IIROC Compliance Priorities for 2019 – Cybersecurity

The Investment Industry Regulatory Organization of Canada (“IIROC”), the national self-regulatory organization that oversees investment dealers and their trading activity in Canada’s debt and equity markets, published in January 2019 its Compliance Priorities Report for 2018/2019. The Report identifies current issues and challenges that investment dealers should address to improve investor protection and foster market integrity.

The Report states that IIROC’s continuing compliance priorities include helping investment dealers with their cybersecurity preparedness. The Report explains that cybersecurity is a business risk for all investment dealers regardless of size and complexity, and each dealer must have appropriate controls in place to safeguard customer information under its custody and control.

The Report summarizes the following lessons learned from IIROC’s 2018 tabletop exercises for small and mid-sized dealers:

  • Corporate governance is the cornerstone for developing and maintaining a suitable and sufficient cybersecurity program.

  • An effective incident response plan must be detailed and specific, and identify and define each team member’s role and responsibilities.

  • Employee training and awareness are low-cost, high-impact ways to mitigate the risk of insider threats.

  • Cyber insurance is a cost-effective way for small and mid-sized dealers to mitigate and transfer a portion of their cybersecurity risk.

  • Other notable best practices include routine network penetration testing, external third-party review and risk assessments, and third-party vendor diligence.

  • Important technical controls include data loss prevention technologies, multi-factor authentication, access permissions, suspicious email blocking and data encryption.

Cybersecurity was one of IIROC’s compliance priorities in 2018. See IIROC Compliance Priorities for 2018 – Cybersecurity.

In 2015, IIROC published a Cybersecurity Best Practices Guide and a Cyber Incident Management Planning Guide to help investment dealers manage cybersecurity risks and respond to cyber incidents. For more information, see BLG bulletin Cybersecurity Guidance from Investment Industry Organization.

In April 2018, IIROC published a notice of proposed amendments to IIROC rules to require IIROC dealer members to report cybersecurity incidents. For more information, see BLG bulletin Canadian Investment Industry Regulator Proposes Mandatory Cybersecurity Incident Reporting.

Frequently Asked Questions – PIPEDA’s Security Breach Obligations

Canadian Financial Institution Regulator Issues Advisory on Technology and Cybersecurity Incident Reporting