Overview
IIROC has developed a cybersecurity self-assessment tool (self-assessment tool) primarily for small and medium-sized IIROC firms. The purpose of the self-assessment tool is to help IIROC firms identify areas of strength and weakness based on their information security practices. The scope encompasses most practices at IIROC firms that affect cybersecurity.
Background
Regular self-assessments are a critical component of a firm’s cybersecurity program. They help firms and organizations identify gaps and vulnerabilities in their cybersecurity controls and strengthen and enhance the overall cybersecurity posture and maturity of the firm.
IIROC required mandatory self-assessments of all our member firms in 2016 and again in 2018. The results provided both IIROC and the firms with useful information about the posture and maturity of firms and the industry. The results helped guide IIROC’s future responses and educational initiatives, and helped firms identify areas for improvement and enhancement.
Following the success of the past self-assessments and considering the importance of regular self-assessments, IIROC developed a free self-assessment tool to encourage IIROC firms to continuously evaluate and assess their cybersecurity posture.
We engaged Deloitte, who developed and facilitated the mandatory self-assessments in 2016 and 2018, to develop the new self-assessment tool. A working group of IT and security experts from small and medium-sized IIROC firms tested the tool and provided feedback to IIROC and Deloitte to help make the self-assessment tool relevant, easy to use, accessible, and useful for IIROC firms.
What framework is the self-assessment tool based on?
The self-assessment tool is based on the NIST Cybersecurity Framework version 1.1 and on Cybersecurity Maturity Model Certification (CMMC) 1.0 and parts of version 2.0. The easy-to-use questionnaire identifies capabilities that should be in place for various domains and will help firms highlight areas of weakness to improve upon.
What are IIROC’s expectations around the use of the self-assessment tool?
The use of the self-assessment tool is voluntary. However, given the ever-growing threat of cyberattacks and risk of cyber breaches, we strongly recommend that all firms conduct a cybersecurity self-assessment as often as needed but at least once every two years to assess their posture and maturity and identify any critical gaps.
How can I get the self-assessment tool?
The self-assessment tool is available to IIROC firms. The firm’s UDP, CFO or CCO can request a copy of the self-assessment tool from IIROC by filling out this form.
How do I complete the self-assessment tool?
These are the steps to follow:
What reporting or results will the self-assessment tool provide?
The results of the self-assessment will provide an indication of the relative risk associated with the collection of cybersecurity measures protecting the IIROC firm being assessed.
These results will be summarized in three main reports:
How can I get more information on how to use the self-assessment tool?
You can get further information on the self-assessment tool by