Cybersecurity – What Every Financial Professional Needs to Know
According to the Bank of Canada, cyber incidents are becoming more frequent and are posing a real threat to the financial system. Figures provided by data specialist firm Advisen show there were almost 5,000 successful cyberattacks in the global financial sector from 2014 to 2018. Cyberattacks are also increasing in sophistication and have impacted over 550 million records with known losses of more than $4 billion.
In the digital age, while inter-connectivity has made the world a little smaller, it also sets up economies and systems for exploitation by criminals. The number of devices connected to the internet is rising at an exponential rate, but with this comes a significant element of risk for data and economic disruption.
While traditionally one thinks of data breaches affecting the finance industry, the resulting impact of a well-orchestrated cyberattack could extend well beyond finance and spread to other sectors such as energy, telecommunications and travel.
To combat the rise in cybercrime, a collaborative approach is needed involving key global players including regulatory bodies. The world runs on data, and any potential threats can’t be handled in isolation. When it comes to cyberattacks, there are no walls between countries.
To minimize risk, financial professionals and companies need to be sure their cybersecurity practices are up to date. Care needs to be taken to ensure emails are opened only from secure providers. Passwords need to be changed regularly and encryption methods kept up to date.
According to an article in Wealth Professional Canada, 90% of all cyberattacks are the result of human error. In October 2017, the Canadian Securities Administrators (CSA) surveyed more than 1000 registered investment fund managers, portfolio managers and exempt-market dealers on their cybersecurity and social media practices. They found that 51 per cent of survey participants had already experienced a cybersecurity incident in 2016.
In addition to direct financial costs, data breaches can also do significant damage to a company’s brand and can affect both the private and public sectors. To minimize damage, the key is prevention through establishing best practices throughout the organization. To help dealer members combat cybercrime, the Investment Industry Regulatory Organization of Canada (IIROC) has published a Best Practices Guide addressing everything from risk management to governance and awareness and training. The Mutual Fund Dealers Association (MFDA) also set up general cybersecurity guidelines with a 2018 bulletin focused on electronic communications.
From a regulatory perspective, Canadian regulators are addressing the issue at a much slower pace than their American counterparts. In the U.S., the Securities and Exchange Commission (SEC) moves quickly and aggressively against investment companies that suffer cybersecurity incidents. In 2015, the SEC imposed a $75,000 (U.S.) penalty on St. Louis-based broker-dealer R.T. Jones Capital Equities Inc. after hackers stole details on 100,000 individuals from its web server. It then fined Morgan Stanley US$1-million in 2016 after hackers stole client information.
In Canada, investment companies that don’t protect client information still face consequences and, since November 1, 2018, must disclose data breaches under Canada’s Personal Information Protection and Electronic Documents Act. The government can fine companies up to $100,000 for each person affected.
While many organizations throughout the world have taken steps to combat the rise in cybercrime, more needs to be done to maintain a stable and secure global economy. The rise in sophistication of cyberattacks means that the financial sector and its external partners will have to operate one step ahead of the criminals. Collaboration and integration are key to decreasing our vulnerability and the potentially devastating impact of any real or perceived threats.