Financial industry firms have been and will continue to be prime targets of hackers. In his latest industry letter, IIAC president and CEO Ian Russell outlines the six key elements of an effective cybersecurity plan for Canada’s investment dealer firms.
#1. Governance and risk management
- Board and CEO participation in a firm’s cybersecurity plan is a must.
- Cyber threats are far too sophisticated and serious to relegate to the firm’s IT department.
#2. Risk assessment
- The first step in cyber risk assessment is to understand what company assets you are trying to protect and why.
- The firm must assess the strength of its internal defenses and technical controls, as well as the controls of third-party vendors with access to the firm’s systems.
- This means the firm must undertake due diligence on third-party vendors so that every entry point into its systems is covered, reducing the ways in which cybercriminals can gain access.
#3. Technical/process controls
- The appropriate controls will largely be determined by the nature of the firm’s business, the assets it seeks to protect, the ways in which it interacts with external systems, and, of course, the firm’s budget.
- One of the most important security controls that should be employed by all firms is the encryption of confidential information to protect data on the system, in general, and on individual computer devices.
- It also means restricting access to confidential information on a “need to know” basis.
- Staff must also be trained to be vigilant for suspicious emails and instructed not to open them if they arrive in their inbox.
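The two controls above, encrypting confidential information and restricting it on a need-to-know basis, are easier to reason about when seen together, because encryption alone does not limit who can read the data: whoever can call the decrypt routine with the key can read it. The following Go program is an added illustration, not code from the IIAC letter, and all names in it (the `ConfidentialRecord` type, the `Encrypt`/`Open` functions, the roles and the sample client record) are constructed for this example. It seals a record with AES-256-GCM, binds a non-sensitive client label to the ciphertext as associated data, and releases the plaintext only to a role on the record’s need-to-know list.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Role is a staff role; confidential records list the roles allowed to read them.
type Role string

// ConfidentialRecord is how a client record is held at rest: only the label is
// in the clear, and the label is authenticated together with the ciphertext.
type ConfidentialRecord struct {
	Label      string // non-sensitive identifier, e.g. a client number (constructed)
	Nonce      []byte // per-record random nonce for AES-GCM
	Ciphertext []byte // AES-GCM output: encrypted data followed by the auth tag
	NeedToKnow []Role // roles permitted to decrypt this record
}

// ErrAccessDenied is returned when the requesting role is not on the need-to-know list.
var ErrAccessDenied = errors.New("access denied: role is not on the need-to-know list")

// Encrypt seals plaintext under a 32-byte key with AES-256-GCM. The label is
// passed as associated data, so a ciphertext moved to another client's label
// fails authentication instead of decrypting silently.
func Encrypt(key []byte, label string, plaintext []byte, needToKnow []Role) (*ConfidentialRecord, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return &ConfidentialRecord{Label: label, Nonce: nonce, Ciphertext: ct, NeedToKnow: needToKnow}, nil
}

// Open enforces need-to-know before touching the key, then decrypts and
// verifies the record; tampered ciphertext or a swapped label returns an error.
func Open(key []byte, rec *ConfidentialRecord, requester Role) ([]byte, error) {
	allowed := false
	for _, r := range rec.NeedToKnow {
		if r == requester {
			allowed = true
			break
		}
	}
	if !allowed {
		return nil, ErrAccessDenied
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Label))
}

func main() {
	// In production the key would live in a KMS or HSM, never beside the data;
	// here it is generated in memory for the demonstration.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample client record.
	rec, err := Encrypt(key, "client-000123", []byte("SIN 000-000-000; margin account"), []Role{"advisor", "compliance"})
	if err != nil {
		panic(err)
	}
	if pt, err := Open(key, rec, "advisor"); err == nil {
		fmt.Printf("advisor reads: %s\n", pt)
	}
	if _, err := Open(key, rec, "marketing"); err != nil {
		fmt.Println("marketing:", err) // need-to-know check rejects the request
	}
}
```

The order of checks in `Open` is the point: the role check runs before the key is used, so a caller outside the need-to-know list never gets as far as decryption, and a record copied to a laptop remains unreadable without both the key and an authorised role.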
#4. Incident Response Plan (IRP)
- An IRP is the detailed playbook outlining the steps that must be taken in the event of a breach.
- The IRP assigns specific tasks to specific staff members and designated personnel with vendors, and sets out the sequence of tasks to be performed.
- If an IRP is not properly documented, much time will be wasted determining who should do what and when. Time is at a premium in the aftermath of a hack.
- The IRP needs to be tested intermittently to ensure it works effectively and seamlessly across the firm.
- Following an incident, the IRP also requires:
  - access to technical and forensic experts;
  - an understanding of the extent of losses (who has been affected and what information has been compromised);
  - legal advice to ensure liability and regulatory costs are minimized;
  - a communication plan tailored for appropriate messaging and timely sequencing to inform clients, regulators, law enforcement and insurers; and
  - appropriate measures to put the firm on a secure footing.
#5. Information sharing
- Access to information on techniques for bolstering cyber defenses, and on the nature of threats to the investment industry, gives firms the insights they need to design and customize a cybersecurity plan that fits their needs.
- The most effective vehicles for this information are internet-based information-sharing platforms, typically focused on specific industries.
- One of the most popular platforms in the investment industry is the Financial Services Information Sharing and Analysis Center (FS-ISAC) platform, which provides:
  - real-time detailed information on recent cyber attacks and the response of the victims;
  - recommendations for implementing an effective cyber plan, and best practices and protocols for an effective response to a cyber attack; and
  - access to in-house technical expertise for hands-on guidance.
#6. Cyber insurance
- Cyber insurance provides compensation to individual firms in the event of a cyber attack.
- The decision on whether to take out insurance, or the type of insurance appropriate for the firm, is complex and must take into account cost, the breaches covered by the insurance and the risk profile of the firm.