosure (61%), only 1/5 identified a person, group or committee that was responsible for dealing with such threats (and most of those identified their respective audit committees).
In sum, while some companies have turned their minds to cybersecurity threats in their disclosure, there is still a lot of room for improvement. As discussed below, Canadian securities regulators have also published a number of important recommendations to assist companies in this regard.
The most recent notice from Canadian securities regulators sets out the results of a survey related to cybersecurity and social media practices from 2011-2016 by investment fund managers, portfolio managers and exempt market dealers. The results provide an interesting and possibly troubling snapshot of the industry. Among the troubling results:
- 51% of firms experienced cybersecurity incidents in a given year (43% of firms identified phishing incidents, 18% reported malware incidents, and an alarming 15% reported attempts to impersonate clients for the purpose of initiating transactions).
- Most firms have cybersecurity policies and procedures, but only 57% of firms have procedures in place to allow for continued operation during a cybersecurity incident (the others, presumably, would have to shut down business indefinitely to deal with these incidents).
- Only 56% of firms have policies and procedures in place for cybersecurity training for employees.
- Most firms (59%) do not have specific cyber insurance policies.
Among the positive results:
- Most firms perform cyber risk assessments, at least annually (only 14% do not).
- Most firms (66%) have incident response plans in place that are tested at least annually.
- Most firms (68%) that use third-party vendors / consultants conduct due diligence on their cybersecurity practices.
Increased Guidance and Heightened Reporting Expectations
Cybersecurity has been identified as one of the top enforcement priorities of Canadian and American securities regulators. Canadian securities regulators have called on dealers to “be aware of the challenges of cyber-crime and [should] take the appropriate protective and security hygiene measures necessary to safeguard themselves and their clients or stakeholders.” The Ontario Securities Commission (OSC) has noted that “[r]obust cybersecurity measures are an important element of the controls of issuers, registrants and regulated entities in ensuring the reliability of operations and the protection of confidential information.” The OSC has also indicated it will evaluate these controls in its oversight of registrants and regulated entities in Ontario.
The importance of cybersecurity was also raised in IIROC’s Annual Compliance Report for 2014/2015 and on December 21, 2015, following their aforementioned survey of IIROC-regulated firms regarding cybersecurity, IIROC published two resources to help firms protect themselves and their clients against cyber threats and attacks: the Cybersecurity Best Practices Guide (the “Best Practices Guide”) and the Cyber Incident Management Planning Guide (the “Incident Guide”).
The Best Practices Guide, described as a “living document”, is intended to provide a voluntary set of industry standards and best practices to help IIROC Dealer Members manage cybersecurity risks.
Some of its key points include:
- Appropriate Governance and Risk Management Frameworks: Firms should establish and maintain appropriate governance and risk management frameworks to identify and address risks for communications networks and services. This requires board-level and senior management-level engagement.
- Employee Training: Employees should be aware of the danger posed by cybersecurity threats and should be trained to become a first line of defence against such threats.
- Insurance: Dealer Members should carefully review existing company and D&O insurance policy provisions as they relate to data breach and privacy claims, and ensure that such claims are not excluded.
The Incident Guide is intended to assist IIROC members in preparing an internal cyber-incident response plan, setting out voluntary cybersecurity strategies, guidelines, and tools for small and mid-sized IIROC Dealer Members.
As with the Best Practices Guide, IIROC notes that the Incident Guide “is not intended to create new legal or regulatory obligations or modify existing ones.” Instead, it lists five steps in preparing for and responding to cybersecurity incidents. These include:
- Developing an incident response team and breach response plan
- Implementing a monitoring program to detect cybersecurity incidents
- Assessing whether a cybersecurity event is truly an incident indicating a significant probability of compromising business operations
- Containing, recovering from and forensically analyzing the incident
- Developing lessons learned
The Best Practices Guide and the Incident Guide set forth a voluntary risk-based cybersecurity framework and are not intended to create new legal or regulatory obligations or modify existing ones. However, given the vulnerabilities that investment dealers can face, dealer firms would do well to review the content of these resources and to, at the very least, consider whether they are compliant.
IIROC has followed up on these initiatives by providing dealers with individualized, confidential ‘report cards’ comparing their practices and processes to firms of similar sizes and with similar business models. And, in its announcement of strategic priorities for 2018, IIROC has reaffirmed its commitment to helping dealers improve their cybersecurity preparedness.
For their part, Canadian securities regulators published a number of key recommendations in their 2017 notices. At the beginning of the year, they provided guidance on risk factor disclosure and incident reporting. Among the key highlights, they recommended:
Risk Factor Disclosure
- Companies should avoid boilerplate language that describes cybersecurity risks that generally apply to all businesses. Instead, the focus should be on entity-specific and industry-specific threats. Companies should always keep in mind that the purpose of risk factor disclosure is to allow investors to distinguish one company from another, both within and across certain industries.
- One example provided by Canadian securities regulators was the difference between the kinds of threats to a consumer-facing business (e.g. breach of confidential customer information) and a company owning strategic intellectual property (e.g. theft of trade secret).
- Materiality with respect to cybersecurity risk disclosure turns on the probability a breach will occur and the anticipated magnitude of its effect.
- A company must of course assess the materiality of the breach.
- There is no bright-line test and the threshold for when an incident becomes material will differ from industry to industry and company to company.
- While a relatively minor incident may not be material, a series of frequent minor incidents may become material depending on the level of disruption.
- A cybersecurity remediation plan should deal with how materiality of an attack will be assessed to determine whether, when and how an incident will be disclosed.
And most recently, Canadian securities regulators weighed in with further guidance on how registrants can better protect their firms from cyber attacks. Some of the key highlights include:
- Policies and Procedures: These should address:
  - The use of electronic communications, and these should cover the types of information firms may collect / send via email
  - The use of firm-issued devices and the use of public devices or internet connections to access the firm’s network and data
  - Oversight of third-party vendors and service providers that have access to the firm’s network or data
- Training: Employees should receive training on:
  - Recognizing risks
  - Handling confidential information
  - Security of “all electronic devices”
- Risk Assessment: Firms should conduct at least annual risk assessments, which should include:
  - An inventory of “critical assets and confidential data” and identification of “what is most important to protect”
  - Areas of potential vulnerability to cyber threats, internal (employees) and external (hackers, third-party providers)
  - An evaluation of the adequacy of the firm’s incident response plan
- Incident Response Plan: Plans should include:
  - The identification of people who should be part of the response to the incident
  - Procedures to neutralize the threat and halt ongoing damage
  - Plans for the recovery of data, investigation of incident causes and improvement / adaptation to prevent similar incidents
- Due Diligence: Firms should:
  - Limit third-party access to their data
  - Ensure their agreements with third-party vendors / services providers address how the vendors / providers will address incidents involving the firm’s data
  - Have a contingency plan in the event that firm data stored in the “cloud” becomes inaccessible
- Data Protection: Firms should also:
  - Use encryption “for all computers and electronic devices”
  - Ensure the security of client data accessible via online portals
  - Back up their data to secure off-site servers
- Insurance: Firms should review their existing coverage and consider additional insurance if existing coverage does not cover cybersecurity incidents.
Canadian securities regulators also offered guidance on cyber-threats related to social media being used as a vehicle to carry out attacks against registrants, suggesting that firms have guidelines on appropriate use and content of social media, and should monitor authorized and unauthorized use of social media by firm employees.
Cybersecurity has been on the radar of the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) since at least 2007. In fact, it was referred to by President Obama, early on in his first term, as “one of the most serious economic and national security challenges” the country faced.
In January 2014, FINRA initiated a sweep to better understand the types of threats to which member firms were subject, as well as their response to those threats. The subsequent Report on Cybersecurity identified the top three threats facing firms as:
- Hackers penetrating firm systems
- Insiders compromising firm or client data
- Operational risks.
On January 11, 2016, the SEC announced its 2016 Examination Priorities. For the third straight year, among them was a focus on broker dealers’ and investment advisers' cybersecurity compliance and controls.
While Canadian securities regulators’ current focus seems to be on establishing a culture of awareness of the risks of cyber attacks and the importance of proactive management, the SEC has already begun prosecuting firms for failure to adopt written policies and procedures designed to protect customer data. In a September 2015 case, RT Jones, the SEC found that the investment adviser failed to establish the required cybersecurity policies and procedures in advance of a breach (hacker attack) that compromised the personal information of approximately 100,000 individuals — many of them clients of the firm. Though there was no evidence of any financial harm, the investment adviser was fined $75,000 and was required to adopt a written information security policy to comply with the cybersecurity regulations.
What Types of Threats Do Investment Dealers Face?
Because of their continued and increasing reliance on technology, the interconnectedness of the financial sector, and their access to sensitive/confidential information and world markets, investment dealers are subject to a variety of potential cyber threats. The three greatest threats, in order of importance, are:
1. Electronic Trading & Direct Market Access (DMA) Platform Manipulation: Many investment dealers in Canada, particularly big banks, rely on electronic execution and trading connectivity for reliable, streamlined and efficient execution for their customers. Using such a system means that, in most cases, a client’s order goes directly into the exchange’s order book. Further, an investment dealer’s DMA platform usually grants the user access to other online broker-dealers. This makes investment dealers particularly vulnerable to firm clients/hackers accessing the platform and engaging in fraudulent transactions.
2. Spear Phishing: “Spear phishing” involves the sending of personalized emails to employees, which, once opened, install malware that provides intruders with access to internal systems. These kinds of attacks emphasize the need for employee awareness and training, an issue that will be addressed in more detail below. Phishing emails are examples of what are known as Advanced Persistent Threats (APTs).
3. Distributed Denial of Service (DDoS) Attacks: DDoS attacks involve the bombardment of a company’s website with high volumes of traffic, resulting in the site being unavailable to legitimate customers. While these types of attacks may result in reputational risk to the investment dealer, they do not compromise internal systems, and are therefore less serious than the above two.
As with the RT Jones case cited above, investment dealers face regulatory action for failure to adequately protect confidential information. Other than regulatory action, however, dealers could also be subject to other forms of liability, including financial penalties, reputational loss, and civil claims for negligence, statutory breach, and breach of contract. Class action lawsuits against investment dealers are also possible.
What Actions Can Investment Dealers Take to Protect Themselves?
There is no “one-size-fits-all” model for a cybersecurity infrastructure, but a consensus has emerged on the importance of the following measures:
1. Good Governance and Risk Assessment Framework: In order to prioritize and mitigate risk in the event of a cyber attack, a sound governance and risk assessment framework is essential. This requires leadership at the Board and senior management levels in order to identify critical assets and put in place systems and policies in order to protect these. One suggestion IIROC makes in their Best Practices Guide is the appointment of a Chief Information Security Officer (a “CISO”) in order to oversee the cybersecurity efforts within the company. One of the responsibilities of a CISO would be to periodically conduct assessments of the dealer’s environment, including, for example, the firm’s collection/storing process for confidential and sensitive information, security controls and policies in place to protect these, and how the firm would respond in the event of an attack.
2. Access Rights and Controls: Dealers must be vigilant to ensure that data breaches do not occur as a result of a failure to implement controls to prevent unauthorized access to systems or information. In this day and age where employees are often using personal devices to access dealer networks, as well as frequently working from home, this may include a review of “controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.”
3. Employee Training: Employee training goes hand in hand with access rights and controls. Oftentimes, and especially in the case of phishing threats, employees are a dealer’s first line of defence. Ensuring that employees, new and old, are aware of and up to date with the threats faced by the firm is key to preventing such attacks. As the SEC notes, some data breaches may result from unintentional employee actions such as misplacing technology, accessing a client account through an unauthorized laptop or unsecure connection, or opening an email and downloading attachments from an unknown source. An effective staff training program should allow employees to recognize cyber risks (including, for example, phishing emails) and address: confidential information; password protection; escalation policies; physical security; and mobile security.
4. Develop an Incident Response Plan: In the event an investment dealer is hit with a cyber attack, it is imperative that it have a response plan in place to isolate, minimize, and respond to the attack. A sound governance framework (addressed above) is paramount in that, if operating competently, it would have developed such a response plan. The response plan may address, among other things: appointing particular persons and delegating responsibilities in the event of a cyber attack; the preparation of incident reports, detailing what was attacked and what information compromised; containment and mitigation strategies; and investigation and recovery plans.
The Goal Posts Will Keep Shifting
While relatively little Canadian case law exists, emerging U.S. decisions will doubtlessly inform the expectations of Canadian judges and regulators in assessing whether dealers and advisers who fall prey to attacks did enough to protect their clients. These cases contribute to a growing laundry-list of expectations that companies and firms should expect to face in the future. For instance, a recent settlement proposal submitted for court approval in a massive U.S. consumer data breach case adds the following expectations to this growing list:
a. Partnering with a dark web mining service to search for stolen data
b. Periodic “table top cyber exercises” to test the breached firm's cyber response processes and procedures
c. Membership in “at least one Information Sharing and Analysis Center (ISAC) or Information Sharing and Analysis Organization (ISAO)”—note that Canada now has its own such exchange (the Canadian Cyber Threat Exchange)
When announcing the publication of the Best Practices Guide and Incident Guide, IIROC President Andrew Kriegler stated that “[a]ctive management of cyber risk is critical to the stability of IIROC-regulated firms, the integrity of Canadian capital markets and protection of investors.”
The continued and increasing reliance on technology, the interconnectedness of the financial sector, as well as the critical role that financial institutions play in the overall economy put investment dealers and advisers at the forefront of those who should be vigilant and ensure preparedness. They are uniquely positioned to be both victims of, and leaders in, this sphere, and regulators in both Canada and the U.S. have given clear indications that they expect dealers and advisers to be proactive in their approach to cybersecurity.
Again, while there is no “one-size-fits-all” model, at a minimum, investment dealers and advisers should ensure that their Boards and upper management are aware of the cybersecurity risks faced by their firm and have in place a proper policy to be able to detect, prevent, and remediate a potential security breach.