Amid the fallout of losing 52,000 client records, the Investment Industry Regulatory Organization of Canada (IIROC) is conducting a review of its security policy that will also dig deeper into the regulator’s overall information-management structure, said Susan Wolburgh Jenah, IIROC’s president and CEO, in an exclusive interview with Investment Executive.

“From the time the incident happened we began to look at our own internal process and to identify any areas where we believe we can improve,” said Wolburgh Jenah. “From the perspective of policies, protocols, information management at the business level, how we receive information from the firms we regulate, how we store it, as well as how we dispose of information, we are looking at the whole mix of information technology (IT), but we are also looking at information management, which is a much broader topic.”

On April 11, IIROC reported it had lost a mobile device containing client information from 32 investment-dealer firms. Under IIROC’s security regime, all mobile devices used by IIROC staff are supposed to be password-protected and encrypted. However, the information on the lost device — reported by industry sources to be a laptop — had not been encrypted, contrary to IIROC’s internal security policy.

The ripple effect of IIROC’s data loss

Following the incident, IIROC hired a third-party expert to help conduct an internal review. The expert is currently working alongside IIROC’s senior executives, including Wolburgh Jenah, to compare the self-regulatory organization’s (SRO) current practices against industry-wide best practices. The review covers various areas of IT, security mandates and information management, and its findings will be measured against International Organization for Standardization (ISO) standards, said Wolburgh Jenah.

IIROC, which handles all security measures through its IT department, reported in April that adding remote data-destruction capability to its existing security regime was a top priority. However, IIROC is still pilot-testing the technology that would provide this capability, so it has yet to be deployed. The SRO also reported it is still considering outsourcing devices and/or implementing integrated biometrics as part of its review.

“We are very anxious to get through this as soon as possible because we want to make sure that we — to the extent that there are things that we could be doing differently — are doing them. And we [want to] do them quickly,” added Wolburgh Jenah.

Expanding the security review to several areas within the organization is a typical practice and can take a few weeks to several months to conduct, said Larry Keating, president and CEO of No Panic Computing, a firm that specializes in data protection.

“The time it takes to undertake a policy change or security review varies significantly and depends on the nature of the security policy, size of organization and complexity of its computing environment,” added Keating.

In the meantime, Wolburgh Jenah has met with member firms across the country to respond to questions and concerns about the incident and to discuss the policies that will potentially be put in place.

“At the end of the day, people are human and people make mistakes,” she said. “So, I’m not going to sit here and guarantee that something couldn’t happen again. What we have to do is ensure that we have standards in place that meet best practices and that we are doing everything we can to train people and make them aware of the need for them to be a partner in safeguarding information and assets that come into our possession.”