What the recent changes to IIROC mean for Canadian investors | Vumetric
IIROC Cybersecurity Incident Reporting


    With the rise in cybercrime in Canada, it should come as no surprise that the Investment Industry Regulatory Organization of Canada (IIROC) has beefed up its cybercrime requirements for the financial sector.

    Last year, concern over the threat of cybercrime led Canadian financial institutions to ask for stronger regulations to stay on top of potentially devastating cyber crimes. The latest statistics available reveal that banking institutions (excluding investment banks) reported the highest level of incidents (47%), and that these types of businesses were “impacted by incidents to steal money or demand ransom payments in 2017.”

    Additionally, over half (60 percent) of organizations report that “manipulation and theft of data would have a detrimental impact on their business.”

    Thankfully, the IIROC has implemented stronger regulations that will help the financial sector to defend stakeholders against cybercrime. The organization has written amendments to their Dealer Member Rules that:

    • Require Dealers to report to IIROC any cybersecurity incidents within three days of discovery of the cybersecurity incident
    • Require Dealers to provide IIROC with an incident investigation report within 30 days of discovery of the cybersecurity incident
    • List the information Dealers must report.

    In simple terms, these amendments broaden protection beyond the scope of the Personal Information Protection and Electronic Documents Act. The main objectives of developing these amendments, according to the IIROC, are to:

    • Provide immediate support to a Dealer responding to a cybersecurity incident.
    • Alert other Dealers of threats and share best practices for incident preparedness.
    • Evaluate trends and develop comprehensive insight regarding cybersecurity.
    • Promote confidence in the Dealer and the integrity of the market.

    With cybercrime becoming an industry of its own, complete with “suppliers, markets, service providers (“cybercrime as a service”), financing, trading systems, and a proliferation of business models,” today’s information-sensitive industries must be preemptive in developing security measures that protect them and their investors.

    What is an “incident”?

    Public feedback about the new rules included several comments on how an “incident” should be defined in the context of cyber crime, but the IIROC intentionally crafted a broad definition because, they say, different incidents can impact different organizations in different ways.

    For these amendments, an “incident” is defined as any security breach that:

    • Involves personal information and may be reportable under the reporting obligations of the Personal Information Protection and Electronic Documents Act (PIPEDA)
    • Affects a Dealer’s ability to meet its obligations to its clients and capital market counterparties
    • Affects both individuals and non-individuals.

    The three-day report

    The IIROC’s requirement for a three-day report will allow it to promptly investigate and identify new cyber threats to other organizations in the financial sector before they are victimized. Cyber crime evolves quickly, so having information on data breaches as early as possible allows the IIROC to keep the financial sector informed.

    The minimum requirements for the three-day report are:

    • A description of the cybersecurity incident
    • The date it was discovered and the date or time period during which it occurred
    • A preliminary assessment of the incident, including the risk of harm to any person or impact on a Dealer’s operations
    • A description of immediate response steps a Dealer has taken
    • Contact information for an individual who can answer follow-up questions

    If the Dealer has additional information, this, too, can be included in the report. This information is used to perform a “preliminary assessment” of the incident.

    The 30-day report

    This is a more detailed report that includes:

    • A description of the cause of the incident
    • Assessment of the scope of the incident
    • The steps a Dealer has taken to mitigate the risk of harm to persons and impact on a Dealer’s operations
    • The steps a Dealer took to remediate any harm to any person
    • Actions a Dealer has taken to improve its cybersecurity incident preparedness

    The IIROC then “anonymizes” the information collected, so they can share findings and potential new threats with the public and other Dealers as quickly and effectively as possible.

    How this change helps investors

    According to a recent study, financial institutions incur the highest cost in damages from cybercrime, at an average of $18.3m per company surveyed. And while web-based attacks such as malware or phishing remain an issue, people-based attacks and ransomware are increasing, resulting in an average global cost of $5.5 million USD ($7,265,225.00 CAD) for these institutions.

    By collecting information on cybersecurity incidents quickly, IIROC is able to consolidate and assemble data to provide preemptive information that can protect organizations from evolving cybercrimes.

    As businesses increasingly incorporate new technologies such as machine learning, AI, and automation, regulations will need to evolve as quickly as cybercrime does. With IIROC collecting the latest cybersecurity breaches and sharing the information with the public and other organizations, financial organizations can stay ahead of cybercriminals and defend themselves against losing valuable data and experiencing detrimental business disruption. Today’s organizations need to invest heavily in security measures that protect individuals, due to the rise in phishing, ransomware, and malicious insider attacks.

    However, even with the best IT departments, financial institutions have hidden vulnerabilities they are unaware of. This is why organizations should make it a priority to conduct regular assessments to determine whether they need to change or reinforce their cybersecurity. As more systems become connected through IoT devices and web and mobile applications, cybercriminals can gain access to sensitive information using complex exploitation techniques that were not anticipated when these smart devices and applications were implemented.

    In fact, 81% of business leaders believe that the rising use of technologies “introduces vulnerabilities faster than they can be secured,” meaning today’s organizations benefit from regular screening to ensure they are secure.

    With the help of a penetration test, you can assess your company’s risks of a cybersecurity incident and get solutions to prevent them. Reach out to a certified cybersecurity specialist today to learn more.

    About the IIROC

    The IIROC is a self-regulatory organization that focuses on protecting investors by setting high-quality investment rules and standards for Canada’s financial sector. They oversee all of the activity of investment dealers in Canada’s debt and equity market with the goal of ensuring a safe and robust market for Canada’s investors.
