Survey results show improvement in training, incidence response plans and third-party risk assessment
April 2, 2019 (Toronto, ON) – Canadian investment firms have taken concrete steps to put in place appropriate cybersecurity measures to manage threats and protect their clients and businesses, according to a survey completed by all firms regulated by the Investment Industry Regulatory Organization of Canada (IIROC).
The survey, completed in November 2018, measured each firm against the National Institute of Standards and Technology (NIST) cybersecurity framework. The NIST framework focuses on governance, as well as security, vigilance and resilience of each firm. IIROC has reported individual results to all firms, with recommendations on any gaps in cybersecurity capabilities that should receive priority attention. This was the second survey, following one conducted in 2016.
- Nearly all firms (94%) assess third parties for potential cyber risks before entering into a contract – up from 70% in 2016
- 82% of firms conduct cybersecurity training at least annually – up from 56% in 2016
- 72% of firms have an incidence response plan – up from 53% in 2016
- More than half (55%) of firms have purchased a cyber insurance policy – up from 37% in 2016
- Between 2016 and 2018, the number of firms at a high risk of experiencing a cyber threat decreased – with smaller firms contributing the most to this decrease
Insights from the survey provide firms with areas to further improve upon their cybersecurity preparedness, such as performing privacy risk or impact assessments, as well as monitoring the dark web for intelligence related to their organizations.
“IIROC works closely with firms to manage cybersecurity risks and protect data, as a part of our mandate to protect investors and enhance market integrity,” says Louis Piergeti, IIROC’s Vice-President of Financial & Operations Compliance. “Seeing the marked increase in the number of firms that have made meaningful improvements to their cybersecurity programs demonstrates that firms are serious about protecting their clients from future threats.”
IIROC, in collaboration with Accenture, last month published a report titled “Enabling the Evolution of Advice in Canada” which was the result of an extensive consultation conducted to better understand how the wealth industry is evolving to meet investor needs and how regulation can better accommodate innovation. For this reason, IIROC is committed to continued engagement with investment firms as they adapt to industry transformations and innovations in technology – such as cybersecurity programs.
IIROC has also proposed a rule requiring mandatory reporting of cybersecurity incidents, which would help determine whether firms need guidance on how to assess and address any potential liability. IIROC would also be able to determine whether the information yielded any insight or intelligence that could help improve the industry’s overall preparedness.
Also, in 2018, IIROC hosted day-long table-top test scenarios geared toward small and medium-sized firms. Participants role-played to respond to crises, such as ransomware attacks, data leakages and third-party information breaches. At the end of the test scenarios, experts in cybersecurity, regulation and law provided guidance and recommended cost-effective solutions.
IIROC has also published a Cybersecurity Best Practices Guide for firms and their advisors.
IIROC is the national self-regulatory organization that oversees all investment dealers and their trading activity in Canada’s debt and equity markets. IIROC sets high quality regulatory and investment industry standards, protects investors and strengthens market integrity while supporting healthy Canadian capital markets. IIROC carries out its regulatory responsibilities through setting and enforcing rules regarding the proficiency, business and financial conduct of more than 170 Canadian investment dealer firms and their more than 29,000 registered employees, the majority of whom are commonly referred to as investment advisors. IIROC also sets and enforces market integrity rules regarding trading activity on Canadian debt and equity marketplaces.