Canadian financial services firms and advisory businesses should establish plans to protect their operations from cyber security threats, according to Ian Russell, president and CEO of the Toronto-based Investment Industry Association of Canada.
"There is no way to make your company completely hack-proof, but you can establish systems in your organization to guard against most threats and, when one makes it through, you can deal with it quickly and efficiently before it does significant damage," Russell told the 2015 Distinguished Advisor Conference in Puerto Vallarta on Monday.
Firms need to be cyber resilient, he said, and that means they need a cyber security program. He highlighted a number of critical elements that ought to be in place in order to create an effective program. Among them:
> Governance and risk management
Governance is a commitment from the top of the firm — its CEO and board of directors — to the creation, implementation and maintenance of a cyber security program. "This is where the buck stops and starts," Russell said, noting that the program should be ordained from the top "and hardwired through the entire firm." The plan must encompass key business and operational areas of the company.
In terms of risk assessment, firms need to determine the assets that are vital to the company and that might be valuable to others. Once they have have identified these assets, they need to understand all the ways these assets are exposed and how potential wrongdoers can get at them. As part of this assessment, firms should undertake vendor due diligence — checking on those third parties that have direct or indirect access to the firms' systems to ensure that the third parties themselves have reasonable cyber security measures in place. "[Third parties] can be used as an entry point — or vector — into your system," he said.
> Establish technical controls
One effective tactic here is access control, which relates to who can get what information in an organization. It is critical that only those who truly need access to critical information are able to get it, Russell said. One measure to help ensure that the right people get the data they need is to require individuals to go through more than one layer of security to access specific information.
"It is also critical to test your system to find holes in your security efforts," he said. This should be done with internal and external experts, he said. "Often external people will find vulnerabilities that you thought you had covered off."
> Develop an incident response plan (IRP)
This can be put into action when a breech occurs and can help ensure that the problem is isolated and eradicated as soon as possible. The IRP outlines steps that must be taken when a hack is discovered — it assigns specific tasks to specific people and sets out the order in which these jobs are to be undertaken. "If you don't have plan, valuable time will be wasted trying to figure out who should be doing what," he said.
> Train staff
Sometimes disgruntled staff is behind security threats, but more often staff is unknowingly used as a means to gain access to a company's system — for example, an infected email that is opened by someone in the firm. "If staff does not knows what to look for, they can inadvertently file something into system that can sit there for months gathering data or waiting till the best time to attack the firm" he said. "Let staff know about the most current cyber threats out there so they will less likely to fall victim to them."
> Share information
One way to keep on top of cyber security threats is to share information by subscribing to an information sharing service. There are a variety of these services geared to specific industries.
> Investigate cyber insurance
Coverage is very specific to the firm's risk profile and what sort of events the firm wishes to have covered. "This is a new area of insurance," Russell said, "and it is worth comparing coverage and cost as [these] can vary widely among the providers."