IIROC issues Notice regarding cybersecurity in cloud services and application programming interfaces

July 6, 2020 | David Krebs

On June 24, 2020, the Investment Industry Regulatory Organization of Canada (“IIROC”) released an Education Notice to members (“Cybersecurity – Cloud Services and Application Programming Interfaces”) outlining key elements of cybersecurity strategies pertaining to adoption and implementation of cloud services and to application programming interfaces (“API”).

Earlier in the spring, IIROC released a Notice to members regarding increased risk to cybersecurity due to the COVID-19 pandemic (COVID-19 and Cybersecurity – Tips for Advisors and Employees). As we have reported in previous blog posts, these increased threats do not only affect the financial industry.

This current IIROC Notice was released due to an increase in adoption of cloud services and, with that increase, a rise in bad actors targeting cloud services and vulnerabilities in APIs to harm organizations. This Notice contains useful tips for any organizations, not only IIROC member institutions.

The following risk mitigation controls were highlighted for cloud services:

  • Secure Authentication Methods: MFA (Multifactor Authentication) is a must in the cloud environment and should be strictly enforced so that only authorized personnel can access systems; that is, ensuring access cannot be gained by username and password only.
  • Roles and Responsibilities: the importance of understanding what security features are managed by the vendor and which will be handled by the organization/purchaser to ensure no gaps exist.
  • Effective on and off-boarding: this will ensure past employees, contractors and other staff do not have access after they are no longer authorized users.
  • Vendor Due Diligence: we could not agree more that understanding the vendor, what controls and compliance policies are in place and their data flow and residency is crucial.
  • Monitoring: procedures should exist that allow for timely detection of “anomalous behaviour.”

The following risk mitigation controls were highlighted for the use of APIs:

  • Data Flows: firms should conduct a review of the type of data that flows through an application, classifying and mapping controls. This should be a key starting point for any application or system implementation – organizations need to understand the data that is at stake and its sensitivity.
  • Authentication and Encryption: this is part of cybersecurity hygiene, and options should be assessed based on types and sensitivity of data.
  • Brute Force and DDoS attack detection: allowing connection from anywhere is a strength but also key vulnerability. Firms should assess detection solutions (for example, detecting suspicious behaviour from malicious IP addresses).
  • API design: applications should be designed with data security in mind. If it is not designed to be secure from the outset, it will be more difficult and less effective if it is patched after-the-fact. For more information regarding “privacy by design,” please refer to a past entry on the subject.

This Notice provides a good reminder of steps organizations can take to protect themselves from cybersecurity threats. Having a strong program in place that reviews and monitors the changing threat landscape is an effective way of minimizing risks associated with cybersecurity incidents.

If you would like more information about how we can help your organization with cybersecurity preparedness, vendor selection or data privacy, please reach out to David Krebs or another member of our privacy and cybersecurity team.

Disclaimer

The blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of the blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.