IIROC is providing all dealer member firms it regulates (Firms) with a confidential cybersecurity "report card" that includes:
- an individual assessment of the Firm's cybersecurity preparedness program;
- a comparison of the Firm's cybersecurity practices against the industry and other Firms of similar size and business model; and
- a list of cybersecurity areas to which the Firm should be giving priority attention.
The report cards were generated based on the results of an
extensive assessment survey that Firms completed in June 2016. The
survey responses were benchmarked against a National Institute of
Standards and Technology cybersecurity framework that considers
governance, threat prevention, threat detection and threat response
and recovery criteria.
IIROC is also using the June survey results to assess the
adequacy of each Firm's cybersecurity policies and procedures.
Firms that are assessed as lagging their peers may face further
Cybersecurity is a key regulatory priority for IIROC and
All registered securities firms can expect continued and
heightened scrutiny of their cybersecurity policies and procedures.
As we discussed in our earlier blogs (IIROC 2016 Compliance Priorities and CSA Sets Out Priorities for 2016-2019), cybersecurity preparedness is a key regulatory priority for IIROC and the Canadian Securities Administrators (CSA).
Recently, the CSA issued CSA Staff Notice 11-332 – Cyber Security, which further highlights the importance of cybersecurity and communicates expectations that the CSA has of market participants in this area, including the following:
Registered securities firms are expected to:
- remain vigilant in developing, implementing and updating their approach to cybersecurity; and
- review and follow regulatory guidance (e.g. IIROC and MFDA guidance).
Regulated entities (e.g. marketplaces, clearing agencies, information processors) are expected to:
- examine and review compliance with ongoing requirements outlined in securities legislation, terms and conditions of recognition, registration or exemption orders;
- have internal controls over their systems and report security breaches; and
- adopt a cybersecurity framework provided by a regulatory authority or standard-setting body that is appropriate to their size and scale.
Public companies who have determined that cybersecurity is a material risk are expected to:
- provide detailed and entity-specific cyber risk disclosure;
- address in any cyber-attack how materiality of an attack would be assessed, including the attack's impact on the company's operations and reputation, its customers, employees and
- whether and what, as well as when and how, to disclose a cyber-attack.
In previous guidance (CSA Staff Notice 11-326 – Cyber Security), the CSA also indicated that it expects registrants to implement strong and tailored cybersecurity measures in accordance with prudent business practice and to improve information security, including by:
- conducting third party testing and
- regularly reviewing and updating
- following industry guidelines and
Improving your firm's cybersecurity regulatory
Enhanced data protection measures and a robust breach response
protocol are key to discharging a registrant's regulatory
compliance obligations, but can also be a potential competitive
advantage that differentiates market-leading firms from the
All securities firms, and especially Firms that received a
lagging IIROC "report card", should carefully review
their cybersecurity policies and procedures. For more information
on how our cross-functional securities regulatory and cyber law
expertise may assist in this regard, please contact a member of our
Securities Regulation & Investment Products Group. For
additional insights on CSA Staff Notice 11-332, please see our
post on the CyberLex blog.