In today’s business climate, securities issuers and dealers are making a serious mistake if they fail to fully appreciate the implications of cyber-security for their business. Cyber-risk is the “new normal” in the financial industry and a failure to recognize and plan for this known business risk exposes companies (and their directors and officers) to civil claims and regulatory prosecution.
Over the last few years there have been several high-profile ‘hacks’ that illustrate the types of vulnerabilities that securities dealers and issuers face. In 2015, after a group of hackers stole and posted user data for the dating site Ashley Madison, the company’s revenue fell by approximately 25%, and it paid millions in regulatory penalties and the settlement of class action claims. More recently, the massive hacking of Equifax is believed to have provided identity thieves with confidential personal and financial information for more than a hundred million people. The breach, as well as the credit reporting agency’s largely-maligned response, resulted in a precipitous drop in Equifax’s share price, the announcement of numerous class action lawsuits, a congressional investigation, and the termination of the company’s chief executive and other senior officers.
Securities dealers are prime targets for financially or politically motivated hackers because they are often closely interconnected, maintain extensive personal and financial data, hold and trade large sums, and are (to some) symbolically representative of global capitalism. The Securities and Exchange Commission (“SEC”) announced in 2015 that 88% of broker dealers and 74% of advisors had been the target of a cyber-attack in the past year. In the very recent Staff Notice 33-321 – Cyber Security and Social Media, the Canadian Securities Administrators (“CSA”) reported that 51% of firms had experienced a cyber incident in the past year. Very recently, the SEC (which, ironically, suffered a cyber-breach of its own in 2016) established a specific Cyber Unit to target internet-based misconduct.
The International Organization of Securities Commissions has categorized cyber-attacks in the financial sector as falling into one of three categories:
(a) Attacks on confidentiality: these typically involve unauthorized access to sensitive data, such as information on corporate deals, intellectual property such as trading algorithms, or clients’ access credentials or information;
(b) Attacks on integrity: these may affect the accuracy or consistency of data or systems relating to financial assets or personal information by changing or destroying important information; and
(c) Attacks on availability: typically, these will disrupt the orderly and efficient operation of trading or reporting systems.
Stolen information may be used to commit fraud or identity theft, engage in manipulative trading, disrupt trading platforms or other important market architecture, or seek an unfair competitive advantage. In some cases attackers may seek a quick ‘ransom’ payment (often in Bitcoin) in exchange for reinstating access. These events can be enterprise-threatening, and the cost of dealing with them is rising; in 2015 the average cost of responding to a data breach was estimated to be USD$3.79 million. These costs can include the cost of notifying clients of the breach (including setting up a call or contact information center, contacting credit monitoring agencies, and retaining the services of a public relations firm), investigating the breach, reviewing the internal processes and policies that have been shown to be deficient, and providing compensation to affected individuals. There will also be costs associated with the hiring of legal counsel and other forensic experts, as well as potentially significant costs associated with defending the resulting civil claims and regulatory investigations.
Liability can not only result from breaches or attacks carried out by external hackers or third parties, but also where employees lose or misuse confidential information. In 2012, the Ontario Court of Appeal recognized that plaintiffs could sue defendants for the tort of invasion of privacy (or ‘intrusion upon seclusion’) even where they did not suffer any economic harm. Since then, courts have certified several class action claims for this cause of action. One case, for example, involved a bank employee who improperly accessed and disseminated mortgage application information. In another case, the court certified a class action involving a government employee who lost a hard drive with student loan information. Prosecuting such claims as class actions can amplify what are often small claims on an individual level into very large claims that can be life-threatening to smaller issuers and dealers. Even where the damages are small, the cost of managing a response to an incident can be very high.
Cyber-liability has also become an increasing cause of regulatory scrutiny, and securities regulators are now conducting detailed assessments of the readiness and ability of securities dealers to handle cyber-risks. The CSA have identified cyber-security as a priority for 2016-2019, and have recently published notices that cite issues with the adequacy of public disclosure of cyber-liability risks and with registered dealers’ cyber-security and social media policies. The CSA has made it clear that while only 57% of firms have cyber-security policies in place, it is its expectation that “[a]ll registered firms should adopt cyber security…practices that include preventative practices, training to all staff and a response plan.” The authors expect that compliance audits carried out in the next year will deal with these issues specifically.
The MFDA has also published a bulletin aimed at enhancing guidance on cyber-security issues for its members, and IIROC has published best practices and incident management guides for its Dealer Members. In combination with the most recent guidance in Staff Notice 33-321, these publications are excellent sources for registered dealers looking to bolster their policies and procedures in this area. More generally, the recently passed Digital Privacy Act has made a number of important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), including a mandatory requirement for organizations to give notice to affected individuals and the privacy commissioner in certain circumstances, to notify other organizations if such notice can reduce risks or mitigate harm, and to keep records of all breaches. Fines for violations can be as high as $100,000.
Potential perpetrators of cyber-attacks are increasingly sophisticated, and can cause extensive damage very quickly. Firms lacking the proper governance structure and systems to effectively manage a cyber breach are likely to find themselves in serious trouble when this risk materializes. Effective preparation starts with understanding the particular risks of a business, retaining the right personnel, having detailed policies and procedures in place, and having appropriate insurance coverage. Cyber insurance (which only 59% of respondents surveyed by the CSA have) must be a key part of this planning because the right policy will provide access to a range of resources in the event of a breach, including a law firm with the expertise to act as “breach coach” and coordinate the response. These policies will typically provide coverage for the very significant cost of responding to a cyber-breach, something that conventional insurance may not provide. Reviewing your insurance and understanding where there are gaps in coverage is therefore a crucial first step.
The CSA expects firms to have a “cybersecurity framework” in place to manage risk. This is to be more than just a reactive response plan, and will entail “a complete set of organizational resources, including policies, staff, processes, practices and technologies used to assess and mitigate cyber risks and attacks.” Firms must ensure there is internal integration between business units and that the key responders in the case of a cyber-event are not isolated from the broader business. Having a strong plan that includes clear and delineated responsibilities and trained and experienced personnel is particularly important in the first few days of a cyber-breach, where time can be critical. Having the right framework and training will also reduce the overall cost of the response and the need to rely on expensive external service providers. Finally, the speed of technological innovation means that issuers and dealers must regularly and thoroughly review the adequacy of their current cybersecurity framework to ensure they can effectively manage this evolving risk.
 See Cybersecurity Examination Sweep Summary, SEC National Exam Program Risk Alert, Vol IV, Issue 4, published February 3, 2015. Available online at: https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf
 See IOSCO, Cyber Security in Securities Markets – An International Perspective (April 2016), available online at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD528.pdf (“IOSCO Report”).
 See IOSCO Report, citing the Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis.
 Jones v. Tsige, 2012 ONCA 32. This tort requires a plaintiff to prove that the defendant intentionally (or recklessly) invaded the plaintiff’s private affairs or concerns without lawful justification, and that a reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish.
 Evans v Bank of Nova Scotia, 2014 ONSC 2135. Somewhat similarly, in 2015 in the United States a Morgan Stanley financial adviser was fired for stealing approximately 350,000 clients’ account data and posting some of it for sale online.
 Condon v. Canada, 2014 FC 250.
 CSA Staff Notice 11-332 Cyber Security; CSA Multilateral Staff Notice 51-347 Disclosure of cyber security risks and incidents; CSA Staff Notice 33-321 – Cyber Security and Social Media,
 See the Best Practices Guide online at: http://www.iiroc.ca/industry/Documents/CyberIncidentManagementPlanningGuide_en.pdf
The Cyber Incident Management Planning Guide is Available online at: http://www.iiroc.ca/industry/Documents/CybersecurityBestPracticesGuide_en.pdf
 CSA Staff Notice 33-321 – Cyber Security and Social Media,
 CSA Staff Notice 11-332 Cyber Security.