Cybersecurity in the media
MLex (subscription required) – July 4, 2018 – UK financial cyber-resilience program may have global influence
Selected excerpts
- • The Bank of England and the UK’s Financial Conduct Authority last week set out plans for domestic financiers — banks, insurers, investment firms and the like — plus market infrastructure such as payment systems, exchanges and clearinghouses.
- • UK companies will be expected to develop — and assure regulators of — their ability to bounce back and minimize disruptions from cyberattacks, computer-system shutdown, power outages or other system mishaps.
- • The regulators remain a ways off from drafting rules, but sketched out their intentions in a paper seeking public input.
Investment Executive – May 2, 2018 – ECB publishes framework for testing resilience to cyber attacks
Selected excerpt
- • TIBER-EU aims to mimic the tactics, techniques and procedures of real hackers.
Investment Executive – April 5, 2018 – IIROC proposes mandatory reporting of cybersecurity incidents
Selected excerpts
- • The proposals introduce the obligation to report cyber incidents to IIROC within three calendar days of discovering an incident and to provide a more comprehensive report on the incident within 30 days.
- • IIROC is proposing the new requirements due to the increasing frequency and sophistication of cyber attacks, the regulator says in a notice, and the fact that information sharing is essential for mitigating cyber threats.
IT World Canada – April 3, 2018 – Canadian mandatory breach notification starts November 1, no regulations yet
Selected excerpts
- • Companies covered under federal law will have to report data breaches to customers, affected third parties and the federal privacy commissioner starting November 1, the government has decided.
- • However, Ottawa still hasn’t proclaimed the regulations that firms will have to follow, which is puzzling privacy law experts.
GFMA – April 3, 2018 – GFMA issues guidance on cybersecurity penetration testing
Selected excerpts
- • GFMA has released a framework of detailed guidance to help financial institutions adequately test the resilience of cybersecurity precautions through penetration testing and to assure regulators correct procedures are observed.
- • “The goal of the GFMA proposal is not to compete with existing frameworks but rather to coordinate their development and use to ensure that financial institutions are able to safely, securely and efficiently increase their cyber resilience while complying with their supervisory requirements,” GFMA says.
Investment Executive – March 7, 2018 – Banks need to step up cybersecurity efforts: PwC
Selected excerpts
- • Cybersecurity is a top concern throughout the industry, according to PwC Canada.
- • It reports that more than half (52%) of financial industry executives see cybercrime as the biggest criminal threat facing their firms over the next 24 months, and 93% of bank and capital markets CEOs are already investing in enhanced cybersecurity.
- • Despite these high levels of awareness and action, PwC Canada says that the banks must contend with a variety of challenges including, “increasingly sophisticated adversaries, rapidly evolving technologies, and multiple regulatory requirements.”
- • These factors are prompting the need for banks to revisit their approach to security, and to “augment traditional controls with more layered and advanced controls,” it says.
IT World Canada – March 1, 2018 – Federal budget: RCMP, CSE to get new cyber crime fighting centres
Selected excerpts
- • In its budget announced Tuesday the government proposes giving the Communications Security Establishment more than $155 million over five years to create a new Canadian Centre for Cyber Security to consolidate its cyber expertise from across the federal government under one roof.
- • That includes the Canadian Cyber Incident Response Centre, the national threat sharing service.
- • More importantly, the Centre for Cyber Security will have the mandate of providing residents and businesses with a place online to turn to for cyber security information.
Investment Executive – February 21, 2018 – SEC adopts guidance on cybersecurity disclosure
Selected excerpt
- • The goal is to promote clearer and more robust disclosure by companies about cybersecurity risks and incidents
Compliance Week – February 21, 2018 – Financial firms collaborate to defend against cyber-threats
Selected excerpts
- • A joint cybersecurity simulation effort by the Financial Services Sector Coordinating Council, the Treasury Department and the Financial Services Information Sharing and Analysis Center has resulted in a voluntary resiliency compliance program for financial institutions.
- • The Sheltered Harbor adherence framework focuses on keeping customer account data secure in the event of a cyberattack through the use of a governance model, internal controls and an audit verification process.
Wealth Professional – February 21, 2018 – Are your employees liable for data breaches?
Selected excerpt
- • A survey among over 5,000 businesses worldwide by Kaspersky Lab and B2B International showed that 52% of businesses admit that employees are “their biggest weakness in IT security, with their careless actions putting business IT security strategy at risk.”
IT World Canada – February 21, 2018 – Cyber crime costs the world almost US$600 billion a year: Report
Selected excerpts
- • Up from US $445 billion three years ago.
- • That estimate comes from the latest Economic Impact of Cybercrime report by the Washington-based Center for Strategic and International Studies and McAfee.
Canadian Underwriter – January 25, 2018 – Buying a cyber policy? Make sure it’s retroactive
Selected excerpts
- • When it comes to cyber insurance policies in Canada, retroactivity is noticeably absent from coverage
- • Standard insurance policies do not support retroactivity, said Kevvie Fowler, partner, cyber risk with Deloitte Canada. But “if it’s a large enough policy,” insurers may be willing to insert a clause to support it.
- • Complicating the issue of retroactivity, it usually takes organizations close to 200 days to notice or detect a breach, although that number is shrinking.
- • “So people who sign up for policies basically cross their fingers and hope for 200 days that nothing has happened before the policy takes effect,” Fowler said.
Wealth Professional – January 24, 2018 – Why industry’s ‘silent machine’ is wary of cyber threat
Selected excerpts
- • Fundserv may be the “silent machine” underpinning the mutual fund industry but it isn’t getting complacent.
- • However, with the pace of technological change continuing at breakneck speed, it remains alert to the threat of cyber attacks and has created its own cybersecurity council, bringing together members to share knowledge on how to keep transactions safe from the “barbarians at the gate”.
Financial Post (La Presse Canadienne) – January 12, 2018 – Financial firm outsourcing increasing risk of cyber-attacks: IIAC
Selected excerpts
- • The head of the Investment Industry Association of Canada says the risk of cyberattacks is being amplified by the significant outsourcing done by investment dealers and asset managers.
- • Ian Russell told attendees at an Empire Club of Canada luncheon on Thursday in Toronto that firms’ financial integrity and cybersecurity may not be matched by third-party vendors hired to enhance efficiencies, compensate for scale and reduce costs.
- • To remedy this, he says regulators within Canada need to co-operate and co-ordinate across the financial sector, involving insurance, banking and securities firms.
Investment Executive – December 13, 2017 – DTCC survey ranks top risks to financial stability
Selected excerpt
- • Cyber risk was named the biggest threat by 36% of respondents to DTCC’s latest systemic risk barometer survey.
Insurance Business – December 10, 2017 – Is cyber insurance prompting more cyberattacks?
Selected excerpts
- • Writing in The Enterprise Times, researchers at WatchGuard, a security company, have expressed concern that cyber insurance risks are fuelling an increase in ransomware.
- • Cyber criminals are looking to exploit companies that actually have insurance in place – making them priority targets.
EY survey – November 21, 2017 – Organizations are at high risk from cyber attacks; common attack methods still successful, EY survey finds
Selected excerpts
- • 56% of organizations surveyed are concerned about the increasing impact of cyber threats on their strategies and plans
- • 87% say they require up to 50% more funding to address increased cyber threats
- • Only 12% say they are likely to detect a sophisticated cyber attack
Investment Executive (La Presse Canadienne) – November 17, 2017 – Cyber Insecurity: the high stakes of data protection in an interconnected world
Selected excerpts
- • Cyberattacks have become increasingly routine
- • When Victor Dodig checks his phone in the morning, the chief executive of CIBC dreads reading that any government or corporation, anywhere in the world, has been hacked, he told an OSC panel last month.
- • “Obviously, it would be more of a concern if our institution was, but we’re so interconnected that one weak link creates an issue for all of us.”
Conseiller.ca – November 15, 2017 – Cybercrime: the AMF’s expectations of the industry
Selected excerpt
- • In the latest issue of Info-Conformité, the Autorité des marchés financiers (AMF) says it expects industry participants to put in place the necessary risk-mitigation measures for cybersecurity.
Insurance and Investment Journal – November 14, 2017 – Some high-profile cyber-attacks caused by neglect, says IIAC president
Selected excerpts
- • Cyber security remains a major thorn in the side of international regulators, says the president and chief executive officer of the Investment Industry Association of Canada (IIAC).
- • Presentations made at the [recent IOSCO] meeting indicated that most high profile cyber-attacks, such as the Equifax breach, “can be traced, not to sophisticated techniques, but to neglect implementing basic elements of protection: too open-ended access to administrative controls over the technology systems and failure to place effective ‘patches’ specifically on identified areas of the software system.”
CNBC – November 9, 2017 – SIFMA’s Quantum Dawn IV drill gauges resilience against major cyberattack
Selected excerpts
- • SIFMA conducted its Quantum Dawn IV drill this week. “A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing.
- • No single actor — not the federal government, nor any individual firm — has the resources to protect markets from cyber threats on their own,” said SIFMA President and CEO Kenneth E. Bentsen.
SIFMA – November 2, 2017 – SIFMA Testifies on Cybersecurity Priorities
Selected excerpt
- • SIFMA’s testimony notes that there is likely no greater threat to financial stability than a large-scale cyber event, so SIFMA and its member firms are deeply committed to improving our sector’s cybersecurity resiliency and working with government partners to protect the broader economy.
Investment Executive – September 28, 2017 – Cyber insurance brings opportunities, challenges for insurers
Selected excerpt
- • Growth is being driven by increasing risk and awareness of cyber attacks
Investment Executive – September 26, 2017 – SEC moves to combat cyber threats, protect retail investors
Selected excerpts
- • A dedicated new Cyber Unit, launched by the SEC’s enforcement division “will focus on targeting cyber-related misconduct.”
- • At the same time, the regulator is setting up a Retail Strategy Task Force to address issues that primarily impact retail investors.
- • The task force will develop “targeted initiatives to identify misconduct impacting retail investors,” ranging from unsuitable product sales to microcap pump-and-dump schemes.
Investment Executive – September 7, 2017 – Greater efforts to fight cyber attacks needed, industry institute says
Selected excerpts
- • Among other things, the Institute of International Finance (IIF) calls for greater collaboration between the industry and regulators on effective cybersecurity practices.
- • It also advocates removing impediments to sharing information across the financial system.
Reuters – September 5, 2017 – SEC chief says cyber crime risks are substantial, systemic
Selected excerpts
- • SEC’s Clayton: Investors don’t fully grasp cybercrime threat
- • Regulators must work harder to help individual investors appreciate the risks presented by new technologies that cybercriminals use to commit fraud, said SEC Chairman Jay Clayton.
- • He said he plans to give cybersecurity a high priority in the SEC’s enforcement actions.
Investment Executive – July 31, 2017 – New York boosts cybersecurity
Selected excerpt
- • State regulator launches online portal for financial firms to report possible breaches
Investment Executive – July 17, 2017 – IIAC aims to help investment dealers gauge cybersecurity risks
Selected excerpts
- • The association has created a survey that investment dealers could use to gauge the risks that third-party service providers present
- • Industry regulators have flagged due diligence by industry vendors as a key component of the industry’s cyber defences, the IIAC notes.
The Globe and Mail – July 11, 2017 – Editorial: The new cyber-threats, and how to stop them
Selected excerpts
- • High-level breaches are already happening more often, and at higher cost, than most people realize.
- • A recent study by the Ponemon Institute on the costs of data leaks found the average breach in Canada, defined as the loss, theft or exposure of financial or medical information, cost $5.8-million to fix, investigate and mitigate.
- • The institute looked at 27 major companies, which lost an average 21,000 records per occurrence.
- • The cost figure is actually down slightly from last year, but that’s not the report’s most interesting finding. Roughly half the breaches were due to software glitches or human error; the cyber equivalent of a business damaging its own merchandise. The other half were the result of criminal or malicious activity – the electronic equivalent of a break and enter.
Reuters – June 8, 2017 – New SEC enforcement chiefs see cyber crime as biggest market threat
Selected excerpts
- • The SEC has appointed two enforcement chiefs, Stephanie Avakian and Steven Peikin.
- • In a joint interview, the pair said that cybercrime poses the greatest threat to the industry and that they intend to take particular action to curb it.
Investment News – May 17, 2017 – SEC alerts advisers on WannaCry ransomware cyberattacks
Selected excerpt
- • The SEC has issued a cybersecurity alert emphasizing that broker-dealers and other financial-services professionals should conduct regular vulnerability scans and penetration tests of critical computer systems.
New York Times – May 17, 2017 – With Ransomware, It’s Pay and Embolden Perpetrators, or Lose Precious Data
Selected excerpt
- • Thousands affected by the global digital attack must decide whether to fork out money to gain control of their computers or face losing their data forever.
Reuters – May 17, 2017 – China’s banking regulator to step up protection after cyber attack
Selected excerpt
- • The China Banking Regulatory Commission says it will increase data security after a global cyberattack over the weekend, promising tougher new legislation, reviewing its own procedures and urging banks to conduct assessments, early warning and prevention for such events. The attack affected an estimated 30,000 entities in China, although the CBRC said no banks were infected.
Investment Executive – May 8, 2017 – The cybersecurity challenge – a three-part series
Selected excerpts
- • Keeping current on cybersecurity threats – Understanding the digital perils is the first step in protecting your practice
- • Lessons learned from recent cyber attacks – These examples reveal some of the tactics that hackers use and the steep costs they can have for firms
- • You’ve been hacked. Now what? – How to deal with digital breaches before and after they happen
Investment Executive – April 6, 2017 – Compliance • CSA recommends greater co-operation on cybersecurity
Selected excerpt
- • The investment industry’s informal approach to information sharing and communication works well, but improvements are needed, CSA report finds.
The Globe and Mail – March 28, 2017 – Companies need to plan for handling a cybersecurity breach
Selected excerpt
- • [W]hile it’s true that Canadian companies are increasingly preparing for the financial, legal and technical implications of a breach, many continue to overlook developing a communications strategy, which is critical in the early hours and days of a breach when it comes to protecting reputation over the short and long term.
- • Treasury Secretary Steven Mnuchin said that because the safety of the financial system is critical, he has made cybersecurity his top technology priority.
- • He said he will use his authority as chairman of the Financial Stability Oversight Council to push financial regulators to strengthen cybersecurity.
- • One of the biggest bank robberies of all time has shown what could be the next front in cyberwarfare.
- • The United States attorney’s office in Los Angeles is said to be examining the extent to which the North Korean government aided and abetted a heist in which $81 million was stolen from the central bank of Bangladesh in February 2016.
- • Federal prosecutors are building cases that would target Chinese middlemen who prosecutors believe helped North Korea orchestrate the theft, according to The Wall Street Journal, which earlier reported the potential charges.
- • In an effort to gain access to inside information, cybercriminals are posing as SEC officials in emails to corporate executives, lawyers, compliance officers and others who have roles in submitting documents to the SEC.
- • FireEye, the security firm that spotted the practice, said the online scammers are probably part of an Eastern European criminal organization that profits by basing trading on inside information.
- • Regulated financial institutions must ensure that all third-party companies with which they do business demonstrate a minimum level of cyber security and report any breaches that impact their data.
- • “What this means for small to medium sized Canadian businesses is, you may not see yourself as a risk, but the Big Five [banks] that you do business with are going to start seeing you as one. So you’re going to need to demonstrate your cyber readiness,” says Katherine Thompson, Cyber Council Chair at the Canadian Advanced Technology Alliance.
- • CyberNB, a wing of the New Brunswick government aiming to make the province a cyber security hub, has quietly announced it is adopting for use in this country the U.K. Cyber Essentials program certifying small and mid-sized companies have met certain minimum security standards.
- • In addition to being a brand for competitive advantage, the program should also be a spur to SMBs to improve their IT security.
- • CyberNB hopes to officially launch the program in several provinces in April.
- • Governments or regulators are getting so sensitive about cyber security they may demand publicly-traded companies to undergo annual cyber audits as well as financial audits, says a former U.S. Homeland Security secretary who is now a consultant on risk management.
- • Tom Ridge made the prediction to a Canadian audience at the third annual International Cyber Risk Management Conference in Toronto, where he also repeatedly asserted that to fight cyber attacks the public and private sectors have to build resilient organizations.
- • Scott Jones, assistant deputy minister of the Canadian Communications Security Establishment – which is responsible for securing federal government networks — said Thursday at the third International Cyber Risk Management Conference in Toronto.
- • He said the public and private sectors are going to have to work better together on cyber defence, but also wondered if governments need carrots or sticks to get operators of critical infrastructure to improve their cyber security.
- • Betterment, a U.S. robo-advisor, was on an unofficial list of affected sites compiled on Github.
- • Betterment stressed that it “is confident that customer account information is safe. Additionally, Cloudflare performed its own internal review and determined that Betterment’s data was not included in the information exposed by the vulnerability.”
- • Hong Kong’s securities regulator said brokers in the city had suffered cyber attacks and warned of possible further incidents across the industry.
- • In a circular to licensed firms late on Thursday, the Securities and Futures Commission (SFC) said it had been informed by the Hong Kong police that brokers had encountered so-called “distributed denial of service” (DDoS) attacks targeting their websites and received blackmails from criminals.
- • Financial-services providers operating in New York will face new cybersecurity regulations, which include having a designated chief information security officer, starting March 1.
- • “New York is creating a standard that will probably be a catalyst for a national change,” said John Cunningham of Docupace Technologies.
- • 3. Cybersecurity.
- • Despite the average hack leading to the loss of just less than two million files, according to risk management and advisory firm Willis Towers Watson, there is lots of talk but little action.
- • In its latest Cyber Claims Brief, Willis Towers Watson suggests companies implement a comprehensive information security plan that includes “a cyber-risk assessment, external penetration testing (sometimes called ethical hacking, in which external cyber defenses are tested), as well as an internal evaluation.”
- • A good start would be fairly low-tech and inexpensive.
- • “If I were a medium-sized employer, I would buy every single person on my payroll a password manager,” says Barry Sharp, chief executive officer of AMA Management Ltd. in Vancouver.
- • Small businesses often think that they’re not big enough for hackers to bother with, but that’s not the case.
- • Here are the parts of the business most at risk:
- • Mobile devices, Internet of Things, Passwords, E-Commerce, Employees
- • “Many organizations are going to have a lot of work to do to come into compliance with these revised regulations,” said Jed Davis, a partner with law firm Day Pitney and former U.S. federal cyber crimes prosecutor.
- • The Department of Financial Services responded by easing some timelines and requirements, including standards for encrypting data and authenticating access to networks.
- • The new draft also gives firms more time to comply with the rules, expanding the transition period from six months to as much as two years.
- • The agency said it would finalize the rules after a 30-day public comment period.
- • SIFMA and other finance-industry groups are voicing concerns over New York state’s proposed rules outlining cybersecurity measures for protecting confidential client data.
- • The plan is likely to impose “inflexible, one-size fits all requirements” within an “unworkable” timeline, the groups say in public comments.
- • FS-ISAC, in collaboration with various industry groups, including SIFMA, has pioneered the Sheltered Harbor plan through which banks will keep a secure backup of client data in an industry standardized format to allow recovery after a cybersecurity or natural disaster.
- • “The data is encrypted, it’s immutable, it’s in storage, should another firm need to have access to it,” said Tom Wagner, SIFMA’s managing director of financial services operations.
- • Rules being drafted by the Federal Reserve, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. governing cybersecurity in the banking industry could eventually be a model for regulations governing the money management industry, industry participants say.
- • “It’s possible that the [SEC] or [CFTC] could conform, or at least harmonize, any current or future cybersecurity requirements with federal bank cybersecurity standards,” says Charles Horn, partner at Morgan, Lewis & Bockius.
- • The plan, dubbed “Sheltered Harbor,” is intended to ensure depositors and investors that their accounts will be secure after a cyberattack.
- • Financial institutions will store data that’s needed to recover an account in an industry-standard format so that client information can be restored at another location if the primary institution suffers an attack. The standards will go into effect in 2017.
- • The new standard for data storage reflects the industry’s response to a series of cybersecurity exercises in the past few years, often with the cooperation of federal agencies including the Treasury Department and Department of Homeland Security.
- • The discussion will focus on examining cybersecurity in the securities industry and possible approaches to dealing with cyberattacks.
- • Link to CSA Staff Notice 11-332 Cyber Security: https://www.osc.gov.on.ca/documents/en/Securities-Category1/sn_20160927_11-332-cyber-security.pdf
- • Another challenge is lack of in-house expertise, says Susan Copland, managing director with the Investment Industry Association of Canada (IIAC) in Vancouver: “Not all members have in-house expertise to deal with this. [The challenge is in] finding outsourced resources to help them comply, because [cybersecurity] can get technically complex.”
- • Sharing information can help here, she adds. Sharing experiences of security incidents and best practices can help investment firms learn from others in their community.
- • Information-sharing efforts haven’t gained the traction they need among Canada’s investment firms, adds Copland, who points to the Financial Services Information Sharing and Analysis Center, a U.S.-based information-sharing group for the financial services sector that numbers Canada-based companies among its members, as a popular resource for Canadian investment companies.
- • Regarding IIROC members’ self-assessments, Copland says, there is room for improvement, especially among smaller firms. Ensuring the security of third-party services vendors can be difficult, especially when those vendors are linked to an investment firm’s systems, she says.
- • The IIAC and IIROC are creating a working group to address that issue, she adds.
- • Ontario has been the main driver, and the province has the potential to further strengthen its cybersecurity dominance, which would benefit the financial services sector as well
- • “Canada’s financial services sector has an international reputation for stability, safety and growth. And, it is headquartered right here in the Toronto-Waterloo innovation corridor, among one of the largest technology hubs in North America,” she adds. “This presents a huge opportunity to build capacity to support the financial services sector and to generate economic growth.”
- • The Financial Services Information Sharing and Analysis Center (FS-ISAC), the Investment Industry Association of Canada (IIAC) and the Securities Industry Financial Markets Association (SIFMA) will collaborate on the publication of a monthly bulletin on cybersecurity and new cyber threats against the North American securities sector.
- • The Group of Seven has adopted guidelines to protect the financial sector from cyberattacks.
- • Nonbinding agreement establishes common strategies to fortify online infrastructure.
- • “SIFMA commends the initiative taken by the G7 to improve global coordination and consistency in the fundamental elements governing cybersecurity in the financial sector,” says Tom Price, SIFMA’s managing director of operations.
- • The CSA has published Staff Notice 11-332 Cyber Security to promote cyber-security awareness, preparedness and resilience in Canadian capital markets.
- • “We have identified cyber security as a priority in the CSA 2016-2019 Business Plan,” said Louis Morisset, Chair of the CSA and President and CEO of the AMF. “It is crucial for us to improve collaboration and communication on cyber-security issues with market participants. We want to ensure they are aware of the challenges, have a sufficient level of preparedness, and are as resilient as possible against cyber risks.”
- • CSA members intend to re-examine the disclosure of some of the larger issuers in the coming months. CSA expects to publish findings and recommendations from those reviews.
- • The head of the Investment Industry Association of Canada raised the alarm about cyber crime last year, acknowledging that many Bay Street firms weren’t as prepared as they should be.
- • “Our focus, really, is making sure our small and medium sized (dealers) are secure,” says Susan Copland, managing director of the IIAC. “Because a breach at one firm affects everybody, not just through reputation but through the interconnections of the system.”
- • The federal government has started a three-month public consultation on updating its cyber security strategy, asking security pros and citizens for input on how it should not only strengthen the national IT systems and critical infrastructure in the private sector but also help businesses and residents.
- • Public Services Minister Ralph Goodale said Tuesday the consultation, which ends Oct. 15, will help identify gaps and opportunities, bring forward new ideas to shape Canada’s renewed approach to cyber security and capitalize on the advantages of new technology and the digital economy.
- • A 2014 global survey by the U.S.-based Ponemon Institute, which conducts independent research on privacy, data protection and information security, found that 55 per cent of small businesses and professionals said they had suffered at least one data breach in the previous year and 53 per cent reported multiple breaches.
- • Ponemon’s 2016 research in Canada looked at 24 companies and found that the average per capita cost of a data breach is $278, up from $250 the previous year, and the average total cost to businesses (large as well as small) was more than $6 million, up 13 per cent from 2015.
- • The Cyber Security Market – Global Forecast to 2021 report from the Dublin, Ireland-based global market research store reveals that the cybersecurity market is growing rapidly because of the increase in adoption of cybersecurity solutions, “due to the increase in security breaches targeting enterprises.”
- • The global financial system is at risk of being targeted again by hackers in the coming months, Agence France-Presse reports.
- • At a roundtable discussion on Capitol Hill, Members of Congress gathered with financial industry experts from Goldman Sachs, Morgan Stanley and Wunderlich Securities to discuss the state of the cybersecurity industry today and the role of America’s capital markets in funding cybersecurity initiatives.
- • “Virtually all acquirers must implement a rigorous diligence process when considering M&A targets,” says the report by West Monroe Partners, a U.S.-based business and technology consulting firm. “The nature of cyber threats is also changing constantly, requiring a nimble approach to due diligence.”
- • How big an issue is it? According to a survey of 30 senior executives at corporate and private equity firms that frequently conduct M&A transactions, 80 per cent said cybersecurity issues are highly important in doing due diligence on potential deals.
- • The other 20 per cent said they are somewhat important.
- • There are forces at play now that aren’t satisfied with just stealing your money, they want to destroy your entity.
- • A survey of 2,200 companies across 18 countries has found that Canadian companies are among the least equipped to deal with cyber threats.
- • The study ranks 18 countries based on the per cent of businesses that are adopters of effective modern cyber security procedures and technology. On a list of 18 countries Canada was number 15, ahead of only the Netherlands, Japan and the United Arab Emirates.
- • FFIEC urges financial institutions to safeguard interbank messaging and payment networks
- • Christopher Hetner will be responsible for co-ordinating efforts across the agency
- • What can advisors do to protect themselves against an online attack?
- • Susan Copland, managing director at the Investment Industry Association of Canada, has some other pointers, including creating strong passwords for all devices and updating them regularly.
- • ‘Strong’ in this context means words that aren’t found in the dictionary, and which include numbers, capital letters, and symbols.
- • Other measures include ensuring that antivirus software on devices is up-to-date and signing out of programs when they’re not in use.
- • A little scepticism goes a long way too, Copland points out; avoiding suspicious emails and attachments can prevent problems arising in the first place.
- • Dealers should also follow the training and protocols put in place by their firms to protect confidential information, she adds.
- • Cyberthreats are becoming more devious, and they present a key risk to both your business and your clients. Here’s what advisors need to know
- • Security-software providers are in a constant cat-and-mouse game with ransomware makers who can find ways to penetrate even well-guarded systems.
- • The following is an account of a real attack that happened in February of this year, as described by Chris Whidden, a security engineer based out of New York who works for Canadian security consultancy eSentire Inc.
- • Ransomware is malicious software (malware) installed on your device or system, including smartphones and tablets, that encrypts the hard drive or specific files then demands a ransom be paid before the device or information is decrypted. Importantly, hackers may access your data during the course of an attack.
- • The severity of the attack and the safeguards you have in place will impact your response. Generally, the following actions are recommended:
- 1. Disconnect the affected device or system from the rest of the network and from the internet.
- 2. Run anti-malware scans in an attempt to identify and remove the ransomware, if possible.
- 3. If you are able to restore your files or system from backup, you do not need to submit to a ransom demand.
- 4. Review the response plan and update, as appropriate.
- 5. Further education on preventive measures.
- • If a breach of personal information has occurred:
- 1. Private sector organizations must consider if the intrusion presents a real risk of significant harm. If it does, under the Personal Information Protection Act, private sector organizations in Alberta must report the breach to the OIPC and may be required to notify affected individuals.
- 2. Public bodies and health custodians are not required to report such incidents to the OIPC but are encouraged to contact the OIPC for advice and consider notifying affected individuals.
- 1. Increase in extortion-driven and ransomware incidents.
- 2. Mandatory breach notification.
- 3. Increased risk with use of mobile devices.
- 4. Greater use of real-time intelligence tools to monitor live attacks.
- 5. Greater focus on risks posed by third-party vendors and suppliers.
- • Financial regulators, struggling to keep up with the onslaught of new threats to the public’s sensitive financial and personal data, have spent the last few years examining corporate cybersecurity practices, policies, and procedures and communicating their expectations to executives.
- • This year, expect regulators to hold companies accountable for their cybersecurity failings.
- • A group of Canadian information security professionals said that the number of cyberattacks faced by organizations in 2015 rose 17% from the previous year, according to a new survey, and just over half of them acknowledged that sensitive information had been stolen or accessed.
- • The survey, conducted by Scalar Decisions Inc., a systems integrator headquartered in Toronto, polled 654 information technology professionals and IT security specialists working in Canada across a wide variety of sectors.
- • In its annual Regulatory and Examination Priorities Letter, published January 5, FINRA said that cybersecurity is a technology management issue that supervision, controls and risk management must address as a priority.
- • The letter states: “FINRA will review firms’ management of cyber risks from one or more of the following angles, depending on the firm’s type of business and risk profile: governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training.”
- • In its notice on examination priorities for 2016, cybersecurity tops the SEC’s priorities because at least 74% of advisers have been the target of a cyberattack, according to a recent review conducted by the SEC.
- • According to a survey conducted by EY, more than a third (36%) of organizations still do not believe they are able to detect a sophisticated cyberattack.
- • That figure is lower than last year’s (56%), but it is still a concern, because cyberattacks are increasingly sophisticated.
- • Consumers are increasingly asking the companies they do business with to protect them better. Encrypting your website is a good start.
- • Consumers want it. And more importantly, Google wants it too.
- • Google has announced that its search engine will take website security into account. In other words, sites whose address begins with HTTPS will rank better in a Google search. “It is a very slight warning; however, over time we may decide to be stricter,” the company said.
- • A PwC report describes how employees can unknowingly fall victim to various types of cyberattack.
- • IIROC published two documents on Monday to help investment dealers and their clients deal with cyber threats and withstand cyberattacks.
- • The article contains links to resources.
- • Leading by example: the Investment Industry Association of Canada is helping member firms deal with global cyber threats.
- • “Cyberattacks are far too sophisticated and dangerous to leave their prevention solely to the company’s information technology department,” Ian Russell, chief executive officer of the Investment Industry Association of Canada, said Tuesday in a letter to members.
- • BNN interview with Ian Russell, president and chief executive officer of the Investment Industry Association of Canada, on what he calls the six essential elements of a leading cybersecurity program.
- • Financial-sector firms have been, and will continue to be, prime targets for hackers. In his latest letter on the industry, Ian Russell, president and CEO of the IIAC, sets out the six essential elements of an effective cybersecurity program for Canadian investment dealers.
- • Canadian financial services and advisory firms should adopt programs to protect their operations against cyberattacks, according to Ian Russell, president and CEO of the Toronto-based Investment Industry Association of Canada.
- • “It is impossible for your firm to withstand every cyberattack. However, you can put systems in place in your organization to repel most cyberattacks. Moreover, even if a cyberattack is not repelled, you can deal with it quickly and efficiently before it causes significant damage,” Mr. Russell said during his presentation at the 2015 edition of the Conférence pour les conseillers d’élite held in Puerto Vallarta [on November 9].
- • Click on the article to learn the essential elements of an effective cybersecurity program.
- • Eighty-three per cent of people surveyed during a conference [held by the Global Risk Institute] in Toronto said that Canadian financial institutions are exposed to the risk of technological disruption.
- • “They are telling us clearly that cybersecurity [and] technological disruption are what matter most to them,” said Richard Nesbitt, chief executive officer of the Global Risk Institute.
- • He added that “there is a lot of concern about cybersecurity breaches – that is, hacking – because it is an uncontrollable risk.”
- • Cyberattacks against financial institutions to extort money in exchange for not publishing sensitive information are on the rise, the Federal Financial Institutions Examination Council warns. “Financial institutions should address this threat by conducting regular cybersecurity risk assessments and by monitoring control and information systems,” the council said. “In addition, financial institutions should put in place an effective business continuity program to respond to this type of cyberattack in order to ensure operational resilience.”
- • The cybersecurity program will begin operating next year, as savvy organizations start using identifiers that are difficult to reproduce, forge, steal or guess, such as fingerprints, retinas, posture, gait and even the way a person uses a computer keyboard.
- • “If their data has not been hacked yet, it will be. I think every organization will admit today that it is only a matter of time,” Ali Solehdin, a senior product manager at Absolute Software Corp. in Vancouver, British Columbia, said in a recent interview. “Hackers spend a lot of time learning about vulnerabilities and looking for them. In many cases, they know more about the organization’s IT infrastructure than the organization itself.”
- • As breaches become more frequent, Mr. Solehdin believes cybersecurity must focus on detection rather than defence.
- • A [U.S.] securities advisory firm agreed to pay $75,000 to settle an SEC complaint that it had failed to put a cybersecurity program in place before a computer breach compromised the personal information of 100,000 people, including the records of some of the firm’s clients.
- • “I don’t want you to be paranoid – but maybe you should be,” he told the crowd attending a cybersecurity conference held Thursday in Toronto.
- • Mr. Calce made it clear during his presentation at the conference held by the Investment Industry Association of Canada that he could also provide practical advice for a fee.
National Law Review – March 24, 2017 – Mnuchin makes cybersecurity top tech priority
Selected passages
New York Times – March 23, 2017 – The Next Front in Cyberwarfare
Selected passages
Fortune.com – March 7, 2017 – Cybercriminals impersonate SEC to get inside information
Selected passages
Financial Post – March 8, 2017 – New York’s new financial cyber security laws have Canadian experts taking note
Selected passages
IT World Canada – March 7, 2017 – Cyber security certification program for Canadian SMBs to launch soon
Selected passages
IT World Canada – March 2, 2017 – Mandatory cyber audits coming for publicly-traded companies, Canadian audience told
Selected passages
IT World Canada – March 2, 2017 – Canada under-invests in IT, senior bureaucrat tells cyber security conference
Selected passages
Advisor.ca – February 28, 2017 – Major data breach touches U.S. robo, but risk ‘extremely low’
Selected passages
Reuters – January 26, 2017 – Hong Kong securities brokers hit by cyber attacks, may face more: regulator
Selected passages
Investment News – January 17, 2017 – N.Y.’s cybersecurity rules take effect March 1
Selected passages
The Globe and Mail (subscription required) – December 29, 2016 – Top five worries of mid-sized companies for 2017
Selected passages
Canadian Business – December 21, 2016 – Cyber-security gaps that small businesses need to watch out for
Selected passages
Financial Post (Reuters article) – December 28, 2016 – New York financial regulator eases proposed cyber rules after industry complaints, delays launch
Selected passages
Canadian Business – December 22, 2016 – Cyber-security gaps that small businesses need to watch out for
Selected passages
Financial Post (Reuters) – December 28, 2016 – New York financial regulator eases proposed cyber rules after industry complaints, delays launch
Selected passages
New York Law Journal (subscription required) – November 30, 2016 – Financial Industry Groups Slam NY State’s Proposed Cybersecurity Rules
Selected passages
American Banker – November 29, 2016 – A Customer Data Bunker that Could Survive Catastrophe
Selected passages
Pensions & Investments Monitor – November 28, 2016 – Managers might see cybersecurity regulations soon; Upcoming bank rules could serve as a model for money management firms
Selected passages
Wall Street Journal (subscription required) – November 22, 2016 – Trade Groups Adopt Plan to Better Shield Depositors, Investors From Cyberattacks; Plan to fortify cybersecurity defenses by standardizing data storage for retail accounts
Selected passages
Investment Executive – November 17, 2016 – CSA to host cybersecurity roundtable in early 2017
Selected passages
Investment Executive – November 15, 2016 – Firms struggle with cybersecurity
Selected passages
Investment Executive – October 19, 2016 – Canada is world’s fourth-largest cybersecurity hub, report finds
Selected passages
Conseiller.ca – October 14, 2016 – A new monthly cybersecurity newsletter
Selected passages
Wall Street Journal (subscription required) – October 11, 2016 – Group of Seven Economies Reach Deal to Bolster Financial Cybersecurity
Selected passages
Advisor.ca – September 28, 2016 – CSA pushes for online security improvements
Selected passages
Financial Post – September 10, 2016 – ‘They’re not safe’: Smaller firms, financial institutions becoming more vulnerable to cyber attacks
Selected passages
IT World Canada – August 16, 2016 – Ottawa announces public consultation on cyber security strategy
Selected passages
The Globe and Mail – August 10, 2016 – Ten tips to keep your workplace data secure
Selected passages
Canadian Underwriter – August 10, 2016 – Global cybersecurity market to grow from US$122.45 billion to US$202.36 billion by 2021: report
Selected passage
Conseiller.ca – July 27, 2016 – The Cybersecurity Industry Today: A Conversation with Congress and the Financial Services Industry
Selected passage
SIFMA – July 26, 2016 – The Cybersecurity Industry Today: A Conversation with Congress and the Financial Services Industry
Selected passage
IT World Canada – July 14, 2016 – Ransomware in real time: How hackers infiltrate secured systems
Selected passages
Business in Vancouver – July 4, 2016 – Canadian companies are woefully behind when it comes to cyber security
Selected passages
Investment Executive – June 9, 2016 – U.S. authorities issue cybersecurity bulletin
Selected passage
Investment Executive – June 3, 2016 – SEC appoints cybersecurity senior advisor
Selected passage
Investment Executive – May 27, 2016 – Minimizing the cybersecurity threat
Selected passages
Investment Executive – May 25, 2016 – The growing threat of cyberattacks
Selected passage
The Globe and Mail – May 20, 2016 – Ransomware in real time: How hackers infiltrate secured systems
Selected passages
Office of the Information and Privacy Commissioner of Alberta – March 23, 2016 – Advisory for Ransomware
Selected passages
Advisor.ca – March 1, 2016 – 5 cyber security trends affecting businesses
Selected passages
CFO.com – February 24, 2016 – Financial Regulators Have Cyber on Their Minds
Selected passages
IT World Canada – February 9, 2016 – Half of cyberattacks against Canadian companies are not repelled, survey suggests (in English)
Selected passages
CNBC – February 2, 2016 – Will your wealth manager be the target of a cyberattack? (in English)
Selected passages
Advisor.ca – January 26, 2016 – A third of companies cannot detect a cyberattack (in English)
Selected passages
Canadian Business – January 25, 2015 – Here is why you should start encrypting your entire website (in English)
Selected passages
Investment Executive – January 13, 2016 – Employees are the main cause of cybersecurity breaches (in English)
Selected passages
Investment Executive – December 21, 2015 – IIROC guidance helps investment dealers strengthen their cybersecurity programs (in English)
Selected passages
Canadian HedgeWatch – December 5, 2015 – Canadian investment dealers strongly urged to adopt a detailed program for dealing with cyberattacks (in English)
Selected passage
National Post – November 25, 2015 – Canadian investment dealers urged to develop detailed plans to protect themselves from cyberattacks (in English)
Selected passage
BNN – November 24, 2015 – Ian Russell, president and CEO of the IIAC, sets out the six essential elements of an effective cybersecurity program (in English)
Selected passage
Advisor.ca – November 24, 2015 – How do you protect yourself from hackers? (in English)
Selected passage
investmentexecutive.com – November 10, 2015 – How to withstand cyberattacks: IIAC head Ian Russell sets out the essential elements of an effective cybersecurity program (in English)
Selected passages
Financial Post – November 10, 2015 – Bankers say cybersecurity and disruption caused by new technologies are the new top risks (in English)
Selected passages
investmentexecutive.com – November 4, 2015 – Cyber-extortion attempts against financial firms are on the rise (in English)
Selected passages
Economist.com – November 2, 2015 – Countering hacking: how can businesses defend themselves? (in English)
Selected passage
Financial Post – September 22, 2015 – “If their data has not been hacked yet, it will be”: companies know very well that hacking is inevitable, but they will not admit it publicly (in English)
Selected passages
Investmentnews.com – September 22, 2015 – SEC penalizes an advisory firm for a cybersecurity lapse before the data was hacked (in English)
Selected passage
Financial Post – June 5, 2015 – Michael Calce, alias “Mafiaboy”, warns that hackers attack companies 24 hours a day, 7 days a week (in English)
Selected passages