As concerns about the digital security of Canada’s financial system continue to increase, regulators have introduced new rules requiring investment dealers to report any cybersecurity incidents. A big challenge is how those companies will get their investment advisors to be their eyes and ears on the ground.
In mid-November, the Investment Industry Regulatory Organization of Canada (IIROC) introduced mandatory cybersecurity incident reporting for its member dealers. They must inform the self-regulatory organization (SRO) of any cybersecurity incidents that disrupt their businesses in two ways. According to the rules, they must first “provide a preliminary description of the incident and steps taken to mitigate” its impact within three days. Then they “must provide a detailed investigation report, outlining the cause and scope of the issue, and steps taken to mitigate the risk of harm to investors and to the firm” within 30 days.
These new rules arrived just days before the Bank of Canada published its biannual Financial System Survey, in which senior experts who specialize in risk management provide their views on the resilience of Canada’s financial system. The danger of a large cyber incident ranked among the top three risks along with a general deterioration in the global economic outlook and a materialization of geopolitical risk events.
Dealers rely heavily on everyone in the organization when responding to cybersecurity incidents, says Bradley Freedman, partner and national co-leader of the cybersecurity law group at Borden Ladner Gervais LLP in Vancouver.
“Cybersecurity and privacy are team sports because they require a co-ordinated response.”
Advisors are a part of that team. As they deal with clients and their sensitive information every day, they represent the front line in any cybersecurity-related effort, says J.R. Cunningham, vice-president of strategic solutions at Herjavec Group, a Toronto-based provider of cybersecurity products and services to enterprises.
“In a lot of other campaigns centered around awareness, ‘If you see something, say something’ is a great tagline,” he says.
Advisors have a responsibility to educate themselves about cybersecurity, says Irene Winel, IIROC’s senior vice-president of member regulation and strategy.
“It’s a matter of good service and good business practice for advisors to stay up to date.”
Ms. Winel points to several IIROC resources to help advisors spot and report suspicious incidents. These include a Cybersecurity Best Practices Guide, a Cyber Incident Management Planning Guide and a Cybersecurity Tips for Advisors webcast continuing-education course.
At the same time, dealers themselves can be proactive in helping their advisors be aware of what to look for, Mr. Freedman says.
“An essential part of cyber risk management and privacy protection is education and training,” he says. “It can be done at a relatively low cost with significant return.”
Dealers can teach advisors what to watch out for without requiring them to be experts in technology-related matters, Mr. Cunningham says. They don’t have to be tech-savvy to understand what personally identifiable information means.
Dealers must make cybersecurity awareness training relevant to advisors, he adds. That means moving beyond dry lectures in an airless conference room and engaging advisors with practical exercises. In one increasingly common approach, companies send out fake phishing campaigns to test employees’ and contractors’ cybersecurity readiness. Companies can even gamify these exercises to help create a sense of healthy competition.
In many cases, it will be obvious to advisors immediately when they’ve done something wrong. “We’ve all had that lump in our throat after we clicked on a link and thought, ‘I shouldn’t have done that,’” Mr. Cunningham says.
The key to reporting cybersecurity incidents successfully is ensuring that advisors know what to do in those situations – namely, escalating the incident quickly so that the right people can deal with it.
“If something doesn’t seem right, knowing who to call and who to engage at a given time is what’s really important,” Mr. Cunningham says.
Advisors – especially those who report their own mistakes – must feel confident that they won’t be punished. It’s up to executives to create an atmosphere of trust, Mr. Cunningham adds.
Dealers may even consider giving advisors an incentive to report any cybersecurity incident, he suggests. That can be especially useful when dealing with large networks of independent advisors. Mr. Cunningham often sees this in retail and restaurant franchises.
“They’ll say, ‘If you adopt our standards, maybe we’ll help underwrite your cyber insurance risk or we’ll pay for your cyber policy because we’re confident that if you follow our technical standards, you’re not going to be breached.’”
Dealers could also engage advisors as active cybersecurity partners by brokering cybersecurity services. An investment company could procure technology protection tools and offer them to advisors at preferential rates to help engage them in cybersecurity reporting practices.
At the end of the day, advisors will need to keep honing their skills as dealers innovate with new technologies and hackers get ever more dangerous, Mr. Freedman warns.
“This is a permanent state of being for the foreseeable future. Organizations have to be on guard. They have to invest in people, processes and technologies to manage cyber risks and to protect the privacy of personal information.”