The Investment Industry Regulatory Organization of Canada (IIROC) on Monday published two resources to help investment firms protect themselves and their clients against cyber threats and attacks.
The Cybersecurity Best Practices Guide sets out a risk-based framework of industry standards and practices that firms can follow to manage their cyber risks. The accompanying Cyber Incident Management Planning Guide aims to help firms prepare effective plans for responding to cyber attacks when they do happen.
“A sound governance framework with strong leadership is essential to effective enterprise-wide cybersecurity,” the best practices guide stresses.
A well-trained staff represents the first line of defense against cyber attacks, it adds, and may avoid frontline staff being exploited to facilitate an attack. In addition, firms must manage the risks posed by their use of third-party vendors for certain services, the best practices guide says.
The incident planning guide, which includes a set of voluntary cybersecurity strategies, guidelines and tools aimed at small and mid-sized dealers, aims to help dealers prepare internal cyber-incident response plans. “These can be used to help develop a cybersecurity incident response capability and to respond effectively to incidents,” the incident planning guide says.
“Any institution that has public facing (or Internet facing) operations should consider itself at risk of a cyber breach. It is therefore critical that all organizations – regardless of size – harden their cyber defences in proportion to the sensitivity of their information assets,” the incident planning guide says.
The new sets of guidance do not create any new legal or regulatory obligations, or alter firms’ existing obligations, the incident planning guide notes.
“Active management of cyber risk is critical to the stability of IIROC-regulated firms, the integrity of Canadian capital markets and the protection of investors,” says Andrew Kriegler, president and CEO of IIROC, in a statement. “That is why we consulted with the industry, engaged security experts and developed concrete resources to help firms better manage their cyber risks.”
IIROC developed the guides with the assistance of an outside consulting firm, Toronto-based Juno Risk Solutions Inc. The guides follow from previous work the self-regulatory organization (SRO) conducted, including a survey of its membership, a table-top exercise and input from industry representatives.
The SRO says that it is also developing a program to work with dealers to increase their cybersecurity preparedness.