On June 24, the Investment Industry Regulatory Organization of Canada (IIROC) published an education notice on cybersecurity recommending risk management practices related to cloud services and Application Programming Interfaces (APIs).
The Notice provides guidance on some technology and cybersecurity controls firms should consider.
1. For controls related to the deployment and management of the cloud environment, firms should:
Implement secure authentication methods
Understand clear roles and responsibilities
Ensure an effective user onboarding and offboarding process
Assess the cloud service provider
Monitor the cloud environment
2. For controls related to APIs, firms should:
Review data flows and processes
Use strong authentication and encryption methods
Consider solutions to detect brute force and distributed denial of service (DDoS) attacks
Review API designs and changes
The IIROC education notice can be found here: