As noted in IIROC’s Annual Compliance Report for 2014/2015, cyber-security continues to be a key issue for investment firms and for IIROC.
One aspect of advancing technology is that cyber-attacks are becoming more sophisticated, with potential for greater damage. For regulators and financial market participants, the increased efficiencies and improved capabilities of today’s information technology infrastructure come with incremental cyber-risks.
Given the increasing automation of, and interconnections among business functions, information and operational systems, an appropriate response to the challenge of cyber-security must take an enterprise-wide perspective and be part of each firm’s overall risk-management program.
We recognize that proactive management of cyber-risk is critical to the stability of IIROC-regulated firms, the integrity of capital markets and the protection of investors.
In February and March 2015, we surveyed IIROC-regulated firms to collect information concerning their assessment of their cyber-security preparedness.
In March 2015, we conducted a “table-top” exercise with a cross-section of firms to test their preparedness to deal with cyber-attacks. The exercise included coordination among firms and with regulators for sharing information to mitigate the impact of an attack, and protocols for updating clients and other stakeholders during such an emergency.
IIROC is using the results of the survey and test to assist in developing best-practice recommendations that can be applied by all IIROC-regulated firms, irrespective of size and business model, as well as an “incident response playbook”.
These materials will draw on input from firms (including the Investment Industry Association of Canada’s cyber-security working group) and other domestic and global financial services regulators, and will be made available in the fall of 2015.