Just before the holidays, the Investment Industry Regulatory Organization of Canada (“IIROC”), a national organization that regulates securities dealers operating in Canada, released two cybersecurity guides to assist dealers in managing their cybersecurity risks and in responding effectively in the event of a cyber incident.
The two documents focus on different aspects of cybersecurity:
Best Practices Guide
The Best Practices Guide identifies specific cybersecurity threats (e.g., hackers penetrating firm systems, insiders compromising firm and client data, and operational risks) and recommends that dealers develop strategies tailored to their own business in order to improve their overall cyber resiliency profile.
The four key takeaways from the Best Practices Guide can be summarized as follows:
Incident Planning Guide
The Incident Planning Guide is designed to assist dealers with developing internal response plans and protocols in the event of a cyber attack. It notes that incident response planning should be prioritized based on the types of risks the organization is most likely to face, in addition to those that have the potential for the greatest impact on the firm, its relationships, and its reputation.
Of particular interest are the appendices, which provide (i) a list of recommendations for implementing a cybersecurity incident response capability (modeled after NIST’s Computer Security Incident Handling Guide), and (ii) a 10-step guide outlining how to respond to a cyber incident in the event that an organization was not fully prepared.
While the two documents released by IIROC are not designed to establish minimum industry standards, and the recommendations they contain are entirely voluntary, these guides are excellent starting points for dealers wanting to mitigate their exposure to cyber threats.
The guides are also helpful in that they recognize that IIROC regulated firms vary in size and in the resources available to them for putting appropriate cybersecurity measures in place. Nevertheless, they provide helpful benchmarks for smaller dealers, allowing them to situate themselves vis-à-vis their industry peers.
Further, these documents underscore the fact that cyber threats now pose a significant risk to the stability of IIROC regulated firms, the integrity of Canadian capital markets, and the protection of investor interests. IIROC felt that, in the absence of any mandatory minimum cybersecurity standards, it had to issue these guides as a way to assist its members in minimizing their cyber exposure.
We anticipate that cyber attacks will continue to increase in frequency, sophistication and scale in 2016. Dealers should consider revisiting their cybersecurity policies, conducting employee refresher training on potential cyber threats, and stress testing their cyber incident response plans.