COVID-19 and Cybersecurity – Remote Access Services

Type: Education Notice
Distribute internally to:
Corporate Finance
Internal Audit
Legal and Compliance
Regulatory Accounting
Senior Management
Trading Desk


Suzanne Lasrado
Senior Manager, Financial & Operations Compliance
Ryan Li
Director, Information Security

This Notice is for IIROC Dealer Members who use remote access services (e.g. Virtual Private Network – VPN, remote desktop, etc.) to support work from home arrangements.

Over the last couple of months, IIROC has issued Notices to firms and to advisors and employees to alert them to increased cybersecurity threats related to the pandemic.

We continue to see evolving cybersecurity threats, this time related to the use of remote access services with attackers increasingly targeting and exploiting its vulnerabilities.


Remote access service vendors have advised that potential vulnerabilities are being leveraged to gain access to internal networks of various organizations. Attackers have been observed actively scanning for vulnerable configurations. Once access is gained, attackers can remain undetected and will look to obtain additional privileges to launch future attacks such as ransomware or data exfiltration.

What to do?

Firms must continue to apply general security precautions and actions to all computing resources with vigilance to external facing components such as remote access services.

We strongly recommend that your Information Technology department or services provider does the following:

  1. Patch all systems – ensure security patches and secure configurations are applied in a timely manner according to vendor recommendations.
  2. Monitor network environments – continue to monitor your environment for any anomalous behaviour (e.g. brute force attacks, irregular login/network activity, etc.). Take immediate action including password resets for any suspected breaches.
  3. Implement multi-factor authentication (MFA) – ensure MFA is implemented and enforced for all users when logging in from an external network.
  4. Install anti-virus/anti-malware solutions and updates – ensure anti-virus/malware tools are in place and up to date with the latest indicators of compromise on servers, end points, and network.

Other resources

Further information and resources on managing cybersecurity threats, including guides and webinars, are available on IIROC’s cybersecurity site.

MFDA and IIROC have consolidated

As of January 1, 2023 the MFDA and IIROC have come together as New Self-Regulatory Organization of Canada (New SRO).

New SRO has assumed the regulatory responsibilities of the MFDA and IIROC.

We have set up an interim website for updates and information related to the New SRO including:

  • Executive Management
  • Governance
  • New SRO Rules
  • Member Application
  • Investor Office and the Investor Advisory Panel
  • Information concerning mutual fund dealers registered in Québec
  • Complaints
  • Careers

Enforcement proceedings, membership lists, continuing education, investor education resources and any other information not set out above continue to reside on and