The Investment Industry Regulatory Organization of Canada (“IIROC”), the national self-regulatory organization that oversees investment dealers and their trading activity in Canada’s debt and equity markets, published in January 2018 its Compliance Priorities Report for 2017/2018. The Report identifies current issues and challenges that investment dealers should address to improve investor protection and foster market integrity.
The Report states that investment dealers’ cybersecurity preparedness continues to be a high priority for IIROC. The Report explains that in 2017 IIROC’s most common recommendations to investment dealers to improve their cybersecurity preparedness were as follows:
- Maintain adequate policies and procedures to safeguard the confidentiality, integrity and availability of the dealer’s data (including clients’ personal information).
- Conduct regular due diligence of the dealer’s information technology vendors and service providers to evaluate the adequacy of safeguards against cybersecurity incidents.
- Use encryption and strong passwords to protect data and sensitive information stored on all computers, storage servers, web server portals and mobile electronic devices.
- Maintain software patch management systems to fix identified security vulnerabilities on a timely basis.
- Develop a cybersecurity incident response plan that includes: a description of the different types of possible incidents; procedures to stop an incident and eliminate the threat; procedures for recovery of data; investigation of an incident; and incident notification and reporting obligations.
The Report emphasizes the importance of proactive management of cyber risks, and explains that IIROC’s cybersecurity initiatives for the current year include table-top simulations of cyber incident scenarios to help investment dealers develop and improve their own cyber incident response plans.
The Report confirms IIROC’s commitment to continue to work with the Investment Industry Association of Canada to provide best practice guidance to investment dealers to improve their cybersecurity preparedness.
IIROC published in 2015 a Cybersecurity Best Practices Guide and a Cyber Incident Management Planning Guide to help investment dealers manage cybersecurity risks and respond to cyber incidents. For more information, see BLG bulletin Cybersecurity Guidance from Investment Industry Organization.