February 9, 2016 | Toronto | by Laurie M Clark 


Education thwarts HACKERS!

2 case studies on how to better manage security breaches.

Recently, a slew of technical experts have come forward to discuss how to thwart would-be hackers from breaching the security measures protecting our business data and information. Especially today, as we increasingly use cloud services to run our business operations as efficiently as possible, we are more vulnerable to cyber attack.

While that discussion is useful for tactical and technical security measures, most ‘experts’ don’t recognize which measures are most needed by many Canadian investment participants. Many experts focus on highly sophisticated technical breaches, when some of the largest security breaches in recent times have been the result of a lone individual making simple mistakes with serious consequences. It’s actually the non-James-Bond-type events that can cause the greatest damage.

SUI has been asked by many capital market firms to conduct operational, technical and a variety of business security audits. We’d like to share our findings as examples of ‘non-egregious’ events that could have been avoided with more defined policies and procedures, thus eliminating embarrassing consequences for the firm including:

  • loss of business and professional reputation
  • loss of money
  • large legal costs
  • loss of public trust
  • loss of business
  • loss of employee morale


An increase in the targeting of financial institutions in the past few years is echoed in the research conducted by Price Waterhouse Coopers, which found that 45 percent of financial institutions have suffered from economic crime in the past year. It found that the top threats to the financial sector are asset misappropriation (67 percent), followed by cybercrime (39 percent).

When dealing with security breaches of a criminal nature, that is, breaches made with the intent to commit a crime, there are technically sophisticated measures firms can use; and there are myriad organizations that offer sophisticated tools and systems for handling such threats.

However, SUI is more interested in the security risk that befalls all organizations at one time or another when non-James-Bond-type events occur; these have become the more common risk. It is in this area that Smarten Up Institute has assisted many financial firms. Because we’ve reviewed and audited instances of security breach and have put definable procedures in place at client sites to manage the breach, we have gone on to develop a program to assist firms and their staff in dealing with this growing concern. Our program uses a multi-level approach, which includes training, policy and procedure creation, review and audit, and surprise live ‘tiger tests’ conducted by our specialized SUI Tiger Team.

It’s commonplace in today’s world for everyone to have access to enormous amounts of sensitive information and yet, many firms fail in helping associates to truly understand and exercise the regime of compliance and governance to which the firm and its staff are bound.

Compliance regulations are ever increasing and justifiably, they concentrate on aspects of the investor’s financial transactions and how the firm processes client interactions and requests. However, there is much more to accomplish in having all members of a firm understand the importance in dealing with information gathering, retention, distribution and maintenance.

Some firms don’t want to publicize their challenges or events, as they believe it may suggest they have a problem with security, which in turn can invite further breaches; the subject is also neither a sexy topic nor a revenue generator. A paragraph that mentions the topic in the HR Employee manual is typically the most attention this important subject will get.

Case #1


Recently, an individual took their company laptop offsite and misplaced it. When they remembered where they had left it and went to retrieve it, it was not to be found. This put the entire financial firm’s client information contained on the laptop’s hard drive in reach of the public and accessible to anyone who explored the computer. There was no criminal intent; it was simply an accident. In fact, we at SUI argue that information being disseminated to the wrong party typically happens without any criminal intent; rather, the reasons for most occurrences are ignorance (the person was not aware they were divulging the inappropriate information) or accident (the person did not wilfully intend to cause a security breach).

We have found that in the case of an ignorant breach, where the person isn’t aware they are divulging sensitive information, the cure is quite simple and effective: mandatory, repeated education for all staff on the governance standards of the firm, including straightforward rules for handling the firm’s and the investor’s private information.

Financial firms do provide excellent repetitive instruction to members in senior positions; however, there is a real need for a regular and repeatable compliance program for all staff when it comes to privacy of information and the consequences to the firm when private and privileged information is inadequately protected.

Of course, as freedom of information becomes more abundant, we will be forever debating whether it is this very access to information that is in fact causing us to restrict our path to information. For example, how do you view the dissemination of information by WikiLeaks: do you agree that under the freedom of information rules everything is accessible, or was the dissemination of information by WikiLeaks to foreign governments an illegal breach in security? Julian Assange writes, "The Internet, our greatest tool for emancipation, has been transformed into the most dangerous facilitator of totalitarianism we have ever seen".

Case #2


How do we ensure any breach is brought to the attention of the correct authorities as soon as possible so it can be dealt with effectively?

This is a real conundrum in the financial industry. That is, if there is a security breach, it is incumbent on the firm to establish immediate and tight controls in order to deal with the obvious outcry that will occur when the event is made public – with their staff, executives and board members, and with their clients and regulators.

And here’s the rub. By the very nature of our business, the financial community does not share its information readily. The securities industry’s success is founded on two emotional responses, the greed and the fear of the investing public; and capital markets firms themselves like to promote their image as sound, strong and profitable. Therefore the concept of divulging information which makes a firm look weak or inept is not appealing.

How do we change this so that effective measures can be put in place to deal with a breach in security that must be made public? How do we get our firms to embrace the fact that we live in a cyber-age, in which information can be breached quickly and disseminated to outside parties even more quickly? How do we engender a style of leadership that places integrity first and foremost, putting the onus on disclosing the event rather than focusing on the ‘image impact’ of the event itself?

[NOTE: Regulation in Canada pertaining to notification of breach:

a. Federal

Bill S-4, the Digital Privacy Act, was passed by Parliament and received royal assent in June 2015. The Act makes several important amendments to PIPEDA, including new mandatory breach reporting requirements for organizations and enhanced enforcement powers for the Privacy Commissioner of Canada. It is important to note that some of the amendments have not yet come into force.

b. Provincial

Alberta, B.C. and Québec have also enacted comprehensive private sector privacy legislation, entitled the Personal Information Protection Act (PIPA) in Alberta and B.C., and An Act respecting the protection of personal information in the private sector (Québec Privacy Act) in Québec.]

SUI recommends spending less time trying to close the door after the horse has bolted and instead move to a proactive security model. 

This is not easily done, as demonstrated in the following two very public cases, at Citigroup and at IIROC, each involving a serious breach with loss of sensitive client information and a lack of alacrity in disclosing the breach to the appropriate authorities and the general public.

The State of California was one of the first in the US to see the enormity of the issue of personal data information security and took steps in 2005, making it a legal requirement for companies to publicly disclose loss of personal data information.

One of the most public cases of security breach involved one of the largest financial companies in the world: Citigroup. It lost personal data on 3.9 million people. The data was on a set of backup tapes that were sent by a package delivery service from point A and never arrived at point B. It was a huge loss, and even though it was unlikely that any bad guys got their hands on the data, it had profound effects, resulting in subsequent legislation on the management of personal data and the policies and procedures that govern it. It also contributed to the public’s loss of confidence in Citigroup, to the point where the company’s share price was affected.

In another example, the Investment Industry Regulatory Organization of Canada (IIROC) had a security breach that resulted in the loss of data on some 52,000 clients of 32 investment firms. It later admitted not only that it had lost the client information it routinely collects from investment firms as part of its regular compliance reviews, but, more importantly, that the information had not been encrypted. Also, while the event had occurred in February, there was no disclosure until April.

IIROC, which oversees the capital markets in Canada and was viewed at the time by the industry as having enacted many costly compliance rules governing the investment industry, was seen by that same industry as not playing by its own rule book in the management of its data or of this security breach. Not only had the information been lost, it had also not been encrypted. There was much industry and public criticism of the amount of time it took IIROC to disclose the event, and the resulting outcry was loud and clear when the event was made public, with a loss of confidence in the organization and its leader.

Incidents such as these show that even though large financial institutions spend vast amounts of money on information security, there are still gaps. All organizations should take and maintain inventories of all the assets on their network and should assess the risks that different classes of assets face. They should also ensure all employees are adequately trained in security awareness, since they are on the front line and can help spot potential vulnerabilities before they become a major problem.


Our findings recommend that employers be more proactive and protect themselves by:

  • Doing more to educate employees.
  • Enforcing non-disclosure agreements, which should include, in checklist form, a description of the information that departing employees may and may not take with them.
  • Using technology to monitor where corporate data is going and how it is leaving, and to notify managers and employees when sensitive information is inappropriately sent or copied.
  • If employees want to secure some rights over their work, they should negotiate this with their employers up-front.
  • Ensuring employees understand what their employment contracts and the policies and procedures of the firm require of them with respect to confidentiality. Additionally, employees who want to maintain control over their social media, such as blogs and Twitter accounts, should do so in their own name and on their own computer wherever possible.

No financial institution can afford to be complacent, because any organization can be the victim of a costly security breach, regardless of its size. Security is too important not to be given due consideration, and the threats against the financial sector look like they will only continue to escalate.

Please email SUI at for information on our ‘Cyber Security Program’ or on any of our over 155 certificate courses and industry professional designations.
