Canada’s investment industry self-regulator takes aim at cybersecurity incidents
IIROC is set to publish consultation on requirements for mandatory reporting of certain cybersecurity incidents.
The Investment Industry Regulatory Organization of Canada (IIROC), the national self-regulatory organization that oversees all investment dealers and trading activity on debt and equity marketplaces in Canada, is concerned about the growing number of cyber attacks and is considering new requirements for its members in response to this trend.
The organization has announced that, in order to further strengthen and support Dealers in the management of cyber risks, IIROC will soon be publishing for comment proposed amendments to its Dealer Member Rules, requiring mandatory reporting of certain cybersecurity incidents. The body notes that cyber attacks have been increasing in number and sophistication. In particular, there is a general increase in ransomware attacks, likely due to the ‘commoditization’ of tools making it easier for less sophisticated attackers to use them. The active management of cyber risk is critical to the stability of IIROC Dealer Members (Dealers), the integrity of capital markets and the protection of investors.
While the consultation is in the works, IIROC asks all Dealers to promptly report to the organization the occurrence of any cybersecurity incident.
For the time being, IIROC members follow the Cybersecurity Best Practices Guide. The document, however, sets forth merely a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help IIROC Dealer Members manage cybersecurity risks. The voluntary guidance offers Dealer Members the ability to customize and quantify adjustments to their cybersecurity programs using cost-effective security controls and risk management techniques. For smaller Dealer Members, this can help in understanding how to provide basic security for computer systems and networks. For larger Dealer Members, it provides a cost-effective approach to securing computer systems based on business needs, without placing additional regulatory requirements on the business.
Cybersecurity concerns are key for the Bank of Canada too. In a speech delivered on Thursday, March 22, 2018, Carolyn A. Wilkins, Senior Deputy Governor of the Bank of Canada, emphasized the existing cyber risks. She noted that cyber risk is heightened because of an increasing number of points of access to core parts of the financial system and the growing sophistication of those launching cyber attacks.
The Bank of Canada is responsible for oversight of critical financial market infrastructures (FMIs). The regulator already imposes strict requirements to support the stability of these infrastructures, such as payment systems and central counterparties (CCPs), and it is working to further contain and respond to cyber risks. The systems that underpin all financial transactions in Canada’s economy are highly interconnected, and a cyber attack on one could quickly propagate and cause major disruptions. That is why the Bank is working with Payments Canada and the six largest Canadian banks to reduce the chance of a serious cyber event, and to mitigate the impact and recover quickly if such an event were to materialize, Ms Wilkins said.