IIROC is providing all dealer member firms it regulates (Firms) with a confidential cybersecurity “report card” that will include:
- an individual assessment of the Firm’s cybersecurity preparedness program
- a comparison of the Firm’s cybersecurity practices against the industry and other Firms of similar size and business model
- a list of cybersecurity areas to which the Firm should be giving priority attention.
The report cards were generated based on the results of an extensive assessment survey that Firms completed in June 2016. The survey responses were benchmarked against a National Institute of Standards and Technology cybersecurity framework that considers governance, threat prevention, threat detection and threat response and recovery criteria.
IIROC is also using the June survey results to assess the adequacy of each Firm’s cybersecurity policies and procedures. Firms that are assessed as lagging their peers may face further regulatory scrutiny.
Cybersecurity is a key regulatory priority for IIROC and the CSA
All registered securities firms can expect continued and heightened scrutiny of their cybersecurity policies and procedures. As we discussed in our earlier blogs (IIROC 2016 Compliance Priorities and CSA Sets Out Priorities for 2016-2019), cybersecurity preparedness is a key regulatory priority for IIROC and the Canadian Securities Administrators (CSA).
Recently, the CSA issued CSA Staff Notice 11-332 – Cyber Security which further highlights the importance of cybersecurity and communicates expectations that the CSA has of market participants in this area, including the following:
Registered securities firms are expected to:
- remain vigilant in developing, implementing and updating their approach to cybersecurity management
- review and follow regulatory guidance (e.g. IIROC and MFDA guidance).
Regulated entities (e.g. marketplaces, clearing agencies, information processors) are expected to:
- examine and review compliance with ongoing requirements outlined in securities legislation, terms and conditions of recognition, registration or exemption orders
- have internal controls over their systems and to report security breaches
- adopt a cybersecurity framework provided by a regulatory authority or standard-setting body that is appropriate to their size and scale.
Public companies who have determined that cybersecurity is a material risk are expected to:
- provide detailed and entity-specific cyber risk disclosure
- address in any cyber-attack remediation plan:
- how materiality of an attack would be assessed, including the attack’s impact on the company’s operations and reputation, its customers, employees and investors
- whether and what, as well as when and how, to disclose a cyber-attack.
In previous guidance (CSA Staff Notice 11-326 – Cyber Security), the CSA also indicated that it expects registrants to implement strong and tailored cybersecurity measures in accordance with prudent business practice and to improve information security, including by:
- educating staff
- conducting third party testing and assessment
- regularly reviewing and updating cybersecurity measures
- following industry guidelines and best practices.
Improving your firm’s cybersecurity regulatory compliance
Enhanced data protection measures and a robust breach response protocol are key to discharging a registrant’s regulatory compliance obligations, but can also be a potential competitive advantage that differentiates market-leading firms from the competition.
All securities firms, and especially Firms that received a lagging IIROC “report card”, should carefully review their cybersecurity policies and procedures. For more information on how our cross-functional securities regulatory and cyber law expertise may assist in this regard, please contact a member of our Securities Regulation & Investment Products Group. For additional insights on CSA Staff Notice 11-332, please see our colleagues’ recent post on the CyberLex blog.