As we mentioned in last month’s article on business continuity plans (BCPs), the COVID-19 pandemic has brought with it heightened cyber-security risks. Now more than ever, registered firms need to maintain robust cyber-security policies and procedures, monitor employees’ compliance with them, and adapt their policies and procedures to address emerging or changing risks. Recently, financial sector regulators have published warnings and guidance for firms about how to address cyber-security risks. This article highlights several publications that we think our readers will find useful.
- IIROC Offers Practical Tips: On April 21, the Investment Industry Regulatory Organization of Canada (IIROC) published a notice with practical tips for advisory firms and their employees regarding the kinds of cyber-security risks they face while operating remotely during the COVID-19 pandemic. Among other things, it describes common, COVID-19 relate phishing and social engineering attacks that some firms are observing.
- FSB Consults on Cyber Incident Response and Recovery (CIRR): On April 20, the Financial Stability Board (FSB) published a consultation paper outlining 46 effective CIRR practices for financial institutions to consider. Although the FSB tends to focus more on systemically important financial institutions, we think that all capital markets participants will find it worthwhile to skim the consultation paper. The recommended CIRR practices relate to such topics as how firms organize and manage CIRR, how they ensure effective response, mitigation and recovery activities, how to coordinate and communicate with stakeholders, and how to establish processes to learn from past cyber incidents. In addition to requesting feedback on the specific practices described in its consultation paper, the FSB wants to know what firms are learning from their response to the COVID-19 pandemic. Comments are requested by July 20.
- Updated Baseline Controls for Small and Medium-sized Enterprises (SMEs): The Canadian Centre for Cyber Security (Centre), established by the federal government, updated its Baseline Controls for Small and Medium Organizations (Baseline Controls) earlier this year. Noting that some of national and global cyber-security standards likely are beyond the financial and human resource means of most SMEs, the Centre developed the Baseline Controls with the 80/20 rule (i.e. that 80% of the benefit can be achieved through 20% of the effort) in mind. We recommend that firms read Annex A, which summarizes the Baseline Controls.
Given the regulators’ growing concerns about pandemic-related cyber-threats, we believe that cyber-security is likely to become a focus area for securities regulators in compliance reviews. AUM Law can help you assess and enhance your cybersecurity policies and procedures and conduct training in this area for your employees. Please contact us to find out more about our services in this area.
April 30, 2020