On January 18, 2018, the Investment Industry Regulatory Organization of Canada (IIROC) released its Compliance Priorities Report for 2017/2018, identifying cybersecurity as a “high priority” issue that IIROC dealer members should address to improve investor protection and foster market integrity. The report also provides specific guidance on initiatives that dealers may undertake in 2018-19 to proactively manage cyber-related risks.
IIROC’s 2016/2017 Feedback
In 2017, IIROC followed up with small and mid-sized dealers to discuss how they had considered IIROC’s previous feedback that dealers should:
- maintain “adequate” policies and procedures to safeguard the confidentiality, integrity and availability of the dealer’s data (including clients’ personal information);
- conduct “regular due-diligence” of third-party IT vendors and service providers to evaluate the adequacy of safeguards against cybersecurity incidents;
- use encryption and strong passwords to protect “data and sensitive information” stored on all computers, storage servers, web server portals and mobile electronic devices;
- fix identified security vulnerabilities on a “timely basis”;
- “develop a cybersecurity incident-response plan that includes: a description of the different types of possible incidents; procedures to stop an incident and eliminate the threat; procedures for recovery of data; investigation of an incident; and incident notification and reporting obligations”.
IIROC Guidance for 2018/19
Building on the foregoing recommendations, IIROC has recommended that dealers:
- conduct “table-top simulations” of cyber-incident scenarios that may occur to help participants develop and improve their cyber-incident response plans; and
- complete another self-assessment survey to assess the dealer’s and overall industry’s preparedness in response to cyber-incident risks.
IIROC will continue its partnership with the Investment Industry Association of Canada (IIAC) to support and provide best-practice guidance to improve dealers’ cybersecurity preparedness, and has directed dealers to IIAC’s Due Diligence Procedures on Data Security by Third-Party Service Providers publication dated July 2017. The IIAC also has a Cybersecurity Guidebook dated June 2015.