Last week, the Mutual Fund Dealers Association of Canada issued a Bulletin on Cybersecurity (#0690-C). The purpose of the Bulletin is to enhance Member awareness and understanding of cybersecurity issues and resources, and to provide guidance regarding the development and implementation of cybersecurity procedures and controls.

The Bulletin states that Members should:

  • establish and maintain appropriate cybersecurity procedures and controls to ensure that they are adequately protecting networks, computers, programs, and data from attack, damage and unauthorized access; and
  • evaluate their cybersecurity programs and implement additional controls and risk management techniques, where it is appropriate to do so, having regard to the particular operations and potential vulnerabilities of the Member.

The Bulletin also sets out three fundamental goals for organizations in order to protect their systems and data: (1) confidentiality; (2) integrity; and (3) availability.

To achieve these goals, Members should develop a Cybersecurity Framework that performs the following five functions:

  1. Identify assets in need of protection, as well as threats and risks to them;
  2. Protect such assets with the appropriate safeguards;
  3. Detect intrusions, breaches, and unauthorized access;
  4. Respond to a potential cybersecurity event; and
  5. Recover from a cybersecurity incident by assessing the incident, restoring normal operations and services, and applying enhanced safeguards that are specific to the nature of the incident.

A list of other areas Members should consider in their Cybersecurity Framework is also provided, including setting a governance and risk management framework, obtaining cyber insurance coverage, and managing threats posed by vendors.

This policy follows and cites guidelines on cybersecurity issued by IIROC, FINRA, and IOSCO. Financial institutions should ensure that their Cybersecurity Frameworks are responsive and up to date.