
Canadian Securities Administrators publish cyber-guidelines

Chris Hamblin, Editor, London, 14 November 2017


The umbrella organisation for Canada's provincial and territorial securities regulators has drawn on the results of a survey to shape its latest guidance for registered firms on measures to safeguard themselves and their clients from cyber-threats.

The regulators sent a questionnaire to more than 1,000 registered firms and 63% of them responded. The questions were structured to gather information about each firm's policies and procedures regarding cyber-security and social media practices (including cyber-training for employees), the firm's risk assessments, any 'incidents' it may have experienced, its incident response plan, its scrutiny of third-party vendors, its data back-ups and its monitoring of its own activities on social media. Just over half of all firms had had an 'incident' in the previous year.

The question was asked: "does your firm conduct due diligence about the cyber-security practices of third-party vendors, consultants, or other service providers?" 68% of respondents said yes, 32% said no. Another question was "do your written agreements with the third-party vendor, or other service provider, specifically address cyber-security?" 57% said yes, 43% said no. Some firms blushingly promised to do better in future.

In response, the regulators are promoting 'guidance' to help firms mitigate risks relating to cyber-security and social media.

How to deal with third parties

The regulators exhort firms to evaluate, on a periodic basis, the adequacy of their cyber-security practices, including the safeguards against cyber-security incidents, and the handling of such incidents, of any third parties that have access to the firm's systems and data. Firms should, indeed, limit the access of third-party vendors to their systems and data. Written agreements with these outside parties should include provisions related to cyber-threats, including a requirement for the third party to notify the firm of any cyber-security incident that results in unauthorised access to the firm's networks or data, and a description of the third party's own plans for responding to such incidents.

Firms that use cloud services ought to understand the security practices that each cloud service provider has in place to safeguard against cyber-threats and decide whether those practices are adequate. They should also have procedures in place for continuing to operate when they cannot access the data held in the cloud.

Back-ups and safety measures

The regulators expect firms to back up their data and regularly test their back-up process. Also, when backing up data, they want them to ensure that the data is backed up off-site to secure servers in case of physical damage to their premises. On the subject of insurance, the regulators only call on firms to 'consider' the possibility of additional insurance to cover cyber-security, if needed. In addition to using encryption for all computers and other electronic devices, firms should require passwords on all devices.

Social media guidance

Social media may be used as a vehicle to carry out cyber-attacks: phishing messages or links posted on social media sites may lead to websites that install malware. The regulators say that firms should review, supervise, retain and be able to retrieve social media content. Their policies and procedures for social media practices should include:

  • guidelines for the appropriate use of social media, including the use of social media for business purposes;
  • a list of the types of content that people can put on social media;
  • procedures for ensuring that social media content is current;
  • recordkeeping requirements; and
  • reviews and approvals of social media content, including evidence of such reviews and approvals.
