As part of its initiative to assist firms in protecting their clients and business from cyber-risks, IIROC has announced plans to provide IIROC-regulated firms with individual assessments of their cybersecurity preparedness.
In observance of Cybersecurity Awareness Month in October, the regulator will send each IIROC dealer member a confidential report card evaluating their cybersecurity practices in comparison to industry benchmarks, as well as against similar-size firms with comparable business models. Specific areas requiring priority attention will also be identified.
"As the frequency and sophistication of cyber-attacks increase, it is crucial that IIROC-regulated firms treat cybersecurity risk management as a high priority," said IIROC Senior Vice President for Member Regulation and Strategic Initiatives Wendy Rudd. "IIROC will continue to work with firms to ensure they have appropriate cybersecurity infrastructure and measures in place."
The report cards follow from an extensive assessment survey tool, which was developed by Deloitte for IIROC and given for all dealer members to complete in June 2016. The responses were measured against a National Institute of Standards and Technology cybersecurity framework that focuses on governance, threat prevention, threat detection, and threat response/recovery.
With the survey information collected, IIROC has a better understanding of the suitability of each firm’s policies, systems, and governance structure in managing cybersecurity risks. Past achievements in its ongoing program to help dealers include a previous survey of firms, consultations with security and industry experts, and a tabletop exercise, which led to the publication of the Cybersecurity Best Practices Guide and the Cyber Incident Management Planning Guide in December 2015.
Succeeding efforts will center on collaboration with and advice to firms, helping them to better prepare against threats and respond to breaches. IIROC also intends to work closely with the CSA on their recently announced initiative to discuss cybersecurity issues and risks, as well as the need for coordination and information sharing, with market participants.
Are regulators doing enough to beat cybercrime?
Are you prepared for a cyber attack?