From the Regulators

A recent survey of 649 registered firms found that more than half experienced a cybersecurity incident in 2016

By James Langton |

 

More than half of registered firms have faced some sort of cyber incident in the past year, according to a survey conducted by the Canadian Securities Administrators (CSA).

The results of the survey of cybersecurity and social media practices of 649 registered firms — including fund managers, portfolio managers, and exempt market dealers — are summarized in a CSA staff notice published on Thursday.

The survey, which was conducted in Fall 2016, found that 51% of firms experienced a "cybersecurity incident" during the year. The most common sort of incident was phishing (43%), followed by malware attacks (18%), and fraudulent attempts to transfer funds or securities via email (15%).

The survey also found wide variation among firms in the scale and scope of their preparations to deal with cybersecurity issues. For example, although most firms have policies and procedures to address cybersecurity, only 57% have specific plans to ensure that they can continue to operate during a cybersecurity incident, and only 56% have policies for training employees about cybersecurity.

Additionally, while most firms perform risk assessments to identify cyberthreats, 14% of firms said that they do not. The survey found that 66% of firms have an incident response plan that is tested at least annually, but the frequency of testing varies widely, and many firms haven't done any testing, the CSA notes. Regulators also report that most firms (59%) do not have specific cybersecurity insurance.

Some smaller, or new, firms believe their cybersecurity risk is low, and so they have done little to develop policies or provide training to employees in this area, according to the survey. Other firms rely heavily on service providers to ensure security, the survey found.

"However, the financial industry is a known target of cyber criminals," the CSA warns in the staff notice. "Regardless of its size or functions outsourced, a firm should have cybersecurity policies and procedures, and in particular, a cybersecurity incident response plan that is tested on a regular basis."

In addition to assessing industry practices, the staff notice sets out guidance for the industry in various areas, including the sorts of internal policies and controls that firms should have to deal with these kinds of risks.

It also highlights the compliance and supervisory challenges for firms that use social media to communicate with clients and the public.

"Firms should consider cybersecurity risks associated with social media use," the staff notice says. "For example, information posted on social media sites, for business or personal purposes, may be used by attackers to gain entry into a firm's systems and obtain confidential information."

"Preparation is key to mitigating cybersecurity threats," said Louis Morisset, chairman of the CSA and president and CEO of the Autorité des marchés financiers, in a statement. "We encourage all firms to perform comprehensive risk assessments, and evaluate the strength of existing policies, employee training programs and response plans as they relate to vulnerabilities in these areas."

Photo copyright: maxkabokov/123RF