New survey results suggest that previous efforts to encourage safeguards against cyber risks are bearing fruit
As technology plays an increasingly critical role among stakeholders in the financial-services industry, regulators are pushing firms to focus more on cybersecurity. And according to newly released survey findings from the Investment Industry Regulatory Organization of Canada (IIROC), firms are becoming more prepared against digital threats.
The survey, completed in November 2018, was completed by all firms regulated by IIROC; it follows the first review that was originally conducted in 2016. Each firm was measured against the National Institute of Standards and Technology (NIST) cybersecurity framework, which focuses on governance as well as security, vigilance, and resilience.
Highlights of the survey include:
- An overwhelming majority of firms (94%) assess third parties for potential cyber risks before entering into a contract — up from 70% in 2016;
- Cybersecurity training is conducted at least annually by 82% of firms — up from 56% in 2016;
- An incidence response plan is in place at 72% of firms — up from 53%;
- More than half of firms (55%) have purchased a cyber insurance policy — up from 37%; and
- Between 2016 and 2018, the number of firms at high-risk of experiencing a cyber threat decreased, with smaller firms contributing the most to the reduction
IIROC has shared individual results with all firms, as well as recommendations on any cybersecurity gaps that should be prioritized. Those include performing privacy risk or impact assessments, as well as monitoring the dark web for intelligence related to their organizations.
“IIROC works closely with firms to manage cybersecurity risks and protect data, as a part of our mandate to protect investors and enhance market integrity,” said Louis Piergeti, IIROC's vice president of Financial & Operations Compliance. “
The published findings build on IIROC’s other efforts to prioritize technology and cybersecurity development in the wealth industry. Last month, it released a report prepared in collaboration with Accenture, which delved into the wealth industry’s evolution in response to investor needs and how regulation can better accommodate innovation.
IIROC has also proposed a rule for mandatory reporting of cybersecurity incidents to determine whether firms need guidance on how to assess and address any potential liability. It also hosted day-long table-top test scenarios in 2018; geared toward small and medium-sized firms, the role-playing exercise posed different crises — such as ransomware attacks, data leakages, and third-party information breaches — to which participants had to respond. Experts in cybersecurity, regulation, and law provided guidance and recommended cost-effective solutions at the end of the sessions.
The self-regulatory organization has also published a cybersecurity best practices guide, accessible on the IIROC website, for firms and their advisors.