Cybersecurity in the News

MLex (subscription required) – July 4, 2018 – UK financial cyber-resilience program may have global influence

Key passages:

  • The Bank of England and the UK’s Financial Conduct Authority last week set out plans for domestic financiers — banks, insurers, investment firms and the like — plus market infrastructure such as payment systems, exchanges and clearinghouses.
  • UK companies will be expected to develop — and assure regulators of — their ability to bounce back and minimize disruptions from cyberattacks, computer-system shutdown, power outages or other system mishaps.
  • The regulators remain a ways off from drafting rules, but sketched out their intentions in a paper seeking public input.

Investment Executive – May 2, 2018 – ECB publishes framework for testing resilience to cyber attacks

Key passage:

  • TIBER-EU aims to mimic the tactics, techniques and procedures of real hackers.

Investment Executive – April 5, 2018 – IIROC proposes mandatory reporting of cybersecurity incidents

Key passages:

  • The proposals introduce the obligation to report cyber incidents to IIROC within three calendar days of discovering an incident and to provide a more comprehensive report on the incident within 30 days.
  • IIROC is proposing the new requirements due to the increasing frequency and sophistication of cyber attacks, the regulator says in a notice, and the fact that information sharing is essential for mitigating cyber threats.

IT World Canada – April 3, 2018 – Canadian mandatory breach notification starts November 1, no regulations yet

Key passages:

  • Companies covered under federal law will have to report data breaches to customers, affected third parties and the federal privacy commissioner starting November 1, the government has decided.
  • However, Ottawa still hasn’t proclaimed the regulations that firms will have to follow, which is puzzling privacy law experts.

GFMA – April 3, 2018 – GFMA issues guidance on cybersecurity penetration testing

Key passages:

  • GFMA has released a framework of detailed guidance to help financial institutions adequately test the resilience of cybersecurity precautions through penetration testing and to assure regulators correct procedures are observed.
  • “The goal of the GFMA proposal is not to compete with existing frameworks but rather to coordinate their development and use to ensure that financial institutions are able to safely, securely and efficiently increase their cyber resilience while complying with their supervisory requirements,” GFMA says.

Investment Executive – March 7, 2018 – Banks need to step up cybersecurity efforts: PwC

Key passages:

  • Cybersecurity is a top concern throughout the industry, according to PwC Canada.
  • It reports that more than half (52%) of financial industry executives see cybercrime as the biggest criminal threat facing their firms over the next 24 months, and 93% of bank and capital markets CEOs are already investing in enhanced cybersecurity.
  • Despite these high levels of awareness and action, PwC Canada says that the banks must contend with a variety of challenges including, “increasingly sophisticated adversaries, rapidly evolving technologies, and multiple regulatory requirements.”
  • These factors are prompting the need for banks to revisit their approach to security, and to “augment traditional controls with more layered and advanced controls,” it says.

IT World Canada – March 1, 2018 – Federal budget: RCMP, CSE to get new cyber crime fighting centres

Key passages:

  • In its budget announced Tuesday the government proposes giving the Communications Security Establishment more than $155 million over five years to create a new Canadian Centre for Cyber Security to consolidate its cyber expertise from across the federal government under one roof.
  • That includes the Canadian Cyber Incident Response Centre, the national threat sharing service.
  • More importantly, the Centre for Cyber Security will have the mandate of providing residents and businesses with a place online to turn to for cyber security information.

Investment Executive – February 21, 2018 – SEC adopts guidance on cybersecurity disclosure

Key passage:

  • The goal is to promote clearer and more robust disclosure by companies about cybersecurity risks and incidents

Compliance Week – March 1, 2018 – Financial firms collaborate to defend against cyber-threats

Key passages:

  • A joint cybersecurity simulation effort by the Financial Services Sector Coordinating Council, the Treasury Department and the Financial Services Information Sharing and Analysis Center has resulted in a voluntary resiliency compliance program for financial institutions.
  • The Sheltered Harbor adherence framework focuses on keeping customer account data secure in the event of a cyberattack through the use of a governance model, internal controls and an audit verification process.

Wealth Professional – March 1, 2018 – Are your employees liable for data breaches?

Key passage:

  • A survey among over 5,000 businesses worldwide by Kaspersky Lab and B2B International showed that 52% of businesses admit that employees are “their biggest weakness in IT security, with their careless actions putting business IT security strategy at risk.”

IT World Canada – February 20, 2018 – Cyber crime costs the world almost US$600 billion a year: Report

Key passages:

  • Up from US $445 billion three years ago.
  • That estimate comes from the latest Economic Impact of Cybercrime report by the Washington-based Center for Strategic and International Studies and McAfee.

Canadian Underwriter – January 25, 2018 – Buying a cyber policy? Make sure it’s retroactive

Key passages:

  • When it comes to cyber insurance policies in Canada, retroactivity is noticeably absent from coverage
  • Standard insurance policies do not support retroactivity, said Kevvie Fowler, partner, cyber risk with Deloitte Canada. But “if it’s a large enough policy,” insurers may be willing to insert a clause to support it.
  • Complicating the issue of retroactivity, it usually takes organizations close to 200 days to notice or detect a breach, although that number is shrinking.
  • “So people who sign up for policies basically cross their fingers and hope for 200 days that nothing has happened before the policy takes effect,” Fowler said.

Wealth Professional – January 24, 2018 – Why industry’s ‘silent machine’ is wary of cyber threat

Key passages:

  • Fundserv may be the “silent machine” underpinning the mutual fund industry but it isn’t getting complacent.
  • However, with the pace of technological change continuing at breakneck speed, it remains alert to the threat of cyber attacks and has created its own cybersecurity council, bringing together members to share knowledge on how to keep transactions safe from the “barbarians at the gate”.

Financial Post (Canadian Press article) – January 12, 2018 – Financial firm outsourcing increasing risk of cyber-attacks: IIAC

Key passages:

  • The head of the Investment Industry Association of Canada says the risk of cyberattacks is being amplified by the significant outsourcing done by investment dealers and asset managers.
  • Ian Russell told attendees at an Empire Club of Canada luncheon on Thursday in Toronto that firms’ financial integrity and cybersecurity may not be matched by third-party vendors hired to enhance efficiencies, compensate for scale and reduce costs.
  • To remedy this, he says regulators within Canada need to co-operate and co-ordinate across the financial sector, involving insurance, banking and securities firms.

Investment Executive – December 13, 2017 – DTCC survey ranks top risks to financial stability

Key passage:

  • Cyber risk was named the biggest threat by 36% of respondents to DTCC’s latest systemic risk barometer survey.

Insurance Business – December 10, 2017 – Is cyber insurance prompting more cyberattacks?

Key passages:

  • Writing in The Enterprise Times, researchers at WatchGuard, a security company, have expressed concern that cyber insurance risks are fuelling an increase in ransomware.
  • Cyber criminals are looking to exploit companies that actually have insurance in place – making them priority targets.

EY survey – November 21, 2017 – Organizations are at high risk from cyber attacks; common attack methods still successful, EY survey finds

Key passages:

  • 56% of organizations surveyed are concerned about the increasing impact of cyber threats on their strategies and plans
  • 87% say they require up to 50% more funding to address increased cyber threats
  • Only 12% say they are likely to detect a sophisticated cyber attack

Investment Executive (Canadian Press article) – November 17, 2017 – Cyber Insecurity: the high stakes of data protection in an interconnected world

Key passages:

  • Cyberattacks have become increasingly routine
  • When Victor Dodig checks his phone in the morning, the chief executive of CIBC dreads reading that any government or corporation, anywhere in the world, has been hacked, he told an OSC panel last month.
  • “Obviously, it would be more of a concern if our institution was, but we’re so interconnected that one weak link creates an issue for all of us.”

Conseiller.ca – November 15, 2017 – Cybercrime: the AMF’s expectations of the industry

Key passage:

  • In the latest issue of Info-Conformité, the Autorité des marchés financiers (AMF) says it expects industry participants to put in place the necessary cybersecurity risk-mitigation measures.

Insurance and Investment Journal – November 14, 2017 – Some high-profile cyber-attacks caused by neglect, says IIAC president

Key passages:

  • Cyber security remains a major thorn in the side of international regulators, says the president and chief executive officer of the Investment Industry Association of Canada (IIAC).
  • Presentations made at the [recent IOSCO] meeting indicated that most high profile cyber-attacks, such as the Equifax breach, “can be traced, not to sophisticated techniques, but to neglect implementing basic elements of protection: too open-ended access to administrative controls over the technology systems and failure to place effective ‘patches’ specifically on identified areas of the software system.”

CNBC – November 9, 2017 – SIFMA’s Quantum Dawn IV drill gauges resilience against major cyberattack

Key passages:

  • SIFMA conducted its Quantum Dawn IV drill this week. “A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing.
  • No single actor — not the federal government, nor any individual firm — has the resources to protect markets from cyber threats on their own,” said SIFMA President and CEO Kenneth E. Bentsen.

SIFMA – November 2, 2017 – SIFMA Testifies on Cybersecurity Priorities

Key passage:

  • SIFMA’s testimony notes that there is likely no greater threat to financial stability than a large-scale cyber event, so SIFMA and its member firms are deeply committed to improving our sector’s cybersecurity resiliency and working with government partners to protect the broader economy.

Investment Executive – September 28, 2017 – Cyber insurance brings opportunities, challenges for insurers

Key passage:

  • Growth is being driven by increasing risk and awareness of cyber attacks

Investment Executive – September 26, 2017 – SEC moves to combat cyber threats, protect retail investors

Key passages:

  • A dedicated new Cyber Unit, launched by the SEC’s enforcement division “will focus on targeting cyber-related misconduct.”
  • At the same time, the regulator is setting up a Retail Strategy Task Force to address issues that primarily impact retail investors.
  • The task force will develop “targeted initiatives to identify misconduct impacting retail investors,” ranging from unsuitable product sales to microcap pump-and-dump schemes.

Investment Executive – September 7, 2017 – Greater efforts to fight cyber attacks needed, industry institute says

Key passages:

  • Among other things, the Institute of International Finance (IIF) calls for greater collaboration between the industry and regulators on effective cybersecurity practices.
  • It also advocates removing impediments to sharing information across the financial system.

Reuters – September 5, 2017 – SEC chief says cyber crime risks are substantial, systemic

Key passages:

  • SEC’s Clayton: Investors don’t fully grasp cybercrime threat
  • Regulators must work harder to help individual investors appreciate the risks presented by new technologies that cybercriminals use to commit fraud, said SEC Chairman Jay Clayton.
  • He said he plans to give cybersecurity a high priority in the SEC’s enforcement actions.

Investment Executive – July 31, 2017 – New York boosts cybersecurity

Key passage:

  • State regulator launches online portal for financial firms to report possible breaches

Investment Executive – July 17, 2017 – IIAC aims to help investment dealers gauge cybersecurity risks

Key passages:

  • The association has created a survey that investment dealers could use to gauge the risks that third-party service providers present
  • Industry regulators have flagged due diligence by industry vendors as a key component of the industry’s cyber defences, the IIAC notes.

The Globe and Mail – July 11, 2017 – Editorial: The new cyber-threats, and how to stop them

Key passages:

  • High-level breaches are already happening more often, and at higher cost, than most people realize.
  • A recent study by the Ponemon Institute on the costs of data leaks found the average breach in Canada, defined as the loss, theft or exposure of financial or medical information, cost $5.8-million to fix, investigate and mitigate.
  • The institute looked at 27 major companies, which lost an average 21,000 records per occurrence.
  • The cost figure is actually down slightly from last year, but that’s not the report’s most interesting finding. Roughly half the breaches were due to software glitches or human error; the cyber equivalent of a business damaging its own merchandise. The other half were the result of criminal or malicious activity – the electronic equivalent of a break and enter.

Reuters – June 8, 2017 – New SEC enforcement chiefs see cyber crime as biggest market threat

Key passages:

  • The SEC has appointed two enforcement chiefs, Stephanie Avakian and Steven Peikin.
  • In a joint interview, the pair said that cybercrime poses the greatest threat to the industry and that they intend to take particular action to curb it.

Investment News – May 17, 2017 – SEC alerts advisers on WannaCry ransomware cyberattacks

Key passage:

  • The SEC has issued a cybersecurity alert emphasizing that broker-dealers and other financial-services professionals should conduct regular vulnerability scans and penetration tests of critical computer systems.

New York Times – May 17, 2017 – With Ransomware, It’s Pay and Embolden Perpetrators, or Lose Precious Data

Key passage:

  • Thousands affected by the global digital attack must decide whether to fork out money to gain control of their computers or face losing their data forever.

Reuters – May 17, 2017 – China’s banking regulator to step up protection after cyber attack

Key passage:

  • The China Banking Regulatory Commission says it will increase data security after a global cyberattack over the weekend, promising tougher new legislation, reviewing its own procedures and urging banks to conduct assessments, early warning and prevention for such events. The attack affected an estimated 30,000 entities in China, although the CBRC said no banks were infected.

Investment Executive – May 8, 2017 – The cybersecurity challenge – a three-part series

Key passages:

  • Keeping current on cybersecurity threats – Understanding the digital perils is the first step in protecting your practice
  • Lessons learned from recent cyber attacks – These examples reveal some of the tactics that hackers use and the steep costs they can have for firms
  • You’ve been hacked. Now what? How to deal with digital breaches before and after they happen

Investment Executive – April 6, 2017 – CSA recommends greater co-operation on cybersecurity

Key passage:

  • The investment industry’s informal approach to information sharing and communication works well, but improvements are needed, CSA report finds.

The Globe and Mail – March 28, 2017 – Companies need to plan for handling a cybersecurity breach

Key passage:

  • [W]hile it’s true that Canadian companies are increasingly preparing for the financial, legal and technical implications of a breach, many continue to overlook developing a communications strategy, which is critical in the early hours and days of a breach when it comes to protecting reputation over the short and long term.

National Law Review – March 24, 2017 – Mnuchin makes cybersecurity top tech priority

Key passages:

  • Treasury Secretary Steven Mnuchin said that because the safety of the financial system is critical, he has made cybersecurity his top technology priority.
  • He said he will use his authority as chairman of the Financial Stability Oversight Council to push financial regulators to strengthen cybersecurity.

New York Times – March 23, 2017 – The Next Front in Cyberwarfare

Key passages:

  • One of the biggest bank robberies of all time has shown what could be the next front in cyberwarfare.
  • The United States attorney’s office in Los Angeles is said to be examining the extent to which the North Korean government aided and abetted a heist in which $81 million was stolen from the central bank of Bangladesh in February 2016.
  • Federal prosecutors are building cases that would target Chinese middlemen who prosecutors believe helped North Korea orchestrate the theft, according to The Wall Street Journal, which earlier reported the potential charges.

Fortune.com – March 7, 2017 – Cybercriminals impersonate SEC to get inside information

Key passages:

  • In an effort to gain access to inside information, cybercriminals are posing as SEC officials in emails to corporate executives, lawyers, compliance officers and others who have roles in submitting documents to the SEC.
  • FireEye, the security firm that spotted the practice, said the online scammers are probably part of an Eastern European criminal organization that profits by basing trading on inside information.

Financial Post – March 8, 2017 – New York’s new financial cyber security laws have Canadian experts taking note

Key passages:

  • Regulated financial institutions must ensure that all third-party companies with which they do business demonstrate a minimum level of cyber security and report any breaches that impact their data.
  • “What this means for small to medium sized Canadian businesses is, you may not see yourself as a risk, but the Big Five [banks] that you do business with are going to start seeing you as one. So you’re going to need to demonstrate your cyber readiness,” says Katherine Thompson, Cyber Council Chair at the Canadian Advanced Technology Alliance.

IT World Canada – March 7, 2017 – Cyber security certification program for Canadian SMBs to launch soon

Key passages:

  • CyberNB, a wing of the New Brunswick government aiming to make the province a cyber security hub, has quietly announced it is adopting for use in this country the U.K. Cyber Essentials program certifying small and mid-sized companies have met certain minimum security standards.
  • In addition to being a brand for competitive advantage, the program should also be a spur to SMBs to improve their IT security.
  • CyberNB hopes to officially launch the program in several provinces in April.

IT World Canada – March 2, 2017 – Mandatory cyber audits coming for publicly-traded companies, Canadian audience told

Key passages:

  • Governments or regulators are getting so sensitive about cyber security they may demand publicly-traded companies to undergo annual cyber audits as well as financial audits, says a former U.S. Homeland Security secretary who is now a consultant on risk management.
  • Tom Ridge made the prediction to a Canadian audience at the third annual International Cyber Risk Management Conference in Toronto, where he also repeatedly asserted that to fight cyber attacks the public and private sectors have to build resilient organizations.

IT World Canada – March 2, 2017 – Canada under-invests in IT, senior bureaucrat tells cyber security conference

Key passages:

  • Scott Jones, assistant deputy minister of the Canadian Communications Security Establishment – which is responsible for securing federal government networks — said Thursday at the third International Cyber Risk Management Conference in Toronto.
  • He said the public and private sectors are going to have to work better together on cyber defence, but also wondered if governments need carrots or sticks to get operators of critical infrastructure to improve their cyber security.

Advisor.ca – February 28, 2017 – Major data breach touches U.S. robo, but risk ‘extremely low’

Key passages:

  • Betterment, a U.S. robo-advisor, was on an unofficial list of affected sites compiled on Github.
  • Betterment stressed that it “is confident that customer account information is safe. Additionally, Cloudflare performed its own internal review and determined that Betterment’s data was not included in the information exposed by the vulnerability.”

Reuters – January 26, 2017 – Hong Kong securities brokers hit by cyber attacks, may face more: regulator

Key passages:

  • Hong Kong’s securities regulator said brokers in the city had suffered cyber attacks and warned of possible further incidents across the industry.
  • In a circular to licensed firms late on Thursday, the Securities and Futures Commission (SFC) said it had been informed by the Hong Kong police that brokers had encountered so-called “distributed denial of service” (DDoS) attacks targeting their websites and received blackmails from criminals.

Investment News – January 17, 2017 – N.Y.’s cybersecurity rules take effect March 1

Key passages:

  • Financial-services providers operating in New York will face new cybersecurity regulations, which include having a designated chief information security officer, starting March 1.
  • “New York is creating a standard that will probably be a catalyst for a national change,” said John Cunningham of Docupace Technologies.

The Globe and Mail (subscription required) – December 29, 2016 – Top five worries of mid-sized companies for 2017

Key passages:

  • 3. Cybersecurity.
  • Despite the average hack leading to the loss of just less than two million files, according to risk management and advisory firm Willis Towers Watson, there is lots of talk but little action.
  • In its latest Cyber Claims Brief, Willis Towers Watson suggests companies implement a comprehensive information security plan that includes “a cyber-risk assessment, external penetration testing (sometimes called ethical hacking, in which external cyber defenses are tested), as well as an internal evaluation.”
  • A good start would be fairly low-tech and inexpensive.
  • “If I were a medium-sized employer, I would buy every single person on my payroll a password manager,” says Barry Sharp, chief executive officer of AMA Management Ltd. in Vancouver.

Canadian Business – December 21, 2016 – Cyber-security gaps that small businesses need to watch out for

Key passages:

  • Small businesses often think that they’re not big enough for hackers to bother with, but that’s not the case.
  • Here are the parts of the business most at risk
  • Mobile devices, Internet of Things, Passwords, E-Commerce, Employees

Financial Post (Reuters article) – December 28, 2016 – New York financial regulator eases proposed cyber rules after industry complaints, delays launch

Key passages:

  • “Many organizations are going to have a lot of work to do to come into compliance with these revised regulations,” said Jed Davis, a partner with law firm Day Pitney and former U.S. federal cyber crimes prosecutor.
  • The Department of Financial Services responded by easing some timelines and requirements, including standards for encrypting data and authenticating access to networks.
  • The new draft also gives firms more time to comply with the rules, expanding the transition period from six months to as much as two years.
  • The agency said it would finalize the rules after a 30-day public comment period.

Canadian Business – December 22, 2016 – Cyber-security gaps that small businesses need to watch out for

Key passages:

  • Small businesses often think that they’re not big enough for hackers to bother with, but that’s not the case.
  • Here are the parts of the business most at risk:
      • Mobile devices
      • Internet of Things
      • Passwords
      • E-Commerce
      • Employees

New York Law Journal (subscription required) – November 30, 2016 – Financial Industry Groups Slam NY State’s Proposed Cybersecurity Rules

Key passages:

  • SIFMA and other finance-industry groups are voicing concerns over New York state’s proposed rules outlining cybersecurity measures for protecting confidential client data.
  • The plan is likely to impose “inflexible, one-size fits all requirements” within an “unworkable” timeline, the groups say in public comments.

American Banker – November 29, 2016 – A Customer Data Bunker that Could Survive Catastrophe

Key passages:

  • FS-ISAC, in collaboration with various industry groups, including SIFMA, has pioneered the Sheltered Harbor plan through which banks will keep a secure backup of client data in an industry standardized format to allow recovery after a cybersecurity or natural disaster.
  • “The data is encrypted, it’s immutable, it’s in storage, should another firm need to have access to it,” said Tom Wagner, SIFMA’s managing director of financial services operations.

Pensions & Investments Monitor – November 28, 2016 – Managers might see cybersecurity regulations soon; Upcoming bank rules could serve as a model for money management firms

Key passages:

  • Rules being drafted by the Federal Reserve, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. governing cybersecurity in the banking industry could eventually be a model for regulations governing the money management industry, industry participants say.
  • “It’s possible that the [SEC] or [CFTC] could conform, or at least harmonize, any current or future cybersecurity requirements with federal bank cybersecurity standards,” says Charles Horn, partner at Morgan, Lewis & Bockius.

Wall Street Journal (subscription required) – November 22, 2016 – Trade Groups Adopt Plan to Better Shield Depositors, Investors From Cyberattacks; Plan to fortify cybersecurity defenses by standardizing data storage for retail accounts

Key passages:

  • The plan, dubbed “Sheltered Harbor,” is intended to ensure depositors and investors that their accounts will be secure after a cyberattack.
  • Financial institutions will store data that’s needed to recover an account in an industry-standard format so that client information can be restored at another location if the primary institution suffers an attack. The standards will go into effect in 2017.
  • The new standard for data storage reflects the industry’s response to a series of cybersecurity exercises in the past few years, often with the cooperation of federal agencies including the Treasury Department and Department of Homeland Security.

Investment Executive – November 17, 2016 – CSA to host cybersecurity roundtable in early 2017

Key passages:

  • The discussion will focus on examining cybersecurity in the securities industry and possible approaches to dealing with cyberattacks.
  • Link to CSA Staff Notice 11-332 Cyber Security: https://www.osc.gov.on.ca/documents/en/Securities-Category1/sn_20160927_11-332-cyber-security.pdf

Investment Executive – November 15, 2016 – Firms struggle with cybersecurity

Key passages:

  • Another challenge is lack of in-house expertise, says Susan Copland, managing director with the Investment Industry Association of Canada (IIAC) in Vancouver: “Not all members have in-house expertise to deal with this. [The challenge is in] finding outsourced resources to help them comply, because [cybersecurity] can get technically complex.”
  • Sharing information can help here, she adds. Sharing experiences of security incidents and best practices can help investment firms learn from others in their community.
  • Information-sharing efforts haven’t gained the traction they need among Canada’s investment firms, adds Copland, who points to the Financial Services Information Sharing and Analysis Center, a U.S.-based information-sharing group for the financial services sector that numbers Canada-based companies among its members, as a popular resource for Canadian investment companies.
  • Regarding IIROC members’ self-assessments, Copland says, there is room for improvement, especially among smaller firms. Ensuring the security of third-party services vendors can be difficult, especially when those vendors are linked to an investment firm’s systems, she says.
  • The IIAC and IIROC are creating a working group to address that issue, she adds.

Investment Executive – October 19, 2016 – Canada is world’s fourth-largest cybersecurity hub, report finds

Key passages:

  • Ontario has been the main driver, and the province has the potential to further strengthen its cybersecurity dominance, which would benefit the financial services sector as well
  • “Canada’s financial services sector has an international reputation for stability, safety and growth. And, it is headquartered right here in the Toronto-Waterloo innovation corridor, among one of the largest technology hubs in North America,” she adds. “This presents a huge opportunity to build capacity to support the financial services sector and to generate economic growth.”

Conseiller.ca – October 14, 2016 – A new monthly cybersecurity newsletter

Key passages:

  • The Financial Services Information Sharing and Analysis Center (FS-ISAC), the Investment Industry Association of Canada (IIAC) and the Securities Industry Financial Markets Association (SIFMA) will collaborate on publishing a monthly bulletin on cybersecurity and new cyber threats against the North American securities sector.
  • More information here.

    Wall Street Journal (subscription required) – October 11, 2016 – Group of Seven Economies Reach Deal to Bolster Financial Cybersecurity

    Key passages:

    • • The Group of Seven has adopted guidelines to protect the financial sector from cyberattacks.
    • • Nonbinding agreement establishes common strategies to fortify online infrastructure.
    • • “SIFMA commends the initiative taken by the G7 to improve global coordination and consistency in the fundamental elements governing cybersecurity in the financial sector,” says Tom Price, SIFMA’s managing director of operations.

    Advisor.ca – September 28, 2016 – CSA pushes for online security improvements

    Key passages:

    • The CSA has published Staff Notice 11-332 Cyber Security to promote cyber-security awareness, preparedness and resilience in Canadian capital markets.
    • • “We have identified cyber security as a priority in the CSA 2016-2019 Business Plan,” said Louis Morisset, Chair of the CSA and President and CEO of the AMF. “It is crucial for us to improve collaboration and communication on cyber-security issues with market participants. We want to ensure they are aware of the challenges, have a sufficient level of preparedness, and are as resilient as possible against cyber risks.”
    • • CSA members intend to re-examine the disclosure of some of the larger issuers in the coming months. CSA expects to publish findings and recommendations from those reviews.

    Financial Post – September 10, 2016 – ‘They’re not safe’: Smaller firms, financial institutions becoming more vulnerable to cyber attacks

    Key passages:

    • • The head of the Investment Industry Association of Canada raised the alarm about cyber crime last year, acknowledging that many Bay Street firms weren’t as prepared as they should be.
    • • “Our focus, really, is making sure our small and medium sized (dealers) are secure,” says Susan Copland, managing director of the IIAC. “Because a breach at one firm affects everybody, not just through reputation but through the interconnections of the system.”

    IT World Canada – August 16, 2016 – Ottawa announces public consultation on cyber security strategy

    Key passages:

    • • The federal government has started a three-month public consultation on updating its cyber security strategy, asking security pros and citizens for input on how it should not only strengthen the national IT systems and critical infrastructure in the private sector but also help businesses and residents.
    • • Public Services Minister Ralph Goodale said Tuesday the consultation, which ends Oct. 15, will help identify gaps and opportunities, bring forward new ideas to shape Canada’s renewed approach to cyber security and capitalize on the advantages of new technology and the digital economy.

    The Globe and Mail – August 10, 2016 – Ten tips to keep your workplace data secure

    Key passages:

    • • A 2014 global survey by the U.S.-based Ponemon Institute, which conducts independent research on privacy, data protection and information security, found that 55 per cent of small businesses and professionals said they had suffered at least one data breach in the previous year and 53 per cent reported multiple breaches.
    • • Ponemon’s 2016 research in Canada looked at 24 companies and found that the average per capita cost of a data breach is $278, up from $250 the previous year, and the average total cost to businesses (large as well as small) was more than $6 million, up 13 per cent from 2015.

    Canadian Underwriter – August 10, 2016 – Global cybersecurity market to grow from US$122.45 billion to US$202.36 billion by 2021: report

    Key passage:

    • • The Cyber Security Market – Global Forecast to 2021 report from the Dublin, Ireland-based global market research store reveals that the cybersecurity market is growing rapidly because of the increase in adoption of cybersecurity solutions, “due to the increase in security breaches targeting enterprises.”

    Conseiller.ca – July 27, 2016 – The Cybersecurity Industry Today: A Conversation with Congress and the Financial Services Industry

    Key passage:

    • • The global financial system risks being targeted again by hackers in the coming months, Agence France-Presse reports.

    SIFMA – July 26, 2016 – The Cybersecurity Industry Today: A Conversation with Congress and the Financial Services Industry

    Key passage:

    • • At a roundtable discussion on Capitol Hill, Members of Congress gathered with financial industry experts from Goldman Sachs, Morgan Stanley and Wunderlich Securities to discuss the state of the cybersecurity industry today and the role of America’s capital markets in funding cybersecurity initiatives.

    IT World Canada – July 14, 2016 – Ransomware in real time: How hackers infiltrate secured systems

    Key passages:

    • • “Virtually all acquirers must implement a rigorous diligence process when considering M&A targets,” says the report by West Monroe Partners, a U.S.-based business and technology consulting firm. “The nature of cyber threats is also changing constantly, requiring a nimble approach to due diligence.”
    • • How big an issue is it? According to a survey of 30 senior executives at corporate and private equity firms that frequently conduct M&A transactions, 80 per cent said cybersecurity issues are highly important in doing due diligence on potential deals.
    • • The other 20 per cent said they are somewhat important.

    Business in Vancouver – July 4, 2016 – Canadian companies are woefully behind when it comes to cyber security

    Key passages:

    • • There are forces at play now that aren’t satisfied with just stealing your money, they want to destroy your entity
    • • A survey of 2,200 companies across 18 countries has found that Canadian companies are among the least equipped to deal with cyber threats.
    • • The study ranks 18 countries based on the per cent of businesses that are adopters of effective modern cyber security procedures and technology. On a list of 18 countries Canada was number 15, ahead of only the Netherlands, Japan and the United Arab Emirates.

    Investment Executive – June 9, 2016 – U.S. authorities issue cybersecurity bulletin

    Key passage:

    • • FFIEC urges financial institutions to safeguard interbank messaging and payment networks

    Investment Executive – June 3, 2016 – SEC appoints cybersecurity senior advisor

    Key passage:

    • • Christopher Hetner will be responsible for co-ordinating efforts across the agency

    Investment Executive – May 27, 2016 – Minimizing the cybersecurity threat

    Key passages:

    • • What can advisors do to protect themselves against an online attack?
    • • Susan Copland, managing director at the Investment Industry Association of Canada, has some other pointers, including creating strong passwords for all devices and updating them regularly.
    • • ‘Strong’ in this context means words that aren’t found in the dictionary, and which include numbers, capital letters, and symbols.
    • • Other measures include ensuring that antivirus software on devices is up-to-date and signing out of programs when they’re not in use.
    • • A little scepticism goes a long way too, Copland points out; avoiding suspicious emails and attachments can prevent problems arising in the first place.
    • • Dealers should also follow the training and protocols put in place by their firms to protect confidential information, she adds.

    Investment Executive – May 25, 2016 – The growing threat of cyberattacks

    Key passage:

    • • Cyberthreats are becoming more devious, and they present a key risk to both your business and your clients. Here’s what advisors need to know

    The Globe and Mail – May 20, 2016 – Ransomware in real time: How hackers infiltrate secured systems

    Key passages:

    • • Security-software providers are in a constant cat-and-mouse game with ransomware makers who can find ways to penetrate even well-guarded systems.
    • • The following is an account of a real attack that happened in February of this year, as described by Chris Whidden, a security engineer based out of New York who works for Canadian security consultancy eSentire Inc.

    Office of the Information and Privacy Commissioner of Alberta – March 23, 2016 – Advisory for Ransomware

    Key passages:

    • • Ransomware is malicious software (malware) installed on your device or system, including smartphones and tablets, that encrypts the hard drive or specific files then demands a ransom be paid before the device or information is decrypted. Importantly, hackers may access your data during the course of an attack.
    • • The severity of the attack and the safeguards you have in place will impact your response. Generally, the following actions are recommended:
    • 1. Disconnect the affected device or system from the rest of the network and from the internet.
    • 2. Run anti-malware scans in an attempt to identify and remove the ransomware, if possible.
    • 3. If you are able to restore your files or system from backup, you do not need to submit to a ransom demand.
    • 4. Review the response plan and update, as appropriate.
    • 5. Further education on preventive measures.
    • • If a breach of personal information has occurred:
    • 1. Private sector organizations must consider if the intrusion presents a real risk of significant harm. If it does, under the Personal Information Protection Act, private sector organizations in Alberta must report the breach to the OIPC and may be required to notify affected individuals.
    • 2. Public bodies and health custodians are not required to report such incidents to the OIPC but are encouraged to contact the OIPC for advice and consider notifying affected individuals.

    Advisor.ca – March 1, 2016 – 5 cyber security trends affecting businesses

    Key passages:

    • 1. Increase in extortion-driven and ransomware incidents.
    • 2. Mandatory breach notification.
    • 3. Increased risk with use of mobile devices.
    • 4. Greater use of real-time intelligence tools to monitor live attacks.
    • 5. Greater focus on risks posed by third-party vendors and suppliers.

    CFO.com – February 24, 2016 – Financial Regulators Have Cyber on Their Minds

    Key passages:

    • • Financial regulators, struggling to keep up with the onslaught of new threats to the public’s sensitive financial and personal data, have spent the last few years examining corporate cybersecurity practices, policies, and procedures and communicating their expectations to executives.
    • • This year, expect regulators to hold companies accountable for their cybersecurity failings.

    IT World Canada – February 9, 2016 – Half of cyber attacks on Canadian firms succeed, survey suggests

    Key passages:

    • • A group of Canadian infosec pros say the number of cyber attacks their organizations faced increased 17 per cent in 2015 over the previous year, according to a new survey, with just over half admitting sensitive information had either been lost or exposed.
    • • The study, done for Toronto-based systems integrator Scalar Decisions Inc., was compiled from responses of 654 IT and IT security practitioners in Canada in a wide variety of industries.

    CNBC – February 2, 2016 – Is your wealth manager a target for a cyberattack?

    Key passages:

    • • In FINRA’s annual Regulatory and Examination Priorities Letter, published Jan. 5, the agency identified cybersecurity as a technology management issue under the priority area of supervision, risk management and controls.
    • • The letter states: “FINRA will review firms’ approaches to cybersecurity risk management, and depending on a firm’s business and risk profile, we will examine one or more of the following topics: governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training.”
    • • The SEC has also listed cybersecurity as a top priority in its Examination Priorities for 2016 notice because at least 74 percent of advisors have been a target of a cyberattack, according to a recent SEC examination.

    Advisor.ca – January 26, 2016 – One-third of businesses can’t detect cyber attacks

    Key passages:

    • • [A]ccording to an EY survey, more than one-third (36%) of organizations still don’t believe they can detect sophisticated cyber-attacks.
    • • That number is lower than last year (56%), but still a concern as the level of sophistication in attacks continues to increase.

    Canadian Business – January 25, 2015 – Here’s why you should start encrypting your entire website

    Key passages:

    • • Consumers increasingly want more security from the companies they deal with. Encrypting your website is a good start.
    • • Customers want it. More importantly, Google wants it.
    • • Google announced that it now factors a website’s security into its search algorithm. In other words: sites using HTTPS will perform better in Google search results. “It’s only a very lightweight signal,” the company wrote, “but over time we may decide to strengthen it.”

    Investment Executive – January 13, 2016 – Employees are the main source of cybersecurity breaches

    Key passage:

    • • PwC report finds that there are several innocent ways that an employee can become involved in a cyber attack.

    Investment Executive – December 21, 2015 – IIROC guides help dealers boost cybersecurity preparedness

    Key passage:

    • • IIROC on Monday published two resources to help investment firms protect themselves and their clients against cyber threats and attacks.
    • • Article contains links to access the resources.

    Canadian HedgeWatch – December 5, 2015 – Canada’s investment dealers urged to make detailed plans to respond to cyber attacks

    Key passage:

    • • Blazing a Trail: The Investment Industry Association of Canada helps member firms counter the global cyber threat.

    National Post – November 25, 2015 – Canada’s investment dealers urged to make detailed plans to respond to cyber attacks

    Key passage:

    • • “The cyber threat is far too sophisticated and serious to relegate it simply to the firm’s IT department,” Ian Russell, chief executive of the Investment Industry Association of Canada, said in a letter to members Tuesday.

    BNN – November 24, 2015 – Ian Russell, IIAC President and CEO, outlines the six key elements of an effective cyber security plan

    Key passage:

    • • BNN interviews Ian Russell, president and CEO, Investment Industry Association of Canada, for more on what he calls the six key elements to a top notch cybersecurity plan.

    Advisor.ca – November 24, 2015 – How to protect against hackers

    Key passage:

    • • Financial industry firms have been and will continue to be prime targets of hackers. In his latest industry letter, IIAC president and CEO Ian Russell outlines the six key elements of an effective cybersecurity plan for Canada’s investment dealer firms.

    investmentexecutive.com – November 10, 2015 – Plan to be cyber resilient; IIAC chief Ian Russell outlines the critical elements of an effective cyber security program

    Key passages:

    • • Canadian financial services firms and advisory businesses should establish plans to protect their operations from cyber security threats, according to Ian Russell, president and CEO of the Toronto-based Investment Industry Association of Canada.
    • • “There is no way to make your company completely hack-proof, but you can establish systems in your organization to guard against most threats and, when one makes it through, you can deal with it quickly and efficiently before it does significant damage,” Russell told the 2015 Distinguished Advisor Conference in Puerto Vallarta on [November 9].
    • • Click on the article to access the critical elements of an effective cyber security program

    Financial Post – November 10, 2015 – Bankers say cyber security and disruption by new technologies top list of emerging risks

    Key passages:

    • • Eighty-three per cent of those polled during a [Global Risk Institute] conference in Toronto said Canadian financial institutions are vulnerable to technological disruption.
    • • “They’re clearly telling us that cyber security, [and] technology disruption is a thing that’s on their mind the most,” said Richard Nesbitt, chief executive of the Global Risk Institute.
    • • He said there is “considerable concern about vulnerability to cyber security — so hacking — because it’s such an uncontrollable risk.”

    investmentexecutive.com – November 4, 2015 – Cyber extortion attempts against financial firms are on the rise

    Key passage:

    • • Cyber attacks against financial institutions that aim to extort payments in return for the release of sensitive information are on the rise, the FFIEC cautions. “Financial institutions should address this threat by conducting ongoing cybersecurity risk assessments and monitoring of controls and information systems,” the council says in a statement. “In addition, financial institutions should have effective business continuity plans to respond to this type of cyber attack to ensure resiliency of operations.”

    Economist.com – November 2, 2015 – Counter-at-hack; How business can fight back

    Key passage:

    • • Cyber-security will start to work next year, as smart organisations begin to use identifiers that are harder to copy, fake, steal or guess, such as fingerprints, retinas, posture, gait and even typing habits.

    Financial Post – September 22, 2015 – ‘If they haven’t been breached, they will be’: Companies well aware getting hacked is inevitable, though they won’t admit it in public

    Key passages:

    • • “If they haven’t been breached, they will be. I think every organization will concede today that it’ll only be a matter of time,” Ali Solehdin, a senior product manager at Absolute Software Corp. in Vancouver, B.C., said during a recent interview. “(Attackers) are spending lots of time learning and looking for vulnerabilities. In many cases, the attackers know more about the internal IT infrastructure than the organization knows.”
    • • As breaches become more commonplace, Solehdin believes the emphasis in cybersecurity should shift from defending to detection

    Investmentnews.com – September 22, 2015 – SEC nails advisory firm for cybersecurity failure before data breach

    Key passage:

    • • An [American] investment advisory firm has agreed to pay $75,000 to settle SEC charges that it failed to have a cybersecurity policy in place before a computer breach compromised 100,000 individuals’ personal information, including records of some of the firm’s clients.

    Financial Post – June 5, 2015 – Michael Calce, aka ‘Mafiaboy,’ says hackers have companies ‘on the defence 24-7’

    Key passages:

    • • “I don’t want you to be paranoid – but you probably should be,” he told the crowd at a cyber security conference in Toronto on Thursday. 
    • • Calce made it clear during his talk at the Investment Industry Association of Canada conference that he has some practical advice that only comes with a fee for his services.