Cybersecurity Guidance from Investment Industry Regulatory Organization of Canada

On December 21, 2015, the Investment Industry Regulatory Organization of Canada (IIROC) published detailed guidance to help investment dealer firms manage cybersecurity risks and respond to cybersecurity incidents.

IIROC’s Cybersecurity Best Practices Guide sets out a voluntary, risk-based cybersecurity framework for managing cyber risks. The Guide emphasizes that cybersecurity is a multi-faceted challenge that requires an enterprise-wide, interdisciplinary approach to implement a comprehensive strategy to avoid, mitigate, accept or transfer cyber risks.

IIROC’s Cyber Incident Management Planning Guide explains the five phases of cybersecurity incident management: plan and prepare; detect and report; assess and decide; respond; and post-incident activity. The Guide includes recommendations for implementing a cybersecurity incident response plan, and includes a simple, ten-step guide for how an organization should respond to a cybersecurity incident when the organization is not prepared.

IIROC’s cyber risk management guidance is described as “voluntary” and “not intended to create new legal or regulatory obligations”. Nevertheless, guidance issued by IIROC and other financial industry organizations and regulators will likely be considered by courts and regulators when determining the reasonable standard of care required of an investment dealer firm that is the victim of a cybersecurity incident.
