What the recent changes to IIROC mean for Canadian investors | Vumetric

What the recent changes to IIROC mean for Canadian investors

Share on linkedin
Share on facebook
Share on twitter

Table of Contents

With the rise in cybercrime in Canada, it should come as no surprise that the Investment Industry Regulatory Organization of Canada (IIROC) has beefed up requirements for the financial sector, around cybercrime.

Concern over the threat of cybercrime led to Canadian financial institutions asking for stronger regulations to stay on top of potentially devastating cyber crimes, last year. The latest statistics available, reveal that baking institutions (excluding investment banks) reported the highest level of incidents (47%), and that these types of businesses were “impacted by incidents to steal money or demand ransom payments in 2017.”

Additionally, over half – 60 percent – of organizations that report that “manipulation and theft of data would have a detrimental impact on their business.”

Thankfully, the IIROC has implemented stronger regulations that will help the financial sector to defend stakeholders against cybercrime. The organization has written amendments to their Dealer Member Rules that:

  • Require Dealers to report to IIROC any cybersecurity incidents within three days of discovery of the cybersecurity incident.
  • Require Dealers to provide IIROC with an incident investigation report within 30 days of discovery of the cybersecurity incident
  • List the information Dealers must report.

In simple terms, these amendments broaden protection wider than the scope of the Privacy Information Protection and Electronic Documents Act. The main objectives of developing these amendments, according to the IIROC, are to:

  • Provide immediate support to a Dealer responding to a cybersecurity incident.
  • Alert other Dealers of threats and share best practices for incident preparedness.
  • Evaluate trends and develop comprehensive insight regarding cybersecurity.
  • Promote confidence in the Dealer and the integrity of the market.

With cybercrime actually becoming an industry of it’s own, with “suppliers, markets, service providers (“cybercrime as a service”), financing, trading systems, and a proliferation of business models,” today’s information-sensitive industries must be preemptive in developing security measures that protect them and their investors.

What is an “incident”?

Public feedback about the new rules included several mentions of the definition of an “incident,” when it comes to cyber crime but the IIROC intentionally crafted a broad definition of an incident because, they say, different incidents can impact different organizations in different ways.

For these amendments, an “incident” is defined as any security breaches that:

  • Involve personal information and may be reportable under the reporting obligations of the Privacy Information Protection and Electronic Documents Act (PIPEDA)
  • Affect a Dealer’s ability to meet its obligations to its clients and capital market counterparties
  • Affect both individuals and non-individuals.

The three-day report

The IIROC’s requirement for a three-day report will allow them to promptly investigate and determine any new cyber threats to other organizations in the financial sector before they become victimized. Cyber crime evolves quickly so having the information on data breaches as quickly as possible, allows them to keep the financial sector informed.

The minimum requirements for the three-day report are:

  • A description of the cybersecurity incident
  • The date it was discovered and the date/time period during it occurred
  • A preliminary assessment of the incident, including the risk of harm to any person or impact on a Dealer’s operations
  • A description of immediate response steps a Dealer has taken
  • Contact information for an individual who can answer follow-up questions

If the Dealer has additional information, this, too, can be included in the report. This information is used to perform a “preliminary assessment” of the incident.

The 30-day report

This is a more detailed report that includes:

  • A description of the cause of the incident
  • Assessment of the scope of the incident
  • The steps a Dealer has taken to mitigate the risk of harm to persons and impact on a Dealer’s operations
  • The steps a Dealer took to remediate any harm to any person
  • Actions a Dealer has taken to improve its cybersecurity incident preparedness

The IIROC then “anonymizes” the information collected, so they can share findings and potential new threats with the public and other Dealers as quickly and effectively as possible.

How this change helps investors

According to a recent study, financial institutions take in the highest cost in damages from cybercrime at an average of $18.3m per company surveyed. And while web-based attacks such as malware or phishing are issues, people-based attacks and ransomware are increasing, resulting in an average global cost of $5.5 million USD ($7,265,225.00 CAD) for these institutions.

By collecting information on cybersecurity incidents quickly, IIROC is able to consolidate and assemble data to provide preemptive information that can protect organizations from evolving cybercrimes.

As businesses increasingly incorporate new technologies such as machine learning, AI, and automation, regulations will need to evolve as quickly as cybercrime does. With IIROC collecting the latest cybersecurity breaches and sharing the information with the public and other organizations, financial organizations can stay ahead of cybercriminals and defend themselves against losing valuable data and experiencing detrimental business disruption. Today’s organizations need to invest heavily in security measures that protect individuals, due to the rise in phishing, ransomware, and malicious insider attacks.

However, even with the best IT departments, financial institutions have hidden vulnerabilities they are unaware of. This is why organizations should make it a priority to have regular assessments to determine if they need to change or reinforce their cybersecurity. As things become more connected through IoT devices, web and mobile applications, cybercriminals can now gain access to sensitive information using complex exploitation techniques that were not anticipated during the implementation of these smart devices and applications.

In fact, 81% of business leaders believe that the rising use of technologies “introduces vulnerabilities faster than they can be secured,” meaning today’s organizations benefit from regular screening to ensure they are secure.

With the help of a penetration test, you can assess your company’s risks of a cybersecurity incident and get solutions to prevent them. Reach out to a certified cybersecurity specialist today to learn more.

About the IIROC

The IIROC is a self-regulatory organization that focuses on protecting investors by setting high-quality investment rules and standards for Canada’s financial sector. They oversee all of the activity of investment dealers in Canada’s debt and equity market with the goal of ensuring a safe and robust market for Canada’s investors.

Need to Assess And Mitigate Your Cybersecurity Risks?

or give us a call directly at:

Need to Identify Your Cybersecurity Risks?

A specialist will reach out to:

Mailbox Icon
stay informed!
Subscribe to stay on top of the latest trends, threats, news and statistics in the cybersecurity industry.