The investment industry and regulators agree about the need for robust cybersecurity, but a recent proposal from the Investment Industry Regulatory Organization of Canada (IIROC) for reporting cyberattacks is running into resistance.

IIROC sounded the alarm about the growing threat of cyberattacks in March. In particular, the self-regulatory organization (SRO) focused on so-called “ransomware” attacks that target the industry. At that time, IIROC asked industry firms to report cybersecurity incidents to the SRO’s compliance division voluntarily. This move was intended to allow IIROC to assist firms in responding to active cyberattacks while also enabling the SRO to warn the rest of the industry about emerging threats.

Soon thereafter, IIROC proposed rules to establish mandatory reporting of cyberattacks. That proposal faces opposition from some firms in the industry; their submissions regarding the proposed requirements argue that they will create additional compliance costs for firms without much of a payoff in enhanced security. Submissions from some in the industry also raise concerns about how the information reported to the SRO will be used.

According to the Investment Industry Association of Canada’s (IIAC) submission: “While we appreciate that it is important that IIROC understand the threats facing the industry, it is not clear that the additional reporting, as it is structured, will provide benefits that exceed the costs to the industry.”

Submissions from critics of the SRO’s proposals warn that the proposed reporting obligations will duplicate existing reporting requirements that fall under both federal privacy rules and requirements imposed by the Office of the Superintendent of Financial Institutions (OSFI), the financial services sector’s federal regulator.

In addition, IIROC’s proposals define “cybersecurity incidents” much more broadly than OSFI does, which could both prompt duplicative reporting and require firms to report many more insignificant events – thus consuming both industry and regulatory resources needlessly.

Given these concerns, the IIAC’s submission recommends that securities regulators harmonize their reporting requirements with the existing federal rules or simply defer to those rules. Doing so will avoid creating a situation in which firms have to assess whether various reporting standards imposed by different organizations are being triggered, which then will require firms to make multiple reports to various entities regarding the same event.

Moreover, the IIROC proposal will require industry firms to report on each incident twice: first, within three days of an incident being discovered and again in 30 days to provide greater detail about the cyberattack.

The IIAC’s submission states that the requirement for the followup report will add to the burden created by the proposed requirements.

The proposed obligation to provide a followup report also sparked concern from the Securities Industry and Financial Markets Association (SIFMA), a U.S. industry trade group, whose submission questions whether these reports will affect possible litigation stemming from a cyberbreach and how the proposed reporting requirements might conflict with law enforcement.

SIFMA’s submission to IIROC’s proposal points out that dealers may have only limited information about a cyberattack at the 30-day mark, particularly if there’s a criminal investigation underway at the same time. Furthermore, SIFMA’s submission states, the U.S. trade group is “very concerned about the inevitable prejudice to the [dealer] that a premature analysis and assessment could yield by inviting unfair characterizations in later potential litigations.”

In addition, SIFMA’s submission suggests that IIROC must define more specifically the types of incidents it anticipates will trigger reporting requirements. SIFMA’s submission recommends that IIROC’s rules provide an exception from the requirements in cases in which regulatory reporting might hamper an ongoing criminal investigation. As well, imposing mandatory reporting obligations could divert a firm’s resources when it’s in the midst of combating a cyberattack.

Investment dealers’ submissions also question how the regulators will share the information that they collect from these reports with other authorities and the rest of the investment industry.

For example, Ottawa-based MD Management Ltd.’s submission states that the firm supports IIROC’s overall mission to collect information on cybersecurity incidents and to warn the industry about emerging new threats. However, the firm’s submission also points out the proposed rules don’t provide enough detail about just how the information received through these reports could be used.

Although MD Management’s submission states that the firm anticipates “great value in being a recipient of cyberthreat intelligence information” to help a firm assess the adequacy of its cyberdefences, MD Management is concerned about “the lack of clarity surrounding how the information reported to IIROC regarding a cybersecurity incident … would be shared with other parties, including other [dealers].”

There also is widespread concern that hackers and cybercriminals could exploit the information contained in these reports to adjust their tactics and improve their attacks. For example, MD Management’s submission states that the firm is worried “inappropriate disclosure of information regarding cybersecurity incidents could result in adversaries gaining knowledge of attacks that have been detected and the countermeasures that have been instituted.”

The IIAC shares these concerns: its submission warns that reckless sharing of information may alert cybercriminals to vulnerabilities in the Canadian financial services system, expose firms to legal liability or alarm clients needlessly, the last of whom may be concerned about their personal data being compromised.

To that end, several submissions from industry members call on IIROC to provide more clarity about just how the information collected in the proposed mandatory reports will be protected, how the information will be shared and with whom.