Just before the holidays, the Investment Industry Regulatory Organization of Canada ("IIROC"), a national organization that regulates securities dealers operating in Canada, released two cybersecurity guides to assist dealers in managing their cybersecurity risks and in responding effectively in the event of a

The two documents focus on different aspects of

The Cybersecurity Best Practices Guide ("Best Practices Guide") provides a framework of general industry standards and best practices that dealers can apply to manage cyber risks and breaches.
The Best Practices Guide identifies specific cybersecurity threats (e.g., hackers penetrating firm systems, insiders compromising firm and client data, and operational risks) and recommends that dealers develop strategies unique to their business to increase their overall cyber resiliency profile.

The four key takeaways from the Best Practices Guide can be summarized as follows:
Cybersecurity is not exclusively IT's responsibility. Rather, effective cybersecurity preparedness requires strong leadership, including engagement by the Board of Directors and senior management. The organization's leadership is responsible for directing the implementation of a comprehensive cybersecurity program and regularly overseeing its
Training. When it comes to cybersecurity, having the right technical defences in place is important, but minimizing human error is even more critical. Effective and ongoing staff training will reduce a dealer's exposure to cyber threats such as spear phishing and social engineering. Training should focus on fostering a culture of procedural compliance, a questioning attitude and the depth of knowledge needed to identify potential threats to the organization.
IIROC recognizes that smaller dealers may not be positioned to implement all of the best practices outlined in the Best Practices Guide. Nevertheless, these best practices can serve a benchmarking function, allowing smaller dealers to situate their efforts relative to industry standards.
Third Party Vendors. It is common for dealers to use third-party vendors for services that give them access to sensitive firm or client information, or access to firm systems. Given the rise in the number of security incidents attributed to third-party vendors, it is recommended that dealers exercise strong due diligence and develop clear vendor
Incident Planning Guide

The Incident Planning Guide is designed to assist dealers with developing internal response plans and protocols in the event of a cyber attack. It notes that incident response planning should be prioritized based on the types of risks the organization is most likely to face, in addition to those that have the potential for the greatest impact on the firm, its relationships, and its
Of particular interest are the appendices, which provide (i) a list of recommendations for implementing a cybersecurity incident response capability (modeled after NIST's Computer Security Incident Handling Guide), and (ii) a 10-step guide outlining how to respond to a cyber incident where an organization was not fully prepared.
While the two documents released by IIROC are not designed to establish minimum industry standards, and the recommendations they contain are entirely voluntary, these guides are excellent starting points for dealers wanting to mitigate their risk exposure to cyber threats.
The guides are also helpful in that they recognize that IIROC-regulated firms vary in size and in the resources available to them to ensure that appropriate cybersecurity measures are in place. Nevertheless, they provide helpful benchmarks for smaller dealers, allowing them to situate themselves vis-à-vis their industry peers.
Further, these documents underscore the fact that cyber threats now pose an important risk to the stability of IIROC-regulated firms, the integrity of Canadian capital markets, and the protection of investor interests. IIROC felt that, in the absence of any mandatory minimum cybersecurity standards, it had to issue these guides as a way to assist its members in minimizing their
We anticipate that cyber attacks will continue to increase in frequency, sophistication and scale in 2016. Dealers should consider revisiting their cybersecurity policies, conducting employee refresher training on potential cyber threats, and stress testing their cyber incident response plans.