New IIROC Cybersecurity Risk Management Guides – Voluntary?

On December 21, 2015, the Investment Industry Regulatory Organization of Canada (IIROC) published two excellent resources to help IIROC-regulated firms address cybersecurity threats. The resources are aimed, in particular, at small and medium-sized securities dealers. Although developed for dealer members of IIROC, the resources are useful for all small and medium-sized enterprises in the extended financial industry. The quality of the guides reflects the fact that IIROC consulted with external experts for their development.

Overview of the Guides

As mentioned, there are two guides: the Cybersecurity Best Practices Guide for IIROC Dealer Members and the Cyber Incident Management Planning Guide for IIROC Dealer Members.

The Best Practices Guide is intended to be a “living document” that will be further updated as lessons are learned and dealer members and the industry provide feedback. The core of the Best Practices Guide is a series of 15 best practices with specific recommendations on implementation. A quick summary of the topics covered in the Best Practices Guide can be found at the end of this post.

The Incident Management Planning Guide describes five basic steps in preparing for and responding to cybersecurity incidents. The basic steps include: (i) developing an incident response team and breach response plan; (ii) implementing a monitoring program to detect cybersecurity incidents; (iii) assessing whether a cybersecurity event is truly an incident indicating a significant probability of compromising business operations; (iv) containing, recovering from and forensically analysing the incident; and (v) developing lessons learned. The Incident Management Planning Guide also provides dealer members with a resource to assist in developing an information sharing program with other organizations.

Are the Guides Really Voluntary?

The Best Practices Guide states that it is “not intended to create new legal or regulatory obligations or modify existing ones, including existing IIROC requirements”. The Incident Management Planning Guide is “not intended to function as a working response plan.”

Although following the guidance in these two resources is voluntary, IIROC dealer members should pay close attention to the content of these guides. The risk for dealer members is that in the event of a cybersecurity incident and subsequent litigation, a court may look to this guidance as providing some evidence of what constitutes an appropriate standard of care. While this guidance would not be binding on a court, it is likely to have some weight in determining whether a dealer member who ignores this guidance was negligent.

In addition, Andrew Kriegler, IIROC President and CEO, stated in the press release accompanying the resources that “[a]ctive management of cyber risk is critical to the stability of IIROC-regulated firms, the integrity of Canadian capital markets and the protection of investors.” This suggests that even if the resources will not be treated as prescriptive by IIROC, dealer members would do well to consider their content and, perhaps, proactively consider (with the assistance of legal counsel) whether they could justify substantial departures from the guidance that would have the effect of leaving them more vulnerable to cyber risks.

What are the Best Practices Topics?

The Best Practices Guide is detailed and includes specific recommendations on how to implement the best practices. In brief, the best practices cover the following topics:

  • Leadership: Board or Executive Team leadership focus on enterprise-wide concerns with reporting to an Audit Committee, Risk Committee or the Board.
  • Gap Assessment: A systematic approach should be used to first prioritize mission and objectives, identify threats, define the current program, conduct a risk assessment, create a target profile, identify the gaps between the current program and desired profile, and implement an action plan.
  • Insider Threats: Addressing the “insider” threat through personnel screening, training of employees, using technical controls, and monitoring and responding to suspicious resource use.
  • Physical Security: Physical security from human threats, environmental threats and supply chain threats should be addressed.
  • Employee Training: Criteria for employee training, including that it be robust, frequent, and directive as to the proper use of information technology, including how to protect against phishing and other methods of social engineering that use the employee insider to open a vulnerability in the organization’s cybersecurity defences.
  • Technical Vulnerability Assessments: Ongoing and automated vulnerability assessments are critical to identify technical security vulnerabilities.
  • Network Security: Firewalls, wireless networks and remote access must all be equipped with up-to-date and properly configured technology.
  • Information System Protection: Ensuring that there is endpoint security to monitor workstations and mobile devices and ensuring that policies regarding external devices (e.g. portable drives or USB memory sticks) are enforced and that there is an effective backup and recovery plan.
  • User Account Management: Ensuring that access controls limit access to information on a need-to-know basis.
  • Asset Management: Ensuring inventory control over all physical assets, including mobile devices.
  • Incident Response Plan: Planning and preparing for a cybersecurity incident in order to more effectively contain it when it does occur.
  • Breach Reporting and Information Sharing: Ensuring that statutory requirements for breach reporting are met and that information is shared and used to develop responses to emerging threats.
  • Cyber Insurance: Reviewing and considering policy options to mitigate financial risk.
  • Vendor Risk Management: Assessing and mitigating risks associated with the use of vendors who provide information technology services or who have access to the dealer member’s network.
  • Cybersecurity Policy: Developing a security policy establishing expectations for mandatory conduct.

The IIROC resources and more information on IIROC’s activities can be found on the IIROC website.