In early 2017, the Investment Industry Association of Canada (IIAC) needed guidance for its member broker-dealers on evaluating vendor cyber security readiness. IIAC wanted a standard by which member firms could understand a vendor's true security stance and, from that, the risk inherent in sharing data with that vendor. The issue is material because broker-dealers routinely share extensive personally identifying information as well as detailed records of their investors' portfolios and transactions. The data included in these arrangements can be enough to unwittingly enable identity theft and fraud, to reveal investment strategies, and likely even to expose proprietary advice and algorithms. Vendors in the space range from law firms to the shops that print statements; they are many, and their level of competence in cyber security varies considerably.
I volunteered. I was already on the IIAC cyber security working group and had previously participated in a panel at an IIAC conference on cyber security. Moreover, I'd instituted a risk management and internal controls framework with a vendor in their industry, and had written my master's degree dissertation on the importance of alignment between vendors and regulated industry when it came to risk management. It is a subject that I find interesting because it is material to many industries (especially regulated industries) and I don't find it is very well understood.
When IIAC was looking for volunteers to participate in the vendor readiness evaluation guidance, I jumped at the chance. This was not a paid activity.
Working collaboratively with the IIAC working group, I put forward a high-level evaluation shaped with these objectives:
As a counterpart to a detailed checklist put forward by Vanessa Jalbert (another member of the working group, based on her work at MD Financial Management), I put together a set of 20 questions drawn from regulatory and cyber security standards including: OSFI Guideline B-10; the NIST Cybersecurity Framework; the SOC 2 control set; Public Safety Canada's "Top 4 Strategies to Mitigate Targeted Cyber Intrusions"; and the CIS Critical Security Controls.
For each of the twenty questions, I listed evaluation criteria and added guidance on interpreting the answers, so that non-practitioners in risk or cyber security could apply the questions without ambiguity.
The first three sections guide the user toward an understanding of the relationship between the broker-dealer and its vendor(s), the nature of the data, the nature of the risk, and the vendor's stance towards risk (at a high level). The final section gets into technical controls.
PART II – IDENTIFY THE SERVICE
PART III – SERVICE PROVIDER ENTITY CONTROLS
PART IV – SERVICE PROVIDER TECHNICAL SECURITY CONTROLS
I cannot share the final form of the work, which was published by the IIAC for member use only, but I can certainly share my draft submission. I have published an article based on my humble portion of that final work here.