Regulators are guiding investment firms with sound principles, but putting them in place is a challenge

By Danny Bradbury | Mid-November 2016

Canadian investment firms are under pressure to bolster their cybersecurity in the face of mounting risks. But these firms face significant challenges as they prepare themselves to protect their clients' information from data thieves.

A survey of 1,015 U.S. financial advisors jointly commissioned by Omaha, Neb.-based TD Ameritrade Corp. and the Denver-based Financial Planning Association (FPA) in September found that many advisors are behind the curve in their cybersecurity preparedness.

Specifically, four in five survey participants view cybersecurity as a critical issue, but fewer than one in three felt fully prepared to manage and mitigate their cybersecurity risk. Similar results would apply to Canadian advisors, according to representatives of TD Ameritrade and Absolute Engagement, the latter of which conducted the survey.

Yet, as cyberattacks become an increasingly visible danger to financial services companies, regulators are focusing their lens on the issue, issuing guidelines to help advisors and firms prepare themselves for an increasingly threatening digital environment.

Laura Payne, information security advisor, information security services, at Toronto-based Bank of Montreal (BMO), says the bank is seeing increased focus on cybersecurity protection by various regulatory bodies. "We are seeing more frameworks being leveraged across multiple bodies," she says, "and increased collaboration."

A sea of guidelines

Many regulators seek to guide members, but one of the most comprehensive national cybersecurity guidelines for the Canadian investment industry has come from the Investment Industry Regulatory Organization of Canada (IIROC).

IIROC published two papers in December 2015: a best practices guide for cybersecurity and an incident planning guide to help companies prepare for data breaches. Last month, IIROC sent out self-assessment surveys to member firms on which they graded their cybersecurity preparedness.

IIROC's cybersecurity guide draws on a variety of cybersecurity frameworks, including one from the U.S. National Institute for Science and Technology, and provides detailed information on key security principles, including preventing insider threats, and conducting cybersecurity awareness training and threat assessment.

At the international level, the Committee on Payments and Market Infrastructures and the board of the International Organization of Securities Commissions released their Guidance on cyber resilience for financial market infrastructures in June.

This document, designed to create an international standard that can be adopted on a country basis, focuses on principles such as sound governance, including attention to cybersecurity risk.

Awareness of the risks is something that Toronto-based mutual fund giant CI Investments Inc. takes seriously, says Raj Sivarajah, the firm's vice president of information technology (IT) risk.

"Everyone gets information through the media in general, and recent attacks do raise awareness," Sivarajah says. "But education plays a tremendous [role] in understanding the risks out there."

CI's IT risk team educates senior managers regarding the types of cyberattacks that exist and their potential impact on the organization. In 2015, the firm published several cybersecurity training videos for all levels of staff.

The company follows up its formal training initiatives with mock attacks to test staff preparedness. Every quarter, the IT risk team sends out simulated phishing emails - messages of the kind attackers use to steal employee passwords - to see which employees open them. "We have seen the trend improve over time," Sivarajah says.

The cybersecurity rules in some other financial services businesses are far more detailed and prescriptive than those from investment industry regulators.

The Payment Card Industry Security Standards Council's Data Security Standard, which applies to any company processing credit card information, dictates many specific requirements for retail IT infrastructure, for example, and non-compliance can result in fines.

Compared with that regime, the cybersecurity guidelines issued by investment industry regulators seem relatively high-level.

However, high-level guidelines are not a bad thing, argues Payne: "We do see a lot of principles-based regulation, which is the right approach. Trying to create regulations that have longevity in a field changing as quickly as cybersecurity is an enormous task."

The other notable characteristic of regulator guidelines is that none of them are mandatory. (IIROC and the Mutual Fund Dealers Association of Canada [MFDA] are self-regulating.)

The Canadian Securities Administrators (CSA) reported in its September 2016 Staff Notice 11-322 on cybersecurity that the issue is a priority in the CSA's 2016-19 business plan. CSA members will be re-examining the cybersecurity assessments and disclosures made by some larger securities issuers and publishing the results.

More broadly, however, the CSA points to IIROC's guidelines and suggests that regulated entities adopt an appropriate cybersecurity-related framework.

The reputational and operational damage from a data breach, along with the financial impact, should be enough to encourage adoption of those guidelines, says Wendy Rudd, IIROC's senior vice president for member regulation and strategic initiatives.

"We expect firms to adopt current guidance voluntarily and maintain adequate cybersecurity frameworks in place - founded on governance, preventative controls, detection controls and business continuity plans - that are tailored to the specific business model of their firm," she adds.

Difficult challenges

Advisors face several difficult challenges as they attempt to follow guidelines from investment industry regulators.

"We believe the proliferation of [Internet-accessible] devices and their increased use by firms and their clients is one of the biggest challenges facing firms," Rudd says.

The TD Ameritrade/FPA survey found that only 50% of companies had policies governing the use of devices such as laptops, tablets and smartphones.

Another challenge is lack of in-house expertise, says Susan Copland, managing director with the Investment Industry Association of Canada (IIAC) in Vancouver: "Not all members have in-house expertise to deal with this. [The challenge is in] finding outsourced resources to help them comply, because [cybersecurity] can get technically complex."

Sharing information can help here, she adds. Sharing experiences of security incidents and best practices can help investment firms learn from others in their community.

Information-sharing efforts haven't gained the traction they need among Canada's investment firms, adds Copland, who points to the Financial Services Information Sharing and Analysis Center, a U.S.-based information-sharing group for the financial services sector that numbers Canada-based companies among its members, as a popular resource for Canadian investment companies.

Smaller firms

Regarding IIROC members' self-assessments, Copland says, there is room for improvement, especially among smaller firms. Ensuring the security of third-party service vendors can be difficult, especially when those vendors are connected to an investment firm's systems, she says. The IIAC and IIROC are creating a working group to address that issue, she adds.

Larger companies have more resources to prepare for threats in cyberspace. For example, BMO, an organization with many operations other than investment services, can draw on a larger body of cybersecurity policy and practice when protecting clients, Payne says: "The work we do in one space can be leveraged across multiple spaces."

Cybersecurity is an incremental process, in which mature IT security teams constantly refine and enhance their processes, she adds. Indeed, in a category as fast-moving as cybersecurity, constant re-evaluation is crucial.

"The strategies keep getting broader and deeper, and the reason is that the threat is getting more widespread," Payne says.

All companies, whether large or small, have one thing in common: a finite budget for cybersecurity, and in many cases it isn't that large. In fact, the TD Ameritrade/FPA survey found that one in five firms hadn't invested anything in cybersecurity internally and that another 44% had spent less than $5,000. The figures were similar for investments in external cybersecurity services.

Clearly, understanding where to invest scarce funds for maximum protection is important, says Payne: "You have to understand the threats so that you can invest your dollars where they make sense."

Consequently, any financial services firm grappling with cybersecurity regulations should begin with a comprehensive risk analysis, she adds: "Part of the equation is that there's a shortage of security talent in this industry, so you need to put your best people on solving the most important problems."

Where are those risks coming from? An MFDA bulletin released this year points to three main risks, citing surveys by the Financial Industry Regulatory Authority Inc. in the U.S. in 2011 and 2014: hackers penetrating company systems; insiders compromising firm or client data; and operational risks.

Payne refines the first risk, suggesting "without a doubt" that the top threat to financial services firms is organized crime.

Attackers are becoming more sophisticated. Thus, the onus is on investment industry firms to step up and protect themselves. Regulators have provided a wealth of information; now, it's up to companies and other regulated entities to do their part.

© 2016 Investment Executive. All rights reserved.