
A cybersecurity breach uncovered by the Canadian Investment Regulatory Organization (CIRO) last month potentially exposed extensive personal information about financial advisors and other industry personnel. The incident is sparking concern among affected advisors, and raises questions about the security of the industry’s sensitive data.

Advisors who were warned that their information was compromised in the breach, which the self-regulatory organization discovered on Aug. 11, are reporting that their data is turning up on the dark web.

For instance, one advisor reports that after signing up to the risk mitigation services offered by CIRO in response to the breach, he immediately received an alert from Equifax reporting that his work email address was being used on a “fraudulent” online trading site.

The SRO is providing two years of risk mitigation services (identity theft protection and credit bureau monitoring) with both TransUnion and Equifax.

Indications that the misappropriated data may already be circulating highlight the urgency for those affected by the breach to sign up for the risk mitigation services offered by the SRO. The scale and scope of the breach, which not only affected every firm (past and current) that belongs to CIRO but also includes data that goes far beyond the sort of information typically involved in data breaches, underscore the need for reps to protect themselves.

The detailed registration data that may be impacted by the breach includes rep names, addresses, email addresses, birthdates and even physical attributes, including hair and eye colour, height and weight. It may also extend to other sensitive information, such as passport numbers and financial information that’s required by the registration process (securities and derivatives disclosure, financial solvency disclosure and outside business activity). Notes from regulatory investigations, and civil and criminal disclosures may also be in the mix.

Given that some of the information exposed goes beyond the kind of data that’s typically involved in a cyberattack, some reps have expressed concerns about the adequacy of the SRO’s response to the breach.

CIRO has defended its risk mitigation offerings. In an online FAQ document on the incident, it says, “What we’re offering in terms of risk mitigation is considered best practice.”

It advises that reps whose passport numbers may be included in the breach don’t have to replace their travel documents, but says, “if you become aware that your passport number is being misused, you should report it to the government immediately.”

It’s not clear how a rep would know whether their passport number was being misused, or if the notes compiled in an investigation are being exploited. Neither is likely to show up on a credit report. It remains to be seen if there will be more fallout from the incident.

IIROC’s 2013 breach

When CIRO predecessor, the Investment Industry Regulatory Organization of Canada (IIROC), suffered a security breach in 2013 — after an employee lost a laptop containing the personal information of investors — a class action suit over that incident was ultimately unsuccessful.

In 2021, the Quebec Superior Court dismissed a proposed class action on behalf of affected investors, which sought damages for the harm (stress, worry, inconvenience, etc.) that clients suffered due to the loss of personal information, damages for potential identity theft and punitive damages against IIROC, alleging that it was negligent in its handling of the incident.

The court ruled that the harm inflicted on investors didn’t justify compensation, and that it represented normal inconveniences “that any person living in society encounters and should be required to accept.”

It also found that there was no evidence that the compromised information was misused, that the regulator “reacted diligently” and shouldn’t face punitive damages.

That said, the CIRO breach is fundamentally different. An incident that involves an employee losing a device containing sensitive information is not the same as an external cyberattack.

Nevertheless, the episode raises questions about regulator cybersecurity. Indeed, this exposure of sensitive personal information comes just months after the provincial regulators delegated broader authority for registration to CIRO — dramatically expanding the SRO’s responsibility for registration.

As part of the move to delegate more of the registration function to the industry SRO, provincial regulators promised enhanced oversight of the agency. Under the terms of CIRO’s recognition order, the SRO was already required to ensure the security and integrity of the information and data contained in its systems. It was also obliged to report any material security breach to the provincial regulators.

A clean bill of health

The provincial regulators’ most recent oversight review largely gave CIRO’s IT systems a clean bill of health. That review had singled out the SRO’s IT systems as one area to be examined, citing the elevated risk posed by these kinds of systems.

Yet, the Canadian Securities Administrators’ (CSA) report on its review, which was published in July, found CIRO was in compliance with the terms of its recognition orders when it came to its critical technology systems, and its arrangements with outside service providers.

While that review did flag a concern with certain data passing through servers based in the U.S., the review said the data didn’t include any personal information, and was non-confidential “performance-indicator related data.” It also noted the practice of allowing data to move through U.S.-based servers was slated to end in July.

As for the recent data breach, the CSA has been responding to the incident too.

“While CIRO is leading the response to the cyber incident, the CSA continues to oversee CIRO’s efforts as part of our oversight role. CIRO is keeping the CSA informed of the actions it is taking, and the progress of its investigation,” reported Ilana Kelemen, senior strategic advisor, communications and stakeholder relations at the CSA.

Additionally, she noted that the CSA “took additional precautionary steps to keep its national systems protected” once the breach was discovered — undertaking a security review to detect any suspicious activity on its own systems. Nothing was found, it said.

While much of the registration information held by CIRO was potentially compromised, the National Registration Database wasn’t impacted, it found.

Finally, the Office of the Information and Privacy Commissioner of Ontario (IPC) said that while the CIRO breach was not reported to its office, it has contacted the Ontario Securities Commission (OSC) for more information on the incident.

SROs aren’t required to report data breaches to the IPC, but provincial institutions, including Crown agencies such as the OSC, are required to report breaches that pose a risk of “significant harm.” In this case, the compromised data was collected under powers delegated to the SRO by the OSC.