Brent J. Arnold
Associé
Article
35
Canadian securities regulators have issued a notice on cyber security and social media [1] which brings into sharp relief the rapid pace of the threats investment dealers and advisers now face as a result of the increased targeting of the financial industry by cyber criminals. In light of the scope of these challenges, it is worth taking a comprehensive look back at the developments over the past few years so firms can better protect themselves going forward.
The past two years have seen cyber attacks and cyber security move from the business section to the front page, with high-level breaches affecting everything from the sanctity of democratic elections to the privacy of individuals as consumers and even as patients. Recent hacks have borne out industry predictions of an increasing shift from opportunistic attacks on unsophisticated individuals, to continued attacks on gatekeepers of consumer information (e.g. the recent Equifax breach), to breaches of targets holding higher value financial information (see the Deloitte breach and, more troubling still, the attack exploiting the U.S. Securities and Exchange Commission's EDGAR filing system[2]). As holders of high-value financial information become prime targets for cyber attacks, investment dealers must be more vigilant and prepared than ever before.
A cyber attack in the Canadian marketplace could severely threaten market integrity and undermine investor confidence; and investment dealers have clearly given thought to the repercussions of such attacks on their business. A number of regulators have canvassed market participants to assess the scope of these threats.
In early 2015, the Investment Industry Regulatory Organization of Canada (IIROC) conducted a survey of dealer members' preparedness to deal with cyber attacks. It noted that it was using the information gathered during these assessments to develop best practice recommendations, as well as an incident response guide. The survey found that:
In the past year, Canadian securities regulators have reported the results of a review of the recent annual filings of 240 companies listed on the S&P/TSX Composite Index. The review focused on the quality of the disclosure relating to cyber security issues in the companies' respective risk disclosures. Some of the key findings included:
In sum, while some companies have turned their minds to cyber security threats in their disclosure, there is still a lot of room for improvement. As discussed below, Canadian securities regulators have also published a number of important recommendations to assist companies in this regard.
The most recent notice from Canadian securities regulators sets out the results of a survey related to cyber security and social media practices from 2011-2016 by investment fund managers, portfolio managers and exempt market dealers. The results provide an interesting and possibly troubling snapshot of the industry. Among the troubling results:
Among the positive results:
Cyber security has been identified as one of the top enforcement priorities of Canadian and American securities regulators. Canadian securities regulators have called on dealers to "be aware of the challenges of cyber-crime and [should] take the appropriate protective and security hygiene measures necessary to safeguard themselves and their clients or stakeholders."[4] The Ontario Securities Commission (OSC) has noted that "[r]obust cyber security measures are an important element of the controls of issuers, registrants and regulated entities in ensuring the reliability of operations and the protection of confidential information."[5] The OSC has also indicated it will evaluate these controls in its oversight of registrants and regulated entities in Ontario.[6]
The importance of cyber security was also raised in IIROC's Annual Compliance Report for 2014/2015[7] and on December 21, 2015, following their aforementioned survey of IIROC-regulated firms regarding cyber security, IIROC published two resources to help firms protect themselves and their clients against cyber threats and attacks: the Cybersecurity Best Practices Guide[8] (the "Best Practices Guide") and the Cyber Incident Management Planning Guide[9] (the "Incident Guide").
The Best Practices Guide, described as a "living document",[10] is intended to provide a voluntary set of industry standards and best practices to help IIROC Dealer Members manage cyber security risks[11].
Some of its key points include:
The Incident Guide is intended to assist IIROC members in preparing an internal cyber-incident response plan, setting out voluntary cyber security strategies, guidelines, and tools for small and mid-sized IIROC Dealer Members.
As with the Best Practices Guide, IIROC notes that the Incident Guide "is not intended to create new legal or regulatory obligations or modify existing ones."[12] Instead, it lists five steps in preparing for and responding to cyber security incidents. These include:
The Best Practices Guide and the Incident Guide set forth a voluntary risk-based cyber security framework and are not intended to create new legal or regulatory obligations or modify existing ones. However, given the vulnerabilities that investment dealers can face,[13] dealer firms would do well to review the content of these resources and to, at the very least, consider whether they are compliant.[14]
IIROC has followed up on these initiatives by providing dealers with individualized, confidential 'report cards' comparing their practices and processes to firms of similar sizes and with similar business models.[15] And, in its announcement of strategic priorities for 2018, IIROC has reaffirmed its commitment to helping dealers improve their cyber security preparedness.[16]
For their part, Canadian securities regulators published a number of key recommendations in their 2017 notices. At the beginning of the year, they provided guidance on risk factor disclosure and incident reporting. Among the key highlights, they recommended:
And most recently, Canadian securities regulators weighed in with further guidance on how registrants can better protect their firms from cyber attacks. Some of the key highlights include:
Canadian securities regulators also offered guidance on cyber-threats related to social media being used as a vehicle to carry out attacks against registrants, suggesting that firms have guidelines on appropriate use and content of social media, and should monitor authorized and unauthorized use of social media by firm employees.
Cyber security has been on the radar of the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) since at least 2007.[17] In fact, it was referred to by President Obama, early on in his first term, as "one of the most serious economic and national security challenges" the country faced[18].
In January 2014, FINRA initiated a sweep to better understand the types of threats to which member firms were subject, as well as their response to those threats.[19] The subsequent Report on Cybersecurity[20] identified the top three threats facing firms as:
On January 11, 2016, the SEC announced its 2016 Examination Priorities. For the third straight year, among them was a focus on broker dealers' and investment advisers' cyber security compliance and controls.[22]
While Canadian securities regulators' current focus seems to be on establishing a culture of awareness of the risks of cyber attacks and the importance of proactive management,[23] the SEC has already begun prosecuting firms for failure to adopt written policies and procedures designed to protect customer data. In a September 2015 case, RT Jones,[24] the SEC found that the investment adviser failed to establish the required cyber security policies and procedures in advance of a breach (hacker attack) that compromised the personal information of approximately 100,000 individuals - many of them clients of the firm. Though there was no evidence of any financial harm, the investment adviser was fined $75,000 and was required to adopt a written information security policy to comply with the cyber security regulations.[25]
Because of their continued and increasing reliance on technology, the interconnectedness of the financial sector, and their access to sensitive/confidential information and world markets, investment dealers are subject to a variety of potential cyber threats. The three greatest threats, in order of importance, are:
As with the RT Jones case cited above, investment dealers face regulatory action for failure to adequately protect confidential information. Other than regulatory action, however, dealers could also be subject to other forms of liability, including financial penalties, reputational loss, and civil claims for negligence, statutory breach, and breach of contract. Class action lawsuits against investment dealers are also possible.
There is no "one-size-fits-all" model for a cyber security infrastructure, but a consensus has emerged on the importance of the following measures:
While relatively little Canadian case law exists, emerging U.S. decisions will doubtlessly inform the expectations of Canadian judges and regulators in assessing whether dealers and advisers who fall prey to attacks did enough to protect their clients. These cases contribute to a growing laundry-list of expectations that companies and firms should expect to face in the future. For instance, a recent settlement proposal submitted for court approval in a massive U.S. consumer data breach case adds the following expectations[35] to this growing list:
When announcing the publication of the Best Practices Guide and Incident Guide, IIROC President Andrew Kreigler stated that "[a]ctive management of cyber risk is critical to the stability of IIROC-regulated firms, the integrity of Canadian capital markets and protection of investors."[36]
The continued and increasing reliance on technology, the interconnectedness of the financial sector, as well as the critical role that financial institutions play in the overall economy puts investment dealers and advisers at the forefront of those who should be vigilant and ensure preparedness. They are uniquely positioned to be both victims of, and leaders in, this sphere; and regulators in both Canada and the U.S. have given clear indications that they expect dealers and advisers to be pro-active in their approach to cyber security.
Again, while there is no "one-size-fits-all" model, at a minimum, investment dealers and advisers should ensure that their Boards and upper management are aware of the cyber security risks faced by their firm and have in place a proper policy to be able to detect, prevent, and remediate a potential security breach.
[1] Cyber Security and Social Media, CSA Staff Notice 33-321 (October 19, 2017).
[2] Peter J. Henning, "S.E.C. Hacking Response Provides Road Map for Compromised Companies," New York Times (September 26, 2017).
[3] Dealer Member Cyber-security, IIROC Notice 15-0294 (December 21, 2015), online: http://www.iiroc.ca/Documents/2015/c2bdf778-b972-45ec-9bf0-bb1fa8c83706_en.pdf.
[4] Cyber Security, CSA Staff Notice 11-326 (September 26, 2013), online: https://www.lautorite.qc.ca/files//pdf/reglementation/valeurs-mobilieres/0-avis-acvm-staff/2013/2013sept26-11-326-avis-acvm-en.pdf. The CSA also requires registered firms to establish, maintain and apply policies and procedures that establish a system of controls and supervision – see Registration Requirements, Exemptions and Ongoing Registrant Obligations, National Instrument 31-103 (July 17, 2009)
[5] Annual Report 2014, OSC (undated), online: https://www.osc.gov.on.ca/documents/en/About/rpt_2014_osc-annual-rpt_en.pdf at 22.
[6] Annual Report 2014, OSC (undated), online: https://www.osc.gov.on.ca/documents/en/About/rpt_2014_osc-annual-rpt_en.pdf at 22. The OSC has also stated that it expects to find, as part of a firm's system of controls, procedures to protect confidentiality of client information, including cyber security – see Elements of an Effective Compliance System, Exhibit 2: Expectations for Content of Policies and Procedures Manual, OSC online: http://www.osc.gov.on.ca/documents/en/Dealers/ro_20150623_exhibit2-expectations-content.pdf.
[7] Annual Consolidated Compliance Report, IIROC (January 27, 2015), online: http://www.iiroc.ca/Documents/2015/0bdb279a-eb58-484e-a164-4748e96c478b_en.pdf.
[8] Best Practices Guide, IIROC (December 21, 2015), online: http://www.iiroc.ca/industry/Documents/CybersecurityBestPracticesGuide_en.pdf.
[9] Cyber Incident Management Planning Guide: For IIROC Dealer Members (Incident Guide), IIROC (December 21, 2015), online: http://www.iiroc.ca/industry/Documents/CyberIncidentManagementPlanningGuide_en.pdf.
[10] Best Practices Guide, supra note 8 at 4.
[11] Best Practices Guide, supra note 8 at 3.
[12] Incident Guide, supra note 9 at 3.
[13] For example, the value and sensitivity of data held by these firms, the interconnectedness of the systems and common service providers. See Investment Industry Association of Canada, "IIAC Seeks Member Firm Volunteers for Cyber Security Working Group" (November 25, 2014), online: http://iiac.ca/iiac-seeks-member-firm-volunteers-for-cyber-security-working-group/.
[14] Privacy legislation should be considered as well, such as the Personal Information Protection and Electronic Document Act (PIPEDA), which may place additional obligations on the dealer. PIPEDA was amended in June 2015 to include specific requirements on organizations to notify the Privacy Commissioner of any breach of security safeguards.
[15]IIROC issues cybersecurity report cards for dealer firms, IIROC (October 3, 2016), online: http://www.iiroc.ca/Documents/2016/8272fe2a-a1a5-4319-9b0c-7739d04ff097_en.pdf.
[16] IIROC Priorities for 2018, IIROC (June 1, 2017) at 10, online: http://www.iiroc.ca/Documents/2017/f582e091-0e07-459b-bddb-d951da44b771_en.pdf.
[17] In 2011, the Division of Corporation Finance of the SEC issued guidance on existing disclosure obligations related to cyber security risks and incidents to assist public companies in framing disclosures of cyber security issues. That guidance makes clear that material information regarding cyber security risks and cyber incidents is required to be disclosed. (October, 13, 2011). See also Report on Cybersecurity Practices, A Report from the Financial Industry Regulatory Authority (February 2015) at 3.
[18] The Comprehensive National Cybersecurity Initiative, online: https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative.
[19] 2015 Regulatory and Examination Priorities Letter, Financial Industry Regulatory Authority (January 6, 2015).
[20] Report on Cybersecurity Practices (FINRA Report), A Report from the Financial Industry Regulatory Authority (February 2015).
[21] FINRA Report, supra at 4.
[22] Office of Compliance Inspections and Examinations, Examination Priorities for 2016 (January 2016).
[23] Dealer Member Cyber-security, IIROC Notice 15-0294 (December 21, 2015), online: http://www.iiroc.ca/Documents/2015/c2bdf778-b972-45ec-9bf0-bb1fa8c83706_en.pdf.
[24] In the Manner of RT Jones Capital Equities Management Inc, Exchange Act Release No 4204, Admin Proc No 3-16827 (September 22, 2015).
[25] The SEC rules at issue are similar to those found in NI 31-103. Canadian regulatory bodies may, in the near future, follow the SEC's lead and change their focus to enforcement of the cybersecurity policy requirement. Other than regulatory action, an investment dealer could also be subject to other forms of liability, including financial penalties, reputational loss, and civil claims for negligence, statutory breach, and breach of contract. Class action lawsuits against investment dealers are also possible.
[26] See for example, FINRA Report, supra note 20 at 5.
[27] See for example, Best Practices Guide, supra note 8 at 20, 42.
[28] See for example, Best Practices Guide, supra note 8 at 8.
[29] See for example, FINRA Report, supra note 20 at 11.
[30] Best Practices Guide, supra note 8 at 12.
[31] National Exam Program Risk Alert Program, Office of Compliance Inspections and Examinations, SEC, Volume IV, Issue 8 (September 15, 2015), online: https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdflert.
[32] National Exam Program Risk Alert Program, Office of Compliance Inspections and Examinations, SEC, Volume IV, Issue 8 (September 15, 2015), online: https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdflert at 2-3.
[33] FINRA Report, supra note 20 at 31.
[34] FINRA Report, supra note 20 at 23. See also Best Practices Guide, supra note 8 at 32.
[35] Plaintiffs' Unopposed Motion for Preliminary Approval of Shareholder Derivative Settlement and Memorandum of Law in Support, at pp.2 and 7-8.
[36] IIROC Publishes Resources to Help Dealers Increase Cybersecurity Preparedness, News Release (December 21, 2015), online: http://www.iiroc.ca/Documents/2015/bf69013d-6525-4096-8164-ec5bdcccf5e3_en.pdf.
CECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.