What the recent changes to IIROC mean for Canadian investors | Vumetric


With the rise in cybercrime in Canada, it should come as no surprise that the Investment Industry Regulatory Organization of Canada (IIROC) has strengthened its cybercrime-related requirements for the financial sector.

Last year, concern over the threat of cybercrime led Canadian financial institutions to ask for stronger regulations so they could stay on top of potentially devastating cyber crimes. The latest available statistics reveal that banking institutions (excluding investment banks) reported the highest level of incidents (47%), and that these businesses were “impacted by incidents to steal money or demand ransom payments in 2017.”

Additionally, over half (60 percent) of organizations report that “manipulation and theft of data would have a detrimental impact on their business.”

Thankfully, the IIROC has implemented stronger regulations that will help the financial sector defend stakeholders against cybercrime. The organization has written amendments to its Dealer Member Rules that:

• Require Dealers to report any cybersecurity incident to IIROC within three days of discovering it
• Require Dealers to provide IIROC with an incident investigation report within 30 days of discovering the incident
• List the information Dealers must report.

In simple terms, these amendments extend protection beyond the scope of the Personal Information Protection and Electronic Documents Act. According to the IIROC, the main objectives of these amendments are to:

• Provide immediate support to a Dealer responding to a cybersecurity incident.
• Alert other Dealers of threats and share best practices for incident preparedness.
• Evaluate trends and develop comprehensive insight regarding cybersecurity.
• Promote confidence in the Dealer and the integrity of the market.

With cybercrime becoming an industry of its own, complete with “suppliers, markets, service providers (‘cybercrime as a service’), financing, trading systems, and a proliferation of business models,” today’s information-sensitive industries must be proactive in developing security measures that protect them and their investors.

What is an “incident”?

Public feedback on the new rules included several comments about how an “incident” should be defined in the context of cyber crime. The IIROC intentionally crafted a broad definition because, it says, different incidents can affect different organizations in different ways.

For these amendments, an “incident” is defined as any security breach that:

• Involves personal information and may be reportable under the reporting obligations of the Personal Information Protection and Electronic Documents Act (PIPEDA)
• Affects a Dealer’s ability to meet its obligations to its clients and capital market counterparties
• Affects both individuals and non-individuals.

The three-day report

The IIROC’s three-day reporting requirement allows it to investigate promptly and identify new cyber threats to other organizations in the financial sector before those organizations are victimized. Cyber crime evolves quickly, so receiving information on data breaches as early as possible allows the IIROC to keep the financial sector informed.

The minimum requirements for the three-day report are:

• A description of the cybersecurity incident
• The date it was discovered and the date or time period during which it occurred
• A preliminary assessment of the incident, including the risk of harm to any person or the impact on a Dealer’s operations
• A description of the immediate response steps a Dealer has taken
• Contact information for an individual who can answer follow-up questions

If the Dealer has additional information, it can be included in the report as well. The IIROC uses this information to perform a “preliminary assessment” of the incident.

The 30-day report

This is a more detailed report that includes:

• A description of the cause of the incident
• An assessment of the scope of the incident
• The steps a Dealer has taken to mitigate the risk of harm to persons and the impact on a Dealer’s operations
• The steps a Dealer took to remediate any harm to any person
• Actions a Dealer has taken to improve its cybersecurity incident preparedness

The IIROC then “anonymizes” the information collected so that it can share findings and potential new threats with the public and other Dealers as quickly and effectively as possible.

How this change helps investors

According to a recent study, financial institutions incur the highest cost in damages from cybercrime, at an average of $18.3m per company surveyed. And while web-based attacks such as malware or phishing remain a problem, people-based attacks and ransomware are increasing, resulting in an average global cost of $5.5 million USD ($7,265,225.00 CAD) for these institutions.

By collecting information on cybersecurity incidents quickly, the IIROC is able to consolidate the data and provide early warning that can protect organizations from evolving cybercrimes.

As businesses increasingly adopt new technologies such as machine learning, AI, and automation, regulations will need to evolve as quickly as cybercrime does. With the IIROC collecting details of the latest cybersecurity breaches and sharing them with the public and other organizations, financial organizations can stay ahead of cybercriminals and defend themselves against losing valuable data and suffering detrimental business disruption. Given the rise in phishing, ransomware, and malicious insider attacks, today’s organizations need to invest heavily in security measures that protect individuals.

However, even with the best IT departments, financial institutions have hidden vulnerabilities. This is why organizations should make regular assessments a priority, to determine whether they need to change or reinforce their cybersecurity. As more systems become connected through IoT devices, web applications and mobile applications, cybercriminals can gain access to sensitive information using complex exploitation techniques that were not anticipated when these smart devices and applications were implemented.

In fact, 81% of business leaders believe that the rising use of technology “introduces vulnerabilities faster than they can be secured,” meaning today’s organizations benefit from regular screening to ensure they are secure.

With the help of a penetration test, you can assess your company’s risk of a cybersecurity incident and get solutions to prevent one. Reach out to a certified cybersecurity specialist today to learn more.

About the IIROC

The IIROC is a self-regulatory organization that focuses on protecting investors by setting high-quality investment rules and standards for Canada’s financial sector. It oversees all of the activity of investment dealers in Canada’s debt and equity markets with the goal of ensuring a safe and robust market for Canada’s investors.
