Beware of cyber risks from COVID-19, says IIROC

Self-regulatory organization urges vigilance against malware and phishing, as well as possible account intrusions

As the COVID-19 pandemic pushes financial-services firms to adopt digital and remote work setups, the Investment Industry Regulatory Organization of Canada (IIROC) is cautioning its members against cybersecurity threats.

“With the COVID-19 pandemic, there is new and changing information available every day,” IIROC said in a recent notice. “Unfortunately, with any crisis comes bad actors who will try to exploit the crisis.”

The self-regulatory organization warned its members to treat coronavirus-themed text messages, emails, attachments, links, and websites with caution. It noted a risk that such communications or online assets could contain malware, or be used in a broader phishing attack through which hackers attempt to access unsuspecting victims’ network, personal information, or assets.

“If you click on a suspicious link or access … an attachment, notify your IT service provider and disconnect your internet connection immediately,” IIROC said, reminding people not to shut down their computers at that point.

“In general, if you are unsure about the validity of any emails received, please check with your IT service provider,” the regulatory organization said. Service providers should also ensure that even in a work-from-home setting, members will continue to get critical software security patches, it added.

IIROC also urged members to exercise prudence when viewing unexpected emails, particularly those that ask recipients to open a link or attachment, or provide personal, login, or banking information. It also asked members working from home to keep laptops, phones, and other mobile devices secure, and refrain from using unauthorized devices, or accessing unsecure websites or wireless networks.

Noting an increase in potential client account intrusions, it reminded members to make sure their controls or processes to prevent or detect such events — including real-time alerts and post-trade compliance reviews, two-factor authentication, and blocking access or requiring further authentication for unrecognized IP addresses, among others — are operational and working as intended.

“As a reminder, IIROC expects any Dealer Member that has experienced problems with account intrusions to advise IIROC of the activity,” the SRO said.

 
