Vancouver Sun

Watchdog tightens stance on cybersecurity offences

- BARBARA SHECTER

TORONTO The Canadian watchdog for investment dealers has toughened its stance on the reporting of cybersecurity breaches, and will now require mandatory reporting of such incidents within three days of being discovered.

The Investment Industry Regulatory Organization of Canada (IIROC), a self-regulatory organization for dealers, announced the new requirements around cybersecurity “incidents” on Thursday, a day after a senior executive of the Bank of Canada suggested new legislation or regulations might be required to ensure information is shared about cyber threats.

IIROC first proposed stricter requirements on the reporting of cyber events in 2018 that would allow the self-regulatory agency to share high-level details within the industry.

In response to some pushback during a subsequent comment period, the regulator says it “emphasized the impact and the growing threat that cybersecurity incidents may have on investors and capital markets and the appropriateness of IIROC collecting information about these incidents.”

Investment dealers were concerned about how IIROC would safeguard confidential information obtained through the reporting of cyber incidents. There was also concern IIROC’s requirements would overlap with obligations under privacy legislation and rules set by other regulators.

IIROC said it would ensure that any cybersecurity information shared with other dealers, intended to alert other firms to known threats and potential risks, would be done “on an anonymous and high level basis.”

Broadly speaking, a cybersecurity incident will include any act to gain unauthorized access to, disrupt, or misuse a dealer’s information system or any information stored on it. The regulator said it would create a “broad and flexible” definition of what constitutes a cybersecurity incident to accommodate a range of investment dealer business models and operations.

Within 30 days of the initial report, investment firms must follow up with a detailed investigation report outlining the causes and scope of the issue and steps being taken to mitigate the risk of harm to investors and to the firm.

IIROC had its own brush with data protection in 2013 when a staff member at the regulator lost a device containing personal information about more than 50,000 investment dealer clients. The device was password protected, but the data was not encrypted as required by the regulator’s own rules for the protection of sensitive data.

A survey conducted by IIROC about a year ago suggested Canadian investment firms have been stepping up their preparedness for a cyber attack. For example, 82 per cent of the firms conducted cybersecurity training at least once a year, up from 56 per cent in 2016. The vast majority, 94 per cent, said they were assessing third parties for cyber risks before entering into a contract, up from 70 per cent in 2016. In addition, more than half the firms had purchased a cyber insurance policy, up from 37 per cent in 2016.

GETTY IMAGES/ISTOCKPHOTO: Investment dealers are being required to report cybersecurity “incidents” within three days of discovering them.
