Cyber risk management is an increasingly important challenge for
organizations of all kinds. The Mutual Fund Dealers Association of
Canada ("MFDA"), the national self-regulatory
organization that oversees mutual fund dealers in Canada, has
published a Cybersecurity bulletin to help its members manage
cybersecurity risks. The Bulletin recommends using a Cybersecurity
Framework to proactively manage cyber risks and to prepare for
Cyber risks are risks of loss and liability (e.g. business
disruption, financial loss, loss to stakeholder value, reputational
harm, trade secret disclosure and other competitive harm, legal
noncompliance liability and civil liability to customers, business
partners and other persons) to an organization resulting from a
failure or breach of the information technology systems used by or
on behalf of the organization, including incidents resulting in
unauthorized access, use or disclosure of sensitive, regulated or
protected data. Cyber risks can result from internal sources (e.g.
employees, contractors, service providers, suppliers and
operational risks) or external sources (e.g. nation states,
terrorists, hacktivists, competitors and acts of nature).
Cyber risks are increasing in frequency, intensity and harmful
consequences as a result of various circumstances, including
increasing sophistication and complexity of cyber-attacks,
increasing use of information technology and data, increasing
regulation and increasing legal liability. Commentators have said
that there are only two kinds of organizations — those that
have been hacked and know it, and those that have been hacked and
don't know it yet.
MFDA's Cybersecurity bulletin recommends that
member dealers establish and maintain appropriate cybersecurity
procedures, controls and risk management techniques, using people,
processes, tools and technologies, to adequately protect
information technology devices/systems and data from attack, damage
and unauthorized access. The Bulletin explains the need to focus on
three fundamental goals: (1) confidentiality of information; (2)
integrity of information assets; and (3) availability of
information technology devices/systems and data.
The Bulletin recommends that member dealers develop a
Cybersecurity Framework that has five basic functions, mirroring the
core functions of the NIST Cybersecurity Framework: (1) identify
important assets and related threats/risks; (2) protect assets with
appropriate safeguards; (3) detect intrusions, breaches and
unauthorized access; (4) respond to a cybersecurity event; and (5)
recover from a cybersecurity event. The Bulletin identifies some
basic issues for consideration when developing a Cybersecurity
- A governance and risk management framework, including involvement of directors and senior
- Managing insider risks from new, current and departing employees and contractors.
- Physical security for human, environmental and supply chain threats.
- Cybersecurity awareness (including mandatory on-going training for all personnel) and cybersecurity
- Regular threat assessments and
- Network security measures, including multi-layered defences and restricted access.
- Technologies and practices to protect information systems, including data backup and recovery, anti-malware solutions and device controls.
- User account management and access
- Information technology asset/device
- Cyber incident response plans.
- Information sharing and breach
- Vendor risk management and
The Bulletin identifies some foundational resources, including
guidance issued by the Investment Industry Regulatory Organization of
Canada (IIROC), the Financial Industry Regulatory Authority (FINRA),
the Canadian Securities Administrators (CSA), the Government of Canada
and the U.S. National Institute of Standards and Technology (NIST).