Debating regulators’ role in cybersecurity

Yet, no one is sanguine about cybersecurity. In fact, many survey participants who said that regulators’ efforts are adequate don’t expect regulators to ensure firms in the industry have strong security; ultimately, they believe, that responsibility lies with the industry itself. Indeed, several COs and company executives said that cybersecurity now is the issue that’s most likely to keep them up at night.

“Cybersecurity is the thing I’m worried about most as a chief compliance officer [CCO],” says a CCO at a large, full-service dealer in Ontario. “That’s at the top of the agenda because a serious data breach or cybersecurity issue can be catastrophic and all-consuming when it happens.”

A CO at an exempt-market dealer in Alberta warned that the issue is particularly critical for the industry’s smaller firms, which may not have the resources to guard against the threat: “I believe that cybersecurity in small and medium firms is probably one of the biggest weaknesses out there. And the problem is that from a cost perspective, the only option for [those firms] is to try to plug holes.”

Given the magnitude of the concern, several survey participants want more from regulators. Notably, they complained that the authorities’ efforts to date have been too vague and at too high a level. Instead, firms’ COs and company executives want specific feedback from regulators about just what companies should be doing to ensure their cybersecurity.

According to a company executive at an investment dealer in Ontario, the Investment Industry Regulatory Organization of Canada’s (IIROC) survey on industry preparedness last year wasn’t useful: “[IIROC] came back with findings that were entirely generic. By the time the results came out, the questions were answered.”

“[The Ontario Securities Commission (OSC) is] just way behind,” says a CO at a portfolio-management firm in Ontario. “Any staff notices addressing cybersecurity give no answers or guidance; they just kind of tell us to have cybersecurity policies in effect.”

A CO at an investment-management firm in Ontario added that the OSC has provided the industry with “Cybersecurity 101, but no actionable items.”

That’s not enough for those who said they need concrete direction from the regulators about what companies should be doing to shore up their cyberdefences.

“[The Mutual Fund Dealers Association of Canada’s (MFDA)] focus really is just asking you what you’re doing, as opposed to setting acceptable standards. [Staff at the MFDA] aren’t providing any guidance; they’re merely telling you that you better have something in place. So, [cybersecurity] is potentially an issue,” says a CCO at a large mutual fund dealer in Ontario. “[The MFDA] is just setting you up to point the finger back at you when something does go south. [The regulator] is insulating itself, but not aiding in any way to provide protection.”

Indeed, cybersecurity appears to be one area in which some in the industry would welcome new rules. A CO at an investment-management firm in Ontario pointed out that several U.S. states have introduced laws that set minimum cybersecurity standards and “we need that here.”

According to the CCO at a portfolio-management firm in Ontario, regulators should be providing the industry with concrete requirements in this area: “What are we looking for? What should we be doing to protect ourselves? I don’t think [regulators’ guidance] is prescriptive enough.”

However, there are signs that regulators are stepping up their efforts. In particular, some survey participants said that IIROC is doing better than other Canadian regulators regarding cybersecurity.

“IIROC has released some good guidance on this. And a lot of Canadians, especially compliance officers who don’t even work under IIROC [such as myself], have been following its guidance to develop [cybersecurity] policies,” says a CO at a portfolio-management firm in Ontario.

Yet, several survey participants questioned whether cybersecurity is something that regulators can be expected to do much about. These COs and company executives view cybersecurity as a critical problem that nevertheless should be left primarily to the industry’s firms to address.

“I don’t know if [regulators] have the means and the tools to provide that type of security,” says a CO with a full-service dealer in British Columbia. “I don’t know if that’s within [the regulators’] mandate. I don’t know how they could even do that.”

To some survey participants, the best that can be expected of the regulators is that they raise awareness within the investment industry about the importance of guarding against cyberthreats and provide oversight of critical market infrastructure – such as exchanges and clearing and settlement systems – to ensure they’re taking proper precautions.

“The primary responsibility lies with the participants in the investment industry,” says a CCO with a large, full-service dealer in Ontario. “A regulator can check [on firms’ efforts], but market participants [must] ensure they’re taking the steps to protect investors and their data.”