
Cybersecurity is top of mind for Canadian financial planners as firms adapt to evolving threats from hackers, phishers and ransomers.

While the financial services industry has long been a target, cyberattacks are growing more sophisticated and frequent. Last year, Statistics Canada reported more than one-fifth of Canadian businesses experienced a cybersecurity incident that impacted their operations.

Financial advisors are deploying a range of security measures not only to protect client data, but also to meet new national standards. Earlier this month, privacy rules designed to better safeguard Canadians’ personal information came into force, requiring businesses to report major data breaches to both affected individuals and the Privacy Commissioner of Canada or face fines of up to $100,000.


With regulations helping to drive awareness, small and large enterprises are putting plans in place to prevent major data breaches and to protect their businesses.

The Globe and Mail reached out to Canadian cybersecurity experts to discuss what firms are doing today to ensure their clients' information is not at risk.

Data security

When hackers try to breach financial service providers’ systems, they’re often looking for the crown jewels: clients’ personal information and other data-driven insights, such as investment profiles. One way firms are limiting risk is by purging unnecessary details.

“If you don’t have the data, you can’t lose it,” said Ira Nishisato, a partner and cybersecurity expert in Toronto at Borden Ladner Gervais, a law firm. “You build up information over time, but now there’s more of a focus on, ‘Do we need it?’ ”

Financial planners are also exploring cloud-storage services that offer data security through features such as end-to-end data encryption and multifactor authentication, which requires two or more factors to access a system: for example, a username, password and time-sensitive code sent to a phone or other device.

Adriana Gliga-Belavic, a partner in PricewaterhouseCoopers’ cybersecurity and privacy practice in Toronto, said companies may use this model to access e-mail or share documents, allowing them to store less data locally where it could be vulnerable.


“Not all organizations have the resources and skill needed for cybersecurity, and because of that, we see some businesses trying to leverage solutions in the cloud,” she said.

Even with these measures in place, Ms. Gliga-Belavic said firms are increasingly looking at a second line of defence: cyberattack insurance. The coverage protects companies against losses stemming from cyberattacks, including business interruptions, restoration expenses or third-party liability and financial losses. While the product is in its infancy, Statistics Canada reported almost 24 per cent of large businesses had cyber liability insurance in 2017 compared with 14 per cent of medium-sized businesses and 7 per cent of small businesses.

Employee awareness

When the public thinks of cyber threats, they often think of large-scale attacks by hackers in foreign places such as China or Eastern Europe. But as many firms know, employees can actually represent the biggest risk, Mr. Nishisato said.

A major security issue facing financial planners is the rise of phishing and malware attacks, such as ransomware. Phishing attacks occur when assailants try to steal data by tricking individuals into opening a message and clicking a link, which can install malware or other software that breaches corporate networks to access sensitive information. In the case of ransomware, hackers can hold data hostage, forcing companies to either pay or lose access and watch confidential information leak.

As hackers become more sophisticated, there’s also been an uptick in “spear-phishing,” where assailants do background research and target specific individuals within an organization.


“If I get an e-mail from China asking me to click on a catalogue of light bulbs, I’m not very likely to be interested in that,” Mr. Nishisato said. “But if they know you work for an electrical company and your job involves procuring light bulbs, that kind of e-mail is now relevant.”

In response to these threats, many Canadian companies now run simulation tests of phishing e-mails to see whether employees can spot them or not.

Ms. Gliga-Belavic emphasized the importance of employee awareness, training and cultural shifts within businesses.

“It’s about changing the approach from, ‘We’re not going to be breached,’ to ‘We will be breached, and if someone is knocking on our door every day, how prepared are we to respond?’ ” she said.

Cybersecurity teams

To bolster their defences, some financial planning firms are putting together multidisciplinary cybersecurity teams, made up of experts in fields such as information technology, privacy law and public relations. In 2017, 74 per cent of Canadian businesses had employees primarily responsible for cybersecurity, according to Statistics Canada.


“Even a couple of years back, not a lot of people were aware of cyber risk, now most organizations are and why they need to do something about it,” Ms. Gliga-Belavic said.

Mr. Nishisato said firms may have designated cybersecurity employees or mix internal and external support, relying, in part, on outside specialists.

“Cybersecurity is an area that has challenged many organizations because it's not within the skill set of any one person. You need to bring together all of these different skills,” Mr. Nishisato said.

Due to the high stakes of data breaches and the potential harm to businesses’ reputations, firms need the ability to react fast. He said one tool companies use is an incident response plan, which specifies not only who is on the security team, but also what the protocols are and what procedures need to be followed in the event of a data breach or threat. Mr. Nishisato said many firms engage in regular testing of those plans to make sure that the team is trained and ready to go.

“We’re getting better, but cybersecurity is a moving target with technology and the evolving nature of cyber threats,” Mr. Nishisato said. “It’s a continuing challenge.”
