L’Financial Markets Authority issued a public notice on January 26 to remind large financial institutions under its jurisdiction of the risks posed by cybersecurity issues.
“The recent incidents have put into perspective the pervasive threat to all organizations in terms of information technology risks,” said in a statement Louis Morisset, CEO of the Authority. Since 2013, the AMF has continuously communicated to the various clienteles that it oversees its growing concerns with regard to cyber risks. We are asking them again today to significantly increase their level of vigilance and to step up the surveillance of their technological environments. “
30 events in 2 years
In interview at Insurance portal, Sylvain Théberge, spokesperson for the Authority revealed that around thirty events related to the cybersecurity of large financial institutions have been brought to the attention of the Authority over the past two years. Faced with this upsurge, the regulator has seen fit to reiterate certain demands on the industry, said Mr. Théberge.
“It is our responsibility to make our clients understand that we are supervising that we can clearly see what has been happening in recent years. What the Desjardins group or Promutuel Insurance are just a few examples. There is an upsurge in computer security incidents. There is nothing alarming behind our goal of communicating this reminder of good habits to have. It is also a reminder that we are monitoring the industry like a good father does, ”says Théberge.
3 requests
Thus, the Authority is making three requests to large financial institutions via its public reminder:
- Submit their technological environments to periodic intrusion tests, in order to assess the correct functioning and the sufficiency of the mechanisms in place;
- Raise awareness once again and on a regular basis to all their staff about the risks that phishing campaigns represent for information security;
- That business continuity plans are in place and up to date, in order to deal with any possible crisis management and to minimize potential damage.
Are there any shortcomings in these three chapters? No, said M. Théberge. “Generally speaking, there is a concern and work is being done. The important thing is not to rest on your laurels. Large financial institutions shouldn’t take it for granted that their systems do the job. You have to test them. We must carry out intrusion operations, while being at the cutting edge of technology and security. Financial institutions have the right things in place, but they must maintain the highest possible level of vigilance. “
Communicate promptly
Could financial institutions targeted by computer attacks have done things differently? “The role of the Authority is not to criticize or pass judgments,” says Théberge. Both in terms of supervision and regulation, our role is to ensure that the priority of financial institutions is to secure their systems in the face of such situations ”
No one is bound to the impossible, recognizes Mr. Théberge. “We understand the situation of the institutions that have been targeted, because there is no victim of a cyber incident who can be proud of that. However, we want to ensure that concern and vigilance in the face of this issue is as high as possible. “
The AMF ends its letter by reminding you that it is the responsibility of the financial institutions and the companies it supervises to promptly inform it of any operational incident as well as any breach of personal information protection. His spokesperson also recalled this notion in an interview with the Insurance portal.
“As soon as there is such a cyber incident, the financial institution must report it promptly and ensure that the measures that are in place are adequate. They have no interest in delaying the transmission of information and not taking these risks seriously. We have no concerns in this regard. Our role is to reiterate the message that vigilance must always be at its maximum, ”said Mr. Théberge.
–
