Cybersecurity audits... Don't neglect them!
Businesses and workers in the financial sector are prime targets for hackers. External audits and assessments are essential tools to test your defenses and uncover vulnerabilities before they can be exploited.
Companies are much more aware than before of the financial, operational, and reputational risks that cybersecurity issues can entail. The number of stakeholders interested in these matters has also increased. Investors or potential buyers, for example, will want to obtain detailed and verified information about a company's cybersecurity capabilities.
"These assessments are divided into two main categories: compliance, which provides an overview of governance, processes, and security technologies, as well as technological tests, which directly seek out vulnerabilities in the company's defenses," explains Yassir Bellout, Associate, Cybersecurity Advisory Services at KPMG Canada.
Compliance assessments are done every two or three years, but technological tests should be much more frequent (monthly or quarterly). "It's essential to find vulnerabilities and patch them up as quickly as possible," adds Yassir Bellout.
For a long time, audits mainly served to check compliance with certain standards, such as ISO 27001, or specific norms adapted to different sectors of activity. It was therefore about comparing strategies to a fixed framework. But a cyberattack is anything but fixed.
"There are always humans on one side trying to bypass the company's defenses, and on the other side, humans striving to prevent them," says Amir Belkhelladi, Associate and National Leader of Cybersecurity Services at Deloitte Canada. Therefore, cybersecurity audits have become very dynamic to better correspond to this reality."
"The advantage always goes to attackers, as defenders must ensure they spot and patch up numerous potential vulnerabilities, while attackers only need to find one to cause damage." — Yassir Bellout
IN 2021, NEARLY ONE IN FIVE CANADIAN BUSINESSES WAS AFFECTED BY AT LEAST ONE CYBERSECURITY INCIDENT. FOR BUSINESSES WITH 50 TO 249 EMPLOYEES, THE PROPORTION WAS ONE IN FOUR, AND FOR BUSINESSES WITH OVER 250 EMPLOYEES, IT WAS OVER ONE IN THREE.
IN 2021, 61% OF CANADIAN BUSINESSES SPENT A TOTAL OF $9.7 BILLION TO DETECT OR PREVENT CYBERSECURITY INCIDENTS. THIS IS TWO BILLION MORE THAN IN 2019.
Source: Statistics Canada, Impact of Cybercrime on Canadian Businesses, 2021
Of course, audits continue to analyze policies, security procedures, and data management practices in place and verify that they comply with recognized standards or adhere to industry regulations. They also thoroughly examine different computer systems. But blind technological tests are becoming more common.
A firm like Deloitte, for example, will use "red teams," meaning ethical hackers, to conduct fake attacks on a company. These operations can last several weeks. The hackers take the time to study their target, understand what is valuable to it, or could be valuable to attackers, assess defenses, and then attempt to breach them. The employees of the targeted company are unaware that it's a test.
"Financial services are very eager for these exercises, as the stakes are enormous for them in case of a security breach," notes Amir Belkhelladi.
Technological tests conducted within audits or simple cybersecurity assessments thus aim to replicate the cat-and-mouse game between attackers and defenders in this type of situation as closely as possible.
"The advantage always goes to attackers, as defenders must ensure they spot and patch up numerous potential vulnerabilities, while attackers only need to find one to cause damage," Yassir Bellout states. For this reason among others, it's necessary to multiply tests.
Could artificial intelligence (AI) upset the balance of power in favor of one side or the other? In the short term, both KPMG and Deloitte experts doubt it, but the consequences in the medium and long term remain harder to predict. "There's a lot of cybersecurity data that could eventually be used to train AI tools that would help with defense, but that remains to be seen," believes Amir Belkhelladi.
In its most recent risk analysis, the Office of the Superintendent of Financial Institutions (OSFI) is more concerned about the repercussions of several complicated geopolitical situations, notably the war in Ukraine. "With the emergence of new regional or global conflicts, risks attributed to targeted cyberattacks, and their repercussions, could become more common," the organization writes.
In April 2023, the Laurentian Bank's website, that of Prime Minister Justin Trudeau, as well as Hydro-Québec's website and mobile application, were all hit by a Russian group's cyberattack that rendered them inaccessible for a certain period.
"Company leaders become more aware of risks after they've been attacked," notes Yassir Bellout. As attacks multiply, the cybersecurity culture should continue to strengthen over the next few years.
New regulations require financial companies to be rigorous in protecting their data.
On the federal side, OSFI released guideline B-13 in July 2022, which will take effect on January 1, 2024. The Bureau also published a new Intelligence-Based Cyber Resilience Test Execution Framework (TCFR) in April 2023. This approach aims to enhance the technological resilience and cyber resilience of financial institutions in complex attack scenarios. The framework applies to all domestically significant banks and internationally active insurance groups.
In Quebec, since September 2022, Law 25 obliges companies to designate a person responsible for the protection of personal information and to publish their contact information on their website. In the event of a confidentiality incident, the organization must take reasonable measures to reduce harm to the affected individuals and prevent future incidents. It must notify the Commission d'accès à l'information du Québec and the affected individual if the risk of harm is serious, in addition to maintaining an incident register.
Starting from September 2023, organizations will need to establish and implement policies and practices to govern their personal information management and publish detailed and clear explanations about it. They will need to inform their clients about the methods used to collect data and the purposes for which they will use it, and also obtain free and informed consent for each objective and destroy or anonymize data once these objectives are achieved.
The Autorité des marchés financiers' guideline on managing risks related to information and communications technologies, effective since February 2021, must also be followed by insurers and deposit-taking institutions and trust companies. Firms and representatives must adhere to section 6.2 of the Inscribed Persons Governance and Compliance Guide. Brokers and securities advisers and fund managers must follow the directives of CSA Staff Notice 11-332 - Cybersecurity and CSA Staff Notice 33-321 - Cybersecurity and Social Media. The Canadian Securities Administrators and the Investment Industry Regulatory Organization of Canada also issue their guidelines.