Document outlines general principles of risk management and recommended controls mainly for small and mid-sized firms
The Investment Industry Regulatory Organization of Canada (IIROC) has published a new guide to support member firms as they navigate the risks associated with technology for financial services businesses.
“Technology risk is the business risk associated with the deployment of and reliance on technology and automation at a firm,” IIROC wrote. “This could represent a substantial business risk which, if not appropriately managed, has the potential to seriously damage the firm and its future viability.”
Published mainly for small and medium-sized firms, the guide lays out general principles of risk management and some recommended controls, but does not prescribe a framework or rule requirement for member firms to follow.
As part of the process to manage technology risks, the guide said firms should consider identifying and then assessing risk events that could affect the different technological systems they use. After identifying threats and threat vectors, the guide said, firms should evaluate risks based on their likelihood of occurrence as well as the severity of the impact if a risk event were to occur.
“Accordingly, the firm should consider who will be impacted and the nature and amount of impact,” the guide said.
Emphasizing that technological risks cannot be totally eliminated, IIROC said firms should institute controls to manage individual risks. The guide suggested that firms focus most on high-likelihood, high-impact events and generally deal with individual risks by avoiding, accepting, transferring, or mitigating them.
“Firms should consider compiling the list of all risk events, the risk assessment, and the controls in a document or a ‘risk register’ and making sure that the risk register is regularly reviewed and updated,” the guide said.
IIROC also provided a list of controls that firms might consider across different key dimensions of technology risk including information and data management, device management, systems and application management, process management, and vendor management, among others.
Staying on top of tech-related risks, the guide added, should not be seen as the sole responsibility of compliance and IT staff, but should involve every individual all the way to the top, including senior management and the board of directors.
“Firms that do not have a formalized framework today to manage technology risk should consider taking the first steps by reaching out to risk management and technology risk consultants,” IIROC said, stressing that the goal should be a uniquely designed framework that considers the firm’s business model and stakeholders.
The SRO’s new guide comes several weeks after it issued a notice telling IIROC firms and employees to watch out for ransomware attacks.
“IIROC has noticed an increase in ransomware attacks on IIROC firms and in particular, over the last few months,” the notice dated March 16 said. “Ransomware is the most common type of cybercrime and continues to evolve. It is a critical threat that firms need to continue to look out for.”
To head off such threats, IIROC said firms should establish controls to prevent and identify ransomware that include systems focused on protecting data, devices, and networks; educating employees, contractors, and vendors; and monitoring for anomalous behaviour.