The recent data breach that affected customers of Toronto-based InvestorCOM Inc. has reminded large financial services firms of the importance of cybersecurity preparation.
“It’s not about if we will have a cyberattack, it’s about when we will have a cyberattack,” said Richard Anton, chief operating officer with CIBC Mellon, speaking Tuesday on the leaders panel at the Investment Funds Institute of Canada’s (IFIC) operations day.
Once an organization accepts that reality, Anton said, it can prepare and practice its response to an inevitable hack or breach.
CIBC Mellon recently did a “tabletop exercise” where it simulated its response to a cyberattack. Anton said the exercise revealed areas the firm could improve, allowing his team to focus its efforts.
Robert Ebel, chief operating, privacy and compliance officer with Fundserv Inc., said his firm did a tabletop exercise last week and also found areas for improvement.
Preparation “is about practice,” Ebel said at the IFIC event. “We need to practice to make sure that if and when [an attack] happens, it’s not a mad scramble.”
Vendor scrutiny is another important element of cybersecurity preparation.
Organizations don’t operate in isolation, Anton said. He recommended firms invite vendors to tabletop exercises to see how they would respond in the event of a cyberattack.
“It gives you a chance to watch how that vendor prepares,” Anton said, noting that vendor due diligence can no longer be satisfied by merely asking vendors to sign an annual attestation.
Paige Wadden, chief compliance officer, brokerage services, with Fidelity Clearing Canada ULC, said her firm’s procurement team takes six months to bring on a new vendor, calling that team “the first line of defence.” That process allows for intense due diligence to take place not just on the vendor itself, but also on the vendor’s own suppliers.
Wadden said Fidelity recognizes there can be a “domino effect” if there’s a weakness in a vendor or a vendor’s vendor.
In January, Minnesota-based Fortra LLC discovered that hackers had created unauthorized user accounts at customers of its managed file transfer service, GoAnywhere. One of those customers was InvestorCOM, a vendor to Empire Life, Mackenzie Investments and other Canadian financial services firms.