Just before the holidays, the Investment Industry Regulatory Organization of Canada (“IIROC”) – a national organization that regulates securities dealers operating in Canada - released two cybersecurity guides to assist dealers manage their cybersecurity risks and to effectively respond in the event of a cyber incident.
The two documents focus on different aspects of cybersecurity:
- The Cybersecurity Best Practices Guide (“Best Practices Guide”) provides a framework of general industry standards and best practices that dealers can apply to manage cyber risks and breaches.
- The Cyber Incident Management Planning Guide (“Incident Planning Guide”) provides recommendations and guidelines for dealers to prepare effective response plans for cyber threats and attacks.
Best Practices Guide
The Best Practices Guide identifies specific cybersecurity threats (e.g., hackers penetrating firm systems, insiders compromising firm and client data, and operational risks) and recommends that dealers develop strategies unique to their business to increase their overall cyber resiliency profile.
The four key takeaways from the Best Practices Guide can be summarized as follows:
- Governance. Cybersecurity is not exclusively IT’s responsibility. Rather, to ensure effective cybersecurity preparedness, strong leadership, including engagement by the Board of Directors and senior management, is required. The organization’s leadership is responsible for directing the implementation of a comprehensive cybersecurity program and regularly overseeing its effectiveness.
- Training. When it comes to cybersecurity, while having the right technical defences in place is important, minimizing human error is even more critical. Effective and ongoing staff training will reduce a dealer’s exposure to cyber threats, such as spear phishing and social engineering. Training should focus on fostering a culture of procedural compliance, a questioning attitude and having a depth of knowledge to identify potential threats to the organization.
- Implementation. IIROC recognizes that smaller dealers may not necessarily be positioned to implement all of the best practices outlined in the Best Practices Guide. Nevertheless, these best practices can serve a benchmarking function allowing smaller dealers to situate their efforts relative to industry standards.
- Third Party Vendors. It is common for dealers to use third-party vendors for services which gives them access to sensitive firm or client information, or access to firm systems. Given the rise in the number of security incidents attributed to third party vendors, it is recommended that dealers exercise strong due diligence and develop clear vendor performance policies.
Incident Planning Guide
The Incident Planning Guide is designed to assist dealers with developing internal response plans and protocols in the event of a cyber attack. It notes that incident response planning should be prioritized based on the types of risks the organization is most likely to face, in addition to those that have the potential for the greatest impact on the firm, its relationships, and its reputation.
Of particular interest are the appendices which provide (i) a list of recommendations for implementing a cybersecurity incident response capability (which is modeled after NIST’s Computer Security Incident Handling Guide), and (ii) a 10-step guide outlining how to respond to a cyber incident in the event where an organization was not fully prepared.
While the two documents released by IIROC are not designed to establish minimal industry standards and the recommendations they contain are entirely voluntary, these guides are excellent starting points for dealers wanting to mitigate their risk exposure when it comes to cyber threats.
The guides are also helpful in that they recognize that IIROC regulated firms vary in size and in terms of resources that may be available to them to ensure that appropriate cybersecurity measures are in place. Nevertheless, they provide helpful benchmarks for smaller dealers, allowing them to situate themselves vis-à-vis their industry peers.
Further, these documents underscore the fact that cyber threats now pose an important risk to the stability of IIROC regulated firms, the integrity of Canadian capital markets, and the protection of investor interests. IIROC felt that in the absence of any mandatory minimal cybersecurity standards, it had to issue these guides as a way to assist its members in minimizing their cyber exposure.
We anticipate that cyber attacks will continue to increase in frequency, sophistication and scale in 2016. Dealers should consider revisiting their cybersecurity policies, conducting employee refresher training on potential cyber threats, and stress testing their cyber incident response plans.