Last week, the Investment Industry Regulatory Organization of Canada (IIROC) published its statement of priorities for the fiscal year ending in 2022, which included a focus on cybersecurity.
“The evolution of the industry has led to significant reliance on technology and automation by IIROC firms in order to meet investor needs, drive growth and achieve their business and strategic objectives,” the self-regulatory organization said. “Such reliance can also bring significant risks that need to be managed.”
While the pace of technological change has certainly accelerated over the past few months, Canada’s investment industry has been on the path of digital innovation and adoption for years. In a joint report with Accenture published in 2019, IIROC highlighted how changing investor expectations – most notably among women and millennials – were causing seismic shifts in the way advice is offered. As product-led business models give way to a more holistic planning orientation, dealer firms will increasingly use tech-based tools and services to support clients, it said.
“I think it’s important to put in context that cybersecurity risk has been an important focus for a number of years. It’s not just a recent phenomenon,” said Irene Winel, Senior Vice-President of Member Regulation and Strategy, in an interview with Wealth Professional. “However, with growing digitization, an increase in the flow of digital assets, and all sorts of people working from home as a result of the pandemic, those risks have certainly increased in our industry as well as other industries globally.”
Winel declined to provide specific numbers on how much the threat of cyber risks has spiked across the investment industry, but past notices from IIROC point to hotspots of malicious activity. In March, it issued a notice outlining steps firms could take to prevent, detect, and respond to ransomware attacks. Another notice in June last year focused on cloud services and application interfaces, which it said were increasingly being targeted by cyber attackers who are able to identify and exploit specific vulnerabilities.
Describing the past year as a “test of firms’ operational resilience,” Winel said firms have been diligent in putting business continuity plans in place even as they adopted work-from-home arrangements due to the pandemic. She also highlighted the need for firms to upgrade their security, continue to educate themselves on nascent threats, and conduct much-needed tests of their organizational preparedness.
“IIROC’s focus has been over the years and continues to be supporting the smaller and independent firms, who may not have the benefit of being part of larger integrated institutions and all the resources that come with them,” she added.
“That focus continues to be important,” Winel said. “You’re only as strong as your weakest link.”
Across large systems, the weakest link sometimes turns out to be the biggest. Recognizing this, IIROC said that it will also be “focusing on ways to identify and manage the risk of systemically-important vendors and service providers to the industry” as part of its fiscal 2022 priorities.
“Regulators have traditionally looked at outsourcing risk,” Winel said. “I think in the in the cyber context, it’s even more critically important to ensure that that that activities that are outsourced by an organization have adequate security in the connectivity.”
To sustain the flow of information on cybersecurity best practices across the industry, she said IIROC will continue to engage with its member firms as well as best-in-class global experts. Aside from working with public and private entities specializing in the area of cyber risk, the SRO also has in-house staff that monitors the current state of cybersecurity across Canada and the world based on research from regulators and government agencies.
In 2017 and 2019, IIROC engaged cybersecurity consultants to participate in site visits to selected dealers who were lagging behind their industry peer group target in terms of the maturity of their cybersecurity measures. Those site visits came after IIROC conducted cybersecurity self-assessment surveys in 2016 and 2018 for all its registered dealers.
Following those self-assessments, each dealer received a confidential Cybersecurity Report (CSR) that identified their level of cybersecurity maturity and provided high-level recommendations to address high-priority vulnerabilities in their operating system.
“We’re committed to reviewing the self-assessment with the experts that we send out to firms, which has proven to be very helpful, especially in those cases of the smaller firms,” Winel said.
Tabletop exercises, where firms run through several case studies and worst-case scenarios to assess their cybersecurity preparedness and risk management practices, also remain a priority for IIROC. Following exercises in 2015 and 2018, another one was initially planned for 2020, but had to be postponed due to the COVID-19 pandemic; the SRO is looking at putting together its next event, whether virtually or in-person, as soon as possible.