The Investment Industry Regulatory Organization of Canada (“IIROC”) has published a Cybersecurity Notice on Ransomware (the “Notice”), which flags a recent uptick in ransomware attacks on IIROC firms and provides guidance on how IIROC firms should prevent, detect, respond to and recover from ransomware attacks.
Ransomware has become the most common cyber-crime. While ransomware inherently consists of a malware-based attack on computer systems that results in encryption of data and a demand for ransom, it now increasingly involves a “double extortion” model, where sensitive data (personal information and/or confidential business data) are exfiltrated from those systems, with a threat to release them publicly if a ransom is not paid.
The Notice is the latest development in IIROC’s ongoing efforts to increase cybersecurity preparedness among firms, and follows a series of related notices including IIROC’s Cybersecurity Notice on Mandatory Incident Reporting (which we discuss in our previous blog post).
What are the implications of IIROC’s Cybersecurity Notice on Ransomware?
IIROC member firms must be aware of the heightened risk of ransomware attacks, and are expected to implement comprehensive measures to prevent, detect, mitigate, respond to and recover from such attacks. The Notice is presented as a set of recommendations for what IIROC firms should do at a minimum to reduce exposure, but the recommendations are not exhaustive.
What protection, identification and detection strategies does IIROC recommend?
IIROC identifies the key threat vectors for ransomware as including:
- Phishing attacks, i.e. compromise of a system via employees clicking on malicious links or attachments;
- “Drive-by downloads”, i.e. individuals visiting compromised websites or clicking on malicious advertisements on legitimate websites;
- Stolen credentials made available by employees’ re-use of breached credentials in the work context; and
- Brute-force entry into vulnerable networks or servers.
To prevent ransomware from deploying, IIROC advises firms to establish comprehensive controls, which should include:
- Firm-level controls, policies and procedures to ensure that anomalous behaviors are quickly addressed, and that suspected attacks are quickly investigated.
- Information back-up controls to ensure all systems and data are backed up (with frequent back-ups for critical information), and that all backups are tested for integrity and stored separately from production networks.
- Technology controls to protect devices and networks, including strong access management controls, regular system updates, web filtering tools, remote desktop access restrictions, anti-malware/virus capabilities at key points in the environment (including “sandboxing” to safely test malicious attachments), and a Security Information and Event Management (“SIEM”) platform to aggregate event and security data to assist with response and recovery.
- Employee, contractor and advisor education to encourage vigilance when clicking on links, including through frequent phishing awareness training and tests, and regular reminders of the firm’s response protocols and the importance of notifying IT whenever unusual activity is noticed.
- Monitoring for anomalous behavior to detect and mitigate attacks, including by implementing a Continuous Security Monitoring (“CSM”) function and an Endpoint Threat Detection and Response (“EDTR”) solution, and by using other tools to monitor for malicious addresses, network traffic activity, and abnormal login activity (including unusual lateral movements through networks).
As part of the firm-level controls, IIROC also recommends considering what type and amount of cybersecurity insurance is appropriate given a firm’s risk levels. The importance of obtaining separate cyber-specific insurance policies was recently emphasized in a decision from the Ontario Court of Appeal, in which the Court narrowed the availability of insurance coverage for cyber matters under traditional insurance policies (see our recent blog post for more details on the case, Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, 2021 ONCA 0159).
What recovery and response strategies does IIROC recommend?
IIROC recommends that firms implement controls to help with recovery and response in the event of a ransomware attack, which should require the firm to:
- Immediately isolate the infected device to limit the scope of the attack, including through network protection measures such as updates, account suspensions, and requiring new log-in credentials.
- Determine if a salvageable clean backup is available for any of the data and if so, ensure the backup contains no malware and that the data recovery will not impede a thorough forensic investigation, and consult with legal counsel on any decision to pay or not pay the ransom.
- Investigate the incident to assess the scope of the attack, including by engaging an external forensic team to determine the root cause, and by determining if a data breach occurred that affected private or confidential information (and if so, follow incident response protocols, including any applicable notification requirements). (As an aside, it may be prudent to consult a breach coach prior to engaging that forensic team in order to evaluate a legal strategy and better understand the role of solicitor-client and litigation privilege in the context of a breach response).
- Report the incident to applicable authorities, including privacy commissioners, regulators and law enforcement, and provide any required information to the firm’s IIROC Financial & Operations Compliance manager if the incident is subject to IIROC Rule 3100(B.1.1) Cybersecurity Reporting.
Interestingly, IIROC does not wade into the thorny (and legally complex) question of evaluating whether a ransom should be paid in order to recover data or prevent the publication of personal information. Such a decision involves complex and quickly evolving legal and practical considerations that should be evaluated on a case-by-case basis with the help of experienced practitioners.
By Gregory Corosky, Daniel G.C. Glover and Michael Scherman
- Should directors consider creditors’ interests when a corporation is near insolvency? - November 21, 2022
- Domestic violence: Obligations and responsibilities of employers in Quebec - October 26, 2022
- An evolving digital privacy landscape—Comparing the federal Bill C-27’s CPPA to Quebec’s Bill 64 - October 24, 2022