Canadian investment firms boost cybersecurity measures, survey shows
Survey among IIROC-regulated firms shows improvement in training, incident response plans and third-party risk assessment.

Canadian investment firms have bolstered their cybersecurity preparedness, according to the results of a recent survey conducted among firms regulated by the Investment Industry Regulatory Organization of Canada (IIROC).
The survey, completed in November 2018, assessed each firm against the National Institute of Standards and Technology (NIST) cybersecurity framework. The NIST framework focuses on governance, as well as security, vigilance and resilience of each firm. IIROC has reported individual results to all firms, with recommendations on any gaps in cybersecurity capabilities that require attention. This marks the second such survey, following the one conducted in 2016.
The latest survey shows that nearly all firms (94%) assess third parties for potential cyber risks before entering into a contract. This is markedly higher than the 70% reported in 2016.
A large majority of respondents (82%) say they conduct cybersecurity training at least annually, up from 56% in 2016. In another positive reading, 72% of firms say they have an incident response plan in place. This compares with 53% in 2016.
More than half (55%) of firms have purchased a cyber insurance policy. The result is higher than the 37% level in 2016.
Between 2016 and 2018, the number of firms at a high risk of experiencing a cyber threat fell, with smaller firms accounting for the bulk of this decrease.
There is still room for improvement, especially in areas such as performing privacy risk or impact assessments, as well as monitoring the dark web for intelligence related to their organizations.
IIROC has also proposed a rule requiring mandatory reporting of cybersecurity incidents, which would help determine whether firms need guidance on how to assess and address any potential liability. IIROC would also be able to determine whether the information yielded any insight or intelligence that could help improve the industry’s overall preparedness.