IIROC issues Notice regarding cybersecurity in cloud services and application programming interfaces

(Available in English only)

July 6, 2020 | David Krebs

On June 24, 2020, the Investment Industry Regulatory Organization of Canada (“IIROC”) released an Education Notice to members (“Cybersecurity – Cloud Services and Application Programming Interfaces”) outlining key elements of cybersecurity strategies pertaining to adoption and implementation of cloud services and to application programming interfaces (“API”).

Earlier in the spring, IIROC released a Notice to members regarding increased risk to cybersecurity due to the COVID-19 pandemic (COVID-19 and Cybersecurity – Tips for Advisors and Employees). As we have reported in previous blog posts, these increased threats do not only affect the financial industry.

This current IIROC Notice was released due to an increase in adoption of cloud services and, with that increase, a rise in bad actors targeting cloud services and vulnerabilities in APIs to harm organizations. This Notice contains useful tips for any organizations, not only IIROC member institutions.

The following risk mitigation controls were highlighted for cloud services:

  • Secure Authentication Methods: MFA (Multifactor Authentication) is a must in the cloud environment and should be strictly enforced so that only authorized personnel can access systems; that is, ensuring access cannot be gained by username and password only.
  • Roles and Responsibilities: understand which security features are managed by the vendor and which are handled by the organization/purchaser, so that no gaps exist between the two.
  • Effective on- and off-boarding: this ensures past employees, contractors and other staff do not retain access after they are no longer authorized users.
  • Vendor Due Diligence: we could not agree more that understanding the vendor, what controls and compliance policies are in place and their data flow and residency is crucial.
  • Monitoring: procedures should exist that allow for timely detection of “anomalous behaviour.”

The following risk mitigation controls were highlighted for the use of APIs:

  • Data Flows: firms should conduct a review of the type of data that flows through an application, classifying and mapping controls. This should be a key starting point for any application or system implementation – organizations need to understand the data that is at stake and its sensitivity.
  • Authentication and Encryption: this is part of cybersecurity hygiene, and options should be assessed based on types and sensitivity of data.
  • Brute Force and DDoS attack detection: allowing connections from anywhere is a strength but also a key vulnerability. Firms should assess detection solutions (for example, detecting suspicious behaviour from malicious IP addresses).
  • API design: applications should be designed with data security in mind. If an application is not designed to be secure from the outset, patching it after the fact will be more difficult and less effective. For more information regarding “privacy by design,” please refer to a past entry on the subject.

This Notice provides a good reminder of steps organizations can take to protect themselves from cybersecurity threats. Having a strong program in place that reviews and monitors the changing threat landscape is an effective way of minimizing risks associated with cybersecurity incidents.

If you would like more information about how we can help your organization with cybersecurity preparedness, vendor selection or data privacy, please reach out to David Krebs or another member of our privacy and cybersecurity team.

Disclaimer

This publication is provided for informational purposes only. It may contain material from other sources and we do not guarantee its accuracy. This publication is neither legal advice nor a legal opinion.

Miller Thomson LLP uses your contact information to send you electronic communications about legal matters, seminars or events that may be of interest to you. If you have any questions about our information practices or our obligations under Canada’s anti-spam legislation, please send an email to [email protected].

© Miller Thomson LLP. This publication may be reproduced and distributed in its entirety provided that no changes are made to its form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP, which may be obtained by sending an email to [email protected].