The CEO of the Canadian Investment Regulatory Organization (CIRO) says the industry’s “data ecosystem,” including data retention, will undergo a review.

“We need to reimagine what the data ecosystem looks like,” said Andrew Kriegler on Monday during opening remarks at the annual conference of the Federation of Independent Dealers (FID) in Toronto. “There will be more that CIRO has to say about this in a more formal sense in the months to come.”

In January, CIRO said about 750,000 Canadian investors were affected by the regulator’s data breach, which was detected last Aug. 11 and resulted from a phishing attack. Last fall, CIRO had confirmed that registrants’ personal information was hacked. That information may have included registrants’ height, weight and eye colour, among other sensitive data.

Kriegler also made his remarks in the context of dealers’ potential to scale using AI, and the associated cybersecurity concerns.

Kriegler said that forms for certifications and licensing, or government programs, have historically asked for personal data such as eye colour, a practice from “the paper days” that continued into the digital age. Now, it is important to consider how the data ecosystem should evolve so that “the regulatory system, writ large, is able to get the information it needs to protect the public — but not more than that.”

He gave the example of a background check for a licensing application: does that check require the applicant’s personal details or simply a pass/fail result? “Depending on how you answer that question, the system will want or need to either access or retain vastly different amounts of information,” he said. “We have to ask ourselves those questions, as do you [dealers], for all of the information we collect from the people we deal with.”

In addition to the types of data that were stolen in the regulator’s breach, the regulator’s retention of data was called into question.

Data retention will be part of the review, Kriegler told the dealer audience. There are reasons to retain data for extended periods and reasons not to, he said.

“Where’s the social balance that has to be found between what is kept, what is not; what is collected and what is not,” he said. “Those are not easy conversations, and those are not easy decisions. But I think those are the decisions that we’re going to be thinking about with you over the months to come.”

The data ecosystem review is in the beginning stages and doesn’t yet have a timeline for rollout, Kriegler said.

He also said the review goes beyond CIRO and likely the provincial securities regulators. Further, “It extends into your [dealer] businesses and the relationships you have with your clients,” he said. “It also extends to the relationships you [dealers] have with service providers. And so, it’s a big conversation. But I think it’s a conversation we need to have.”

Following his public remarks, Kriegler told Investment Executive that investor advocates would “absolutely” be included in the data ecosystem review.