'Cybersecurity is an area that has challenged many organizations because it's not within the skill set of any one person. You need to bring together all of these different skills,' says Ira Nishisato, a partner and cybersecurity expert in Toronto at law firm Borden Ladner Gervais.atakan
Cybersecurity is top of mind for Canadian financial planners as firms adapt to evolving threats from hackers, phishers and ransomers.
While the financial services industry has long been a target, cyberattacks are growing more sophisticated and frequent. Last year, Statistics Canada reported more than one-fifth of Canadian businesses experienced a cybersecurity incident that impacted their operations.
Financial advisors are deploying a range of security measures not only to protect client data, but also to meet new national standards. Earlier this month, privacy rules designed to better safeguard Canadians’ personal information came into force, requiring businesses to report major data breaches to both affected individuals and the Privacy Commissioner of Canada or face fines of up to $100,000.
With regulations helping to drive awareness, small and large enterprises are putting plans in place to prevent major data breaches and to protect their businesses.
The Globe and Mail reached out to Canadian cybersecurity experts to discuss what firms are doing today to ensure their clients' information is not at risk.
Data security
When hackers try to breach financial service providers’ systems, they’re often looking for the crown jewels: clients’ personal information and other data-driven insights, such as investment profiles. One way firms are limiting risk is by purging unnecessary details.
“If you don’t have the data, you can’t lose it,” said Ira Nishisato, a partner and cybersecurity expert in Toronto at Borden Ladner Gervais, a law firm. “You build up information over time, but now there’s more of a focus on, ‘Do we need it?’ ”
Financial planners are also exploring cloud-storage services that offer data security through features such as end-to-end data encryption and multifactor authentication, which require two or more factors to access a system. For example, a username, password and time-sensitive code sent to a phone or other device.
Adriana Gliga-Belavic, a partner in PricewaterhouseCooper’s cybersecurity and privacy practice in Toronto, said companies may use this model to access e-mail or share documents, allowing them to store less data locally where it could be vulnerable.
“Not all organizations have the resources and skill needed for cybersecurity, and because of that, we see some businesses trying to leverage solutions in the cloud,” she said.
Even with these measures in place, Ms. Gliga-Belavic said firms are increasingly looking at a second line of defence: cyberattack insurance. The coverage protects companies against losses stemming from cyberattacks, including business interruptions, restoration expenses or third-party liability and financial losses. While the product is in its infancy, Statistics Canada reported almost 24 per cent of large businesses had cyber liability insurance in 2017 compared with 14 per cent of medium-sized businesses and 7 per cent of small businesses.
Employee awareness
When the public thinks of cyber threats, they often think of large-scale attacks by hackers in foreign places such as China or Eastern Europe. But as many firms know, employees can actually represent the biggest risk, Mr. Nishisato said.
A major security issue facing financial planners is the rise of phishing and malware attacks, such as ransomware. Phishing attacks occur when assailants try to steal data by tricking individuals into opening a message and clicking a link, which can install malware or other software that breaches corporate networks to access sensitive information. In the case of ransomware, hackers can hold data hostage, forcing companies to either pay or lose access and watch confidential information leak.
As hackers become more sophisticated, there’s also been an uptick in “spear-phishing,” where assailants do background research and target specific individuals within an organization.
“If I get an e-mail from China asking me to click on a catalogue of light bulbs, I’m not very likely to be interested in that,” Mr. Nishisato said. “But if they know you work for an electrical company and your job involves procuring light bulbs, that kind of e-mail is now relevant.”
In response to these threats, many Canadian companies now run simulation tests of phishing e-mails to see whether employees can spot them or not.
Ms. Gliga-Belavic emphasized the importance of employee awareness, training and cultural shifts within businesses.
“It’s about changing the approach from, ‘We’re not going to be breached,’ to ‘We will be breached, and if someone is knocking on our door every day, how prepared are we to respond?’ ” she said.
Cybersecurity teams
To bolster their defences, some financial planning firms are putting together multidisciplinary cybersecurity teams, made up of experts in fields such as information technology, privacy law and public relations. In 2017, 74 per cent of Canadian businesses had employees primarily responsible for cybersecurity, according to Statistics Canada.
“Even a couple of years back, not a lot of people were aware of cyber risk, now most organizations are and why they need to do something about it,” Ms. Gliga-Belavic said.
Mr. Nishisato said firms may have designated cybersecurity employees or mix internal and external support, relying, in part, on outside specialists.
“Cybersecurity is an area that has challenged many organizations because it's not within the skill set of any one person. You need to bring together all of these different skills,” Mr. Nishisato said.
Due to the high stakes of data breaches and the potential harm to businesses’ reputations, firms need the ability to react fast. He said one tool companies use are incident response plans that not only specify who is on the security team, but what the protocols are and what procedures need to be followed in the event of a data breach or threat. Mr. Nishisato said many firms engage in regular testing of those plans to make sure that the team is trained and ready to go.
“We’re getting better, but cybersecurity is a moving target with technology and the evolving nature of cyber threats,” Mr. Nishisato said. “It’s a continuing challenge.”