IIROC aiming to beef up cybersecurity

On April 11, IIROC reported it had lost a mobile device containing client information from 32 investment-dealer firms. IIROC has refused to name the firms or clients involved. However, spokespeople for several of these firms, including Montreal-based National Bank Financial Ltd. (NBF) and the online brokerage arm of Toronto-based Bank of Nova Scotia, have indicated that some of their clients are among those affected.

“We have strict policies in place that require all information we collect to be protected, which should have prevented this unfortunate incident,” says Becker in an email response to Investment Executive. “IIROC immediately launched a comprehensive review to strengthen IIROC policies and internal controls relating to our IT security environment, as well as the practices relating to the collection, sharing and safeguarding of confidential information.”

As part of IIROC’s security regime, there is password protection and encryption on all the mobile devices used by IIROC staff. However, the information that was on the lost mobile device – reported by industry sources to be a laptop – was not encrypted as per IIROC’s internal security policy.

“This was an isolated incident,” Becker says. “This device was password-protected but, contrary to our security policy, was not encrypted.”

But passwords and data encryption are only part of the security measures that financial services organizations should be looking at, says Larry Keating, president and CEO of No Panic Computing, a Markham, Ont.-based firm that specializes in data protection.

“The financial services industry is a huge target for cybercriminals,” Keating says, “because of the type of information that is obtained – especially health-care information that is found on insurance applications. Just having a protected password is no longer enough; you also need to be monitoring those devices 24/7 to ensure those passwords remain protected.”

In addition to strong data encryption, Keating also suggests any organization that handles personal client information should install remote data destruction (now a priority for IIROC) and incorporate remote monitoring of mobile devices (which would detect a security breach instantly) and integrated biometrics (e.g., fingerprint scans).

IIROC says that it is not moving toward installing biometrics, as the technology is not commonly used.

Remote data destruction will enable IIROC to locate a device once it is lost or stolen, as well as shut it down remotely, says Keating: “[The stolen device then] will be a useless device.”

IIROC says there has been no indication of third parties attempting to access the information to date. But, Keating says, that doesn’t necessarily mean the regulator is off the hook; organized criminal groups can sit on information for years.

Although IIROC has not confirmed what data were on the portable device, NBF was told the data were client names and client account numbers.

In Ontario, the Office of the Ontario Privacy Commissioner (OPC) has set a high standard for organizations to follow regarding “strong encryption.” And, Keating says, while the standards originally were developed for the health-care system, many organizations have been motivated to increase their security standards.

The standard has eight criteria, including having strong passwords, biometric fingerprint readers and USB fobs for mobile devices such as laptops.

Currently, IIROC’s encryption system follows all eight criteria; however, the lost device did not. Still, IIROC does not fall under the OPC’s jurisdiction or that of the Office of the Privacy Commissioner of Canada.

© 2013 Investment Executive. All rights reserved.