Written by Ruth E. Promislow and Katherine Rusk
Cybersecurity threats to registered firms continue to rise, but efforts to protect against those threats and to plan for the inevitable attack are not keeping up.
The Canadian Securities Administrators (CSA) released a Staff Notice last week that underscores the increasing cybersecurity risks to firms and the shortcomings in their efforts to prevent cyber incidents. The Staff Notice provides high-level guidance for firms on issues such as policies and procedures to protect against cyber threats, employee training, regular risk assessments, incident response plans, due diligence with third-party vendors, insurance and social media.
The Staff Notice reported on the results of a survey conducted in late 2016 of over a thousand registered firms, with a 63 percent response rate. The most striking finding from the CSA was that over half of the responding firms reported having experienced a cybersecurity incident in 2016. The most common cyber incident was phishing at 43 percent, followed by malware at 18 percent and impersonation through fraudulent emails at 15 percent.
Phishing, malware, and impersonation through fraudulent emails are attack vectors that often use employees as a weak point to enter a system. The CSA report highlights in particular the risk of social media sites being used to launch phishing emails or to host links that result in malware installation. Proactive training of employees to identify and respond to these cybersecurity threats is one of the first steps a company should take to prevent cyberattacks. However, according to the CSA, only 56 percent of the surveyed firms have policies and procedures in place to train their employees in cybersecurity.
Another weak point of entry into a firm is third-party service providers. The CSA found that over 90 percent of firms use services provided by third-party vendors, but only 57 percent of those firms have addressed cybersecurity in the written agreement with the vendor. The CSA suggests that firms should limit third-party vendors' access to their systems and their data, and that any access granted should be subject to safeguards and incident response plans.
Once an attack has occurred, only 57 percent of firms have specific policies and procedures in place to ensure the continued operation of the firm during a cybersecurity incident. Sixty-six percent of firms have an incident response plan, but a quarter of those have not tested it.
A robust incident response plan was identified as a priority by the CSA in April 2017. These plans should be “generally quite detailed and complete in relation to internal procedures in the event of an incident, but should also address coordination and information sharing with other stakeholders, particularly in the context of a market-wide incident.”[1]
When the dust has settled and the cyberattack has been dealt with, the CSA notes that only 41 percent of firms have specific cybersecurity insurance policies to call on for assistance with rebuilding. For most firms, rebuilding is a significant undertaking requiring a large amount of capital. The Ponemon Institute’s 2017 report found that, on a global level, data breaches are most expensive in the United States and Canada. That is particularly noteworthy since the same study found that the average global total cost of a data breach is $3.62 million.[2]
The CSA Staff Notice underscores the omnipresent risk of cyberattacks for registered firms as well as the need for (1) a plan to protect against cyber threats and (2) a plan that maps out precisely how the organization will react upon learning of a cyber incident. Legal counsel and other experts can assist with the design and implementation of these plans.