As concerns about the digital security of Canada’s financial system continue to increase, regulators have introduced new rules requiring investment dealers to report any cybersecurity incidents. A big challenge is how those companies will get their investment advisors to be their eyes and ears on the ground.
In mid-November, the Investment Industry Regulatory Organization of Canada (IIROC) introduced mandatory cybersecurity incident reporting for its member dealers. They must inform the self-regulatory organization (SRO) of any cybersecurity incidents that disrupt their businesses in two ways. According to the rules, they must first “provide a preliminary description of the incident and steps taken to mitigate” its impact within three days. Then they “must provide a detailed investigation report, outlining the cause and scope of the issue, and steps taken to mitigate the risk of harm to investors and to the firm” within 30 days.
These new rules arrived just days before the Bank of Canada published its biannual Financial System Survey, in which senior experts who specialize in risk management provide their views on the resilience of Canada’s financial system. The danger of a large cyber incident ranked among the top three risks along with a general deterioration in the global economic outlook and a materialization of geopolitical risk events.
Story continues below advertisement
Dealers rely heavily on everyone in the organization when responding to cybersecurity incidents, says Bradley Freedman, partner and national co-leader of the cybersecurity law group at Borden Ladner Gervais LLP in Vancouver.
“Cybersecurity and privacy are team sports because they require a co-ordinated response.”
Advisors are a part of that team. As they deal with clients and their sensitive information every day, they represent the front line in any cybersecurity-related effort, says J.R. Cunningham, vice-president of strategic solutions at Herjavec Group, a Toronto-based provider of cybersecurity products and services to enterprises.
“In a lot of other campaigns centered around awareness, ‘If you see something, say something’ is a great tagline,” he says.
Advisors have a responsibility to educate themselves about cybersecurity, says Irene Winel, IIROC’s senior vice-president of member regulation and strategy.
“It’s a matter of good service and good business practice for advisors to stay up to date.”
At the same time, dealers themselves can be proactive in helping their advisors be aware of what to look for, Mr. Freedman says.
“An essential part of cyber risk management and privacy protection is education and training,” he says. “It can be done at a relatively low cost with significant return.”
Dealers can teach advisors what to watch out for without requiring them to be experts in technology-related matters, Mr. Cunningham says. They don’t have to be tech-savvy to understand what personally identifiable information means.
Dealers must make cybersecurity awareness training relevant to advisors, he adds. That means moving beyond dry lectures in an airless conference room and engaging advisors with practical exercises. In one increasingly common approach, companies send out fake phishing campaigns to test employees’ and contractors’ cybersecurity readiness. Companies can even gamify these exercises to help create a sense of healthy competition.
In many cases, it will be obvious to advisors immediately when they’ve done something wrong. “We’ve all had that lump in our throat after we clicked on a link and thought, ‘I shouldn’t have done that,’” Mr. Cunningham says.
The key to reporting cybersecurity incidents successfully is ensuring that advisors know what to do in those situations – namely, escalating the incident quickly so that the right people can deal with it.
Story continues below advertisement
“If something doesn’t seem right, knowing who to call and who to engage at a given time is what’s really important,” Mr. Cunningham says.
Advisors – especially those who report their own mistakes – must feel confident that they won’t be punished. It’s up to executives to create an atmosphere of trust, Mr. Cunningham adds.
Dealers may even consider giving advisors an incentive to report any cybersecurity incident, he suggests. That can be especially useful when dealing with large networks of independent advisors. Mr. Cunningham often sees this in retail and restaurant franchises.
“They’ll say, ‘If you adopt our standards, maybe we’ll help underwrite your cyber insurance risk or we’ll pay for your cyber policy because we’re confident that if you follow our technical standards, you’re not going to be breached.’”
Dealers could also engage advisors as active cybersecurity partners by brokering cybersecurity services. An investment company could procure technology protection tools and offer them to advisors at preferential rates to help engage them in cybersecurity reporting practices.
At the end of the day, advisors will need to keep honing their skills as dealers innovate with new technologies and hackers get ever more dangerous, Mr. Freedman warns.
Story continues below advertisement
“This is a permanent state of being for the foreseeable future. Organizations have to be on guard. They have to invest in people, processes and technologies to manage cyber risks and to protect the privacy of personal information.”
TORONTO – Canada’s main stock index was up more than 100 points in late-morning trading, helped by strength in base metal and utility stocks, while U.S. stock markets were mixed.
The S&P/TSX composite index was up 103.40 points at 24,542.48.
In New York, the Dow Jones industrial average was up 192.31 points at 42,932.73. The S&P 500 index was up 7.14 points at 5,822.40, while the Nasdaq composite was down 9.03 points at 18,306.56.
The Canadian dollar traded for 72.61 cents US compared with 72.44 cents US on Tuesday.
The November crude oil contract was down 71 cents at US$69.87 per barrel and the November natural gas contract was down eight cents at US$2.42 per mmBTU.
The December gold contract was up US$7.20 at US$2,686.10 an ounce and the December copper contract was up a penny at US$4.35 a pound.
This report by The Canadian Press was first published Oct. 16, 2024.
TORONTO – Canada’s main stock index was up more than 200 points in late-morning trading, while U.S. stock markets were also headed higher.
The S&P/TSX composite index was up 205.86 points at 24,508.12.
In New York, the Dow Jones industrial average was up 336.62 points at 42,790.74. The S&P 500 index was up 34.19 points at 5,814.24, while the Nasdaq composite was up 60.27 points at 18.342.32.
The Canadian dollar traded for 72.61 cents US compared with 72.71 cents US on Thursday.
The November crude oil contract was down 15 cents at US$75.70 per barrel and the November natural gas contract was down two cents at US$2.65 per mmBTU.
The December gold contract was down US$29.60 at US$2,668.90 an ounce and the December copper contract was up four cents at US$4.47 a pound.
This report by The Canadian Press was first published Oct. 11, 2024.
TORONTO – Canada’s main stock index was little changed in late-morning trading as the financial sector fell, but energy and base metal stocks moved higher.
The S&P/TSX composite index was up 0.05 of a point at 24,224.95.
In New York, the Dow Jones industrial average was down 94.31 points at 42,417.69. The S&P 500 index was down 10.91 points at 5,781.13, while the Nasdaq composite was down 29.59 points at 18,262.03.
The Canadian dollar traded for 72.71 cents US compared with 73.05 cents US on Wednesday.
The November crude oil contract was up US$1.69 at US$74.93 per barrel and the November natural gas contract was up a penny at US$2.67 per mmBTU.
The December gold contract was up US$14.70 at US$2,640.70 an ounce and the December copper contract was up two cents at US$4.42 a pound.
This report by The Canadian Press was first published Oct. 10, 2024.