Protection of data and personal information

For guidance on personal information protection and cybersecurity in the distribution of financial products and services, registrants (firms, independent partnerships and independent representatives) can refer to the Governance and Compliance Guide (pdf - 25 MB, updated on June 1, 2021) for registrants under the Act respecting the distribution of financial products and services (specifically sections 4.9 and 6.2).

This guide is intended to make registrants aware of their obligations and the AMF’s expectations regarding personal information protection, particularly with respect to the keeping of client records and access to those records by natural persons.

Registrants’ representatives must also comply with the confidentiality obligations set out in their respective codes of ethics. Under the Act respecting the distribution of financial products and services, their ethical conduct is overseen by either the Chambre de la sécurité financière or the Chambre de l’assurance de dommages.

Last spring, the AMF published the Regulation respecting Alternative Distribution Methods (pdf - 208 KB, updated on April 8, 2020), which governs the sale of insurance over the Internet. Section 13 of the Regulation requires firms and independent partnerships carrying on this type of activity to “ensure that the information provided by the client is collected, used, delivered and kept in a manner that ensures its confidentiality and security.”

Cybersecurity

The types of computer services used by registrants can have an impact on their cyber-risk exposure. Services such as remote access to computer systems, electronic delivery of documents or development of online platforms for the offering of products and services increase the attack surface and must be sufficiently secure to enable registrants to properly manage this risk.

The obligations and expectations that apply to registrants are set out in section 6.2 of the Governance and Compliance Guide (pdf - 25 MB, updated on June 1, 2021) for registrants under the Act respecting the distribution of financial products and services. This section also lists additional references that are available regarding cybersecurity good practices, relationships with third parties and incident disclosure.

Insight

How to prevent cyberattacks and detect cyber threats

  • Attend cybersecurity training sessions
  • Make sure software and applications are continually updated
  • Strengthen the security of WiFi network connections, including through the use of a virtual private network (VPN)
  • Don’t click on hyperlinks contained in e-mails or text messages from unknown or unexpected senders or on unknown websites
  • Don’t download attachments from e-mails or text messages from unknown or unexpected sources
  • Keep off-line data backups available

The AMF wishes to stress the importance of applying an adequate business continuity plan and of storing backup data that can be used in the event of a service disruption.


Relationships with third parties and outsourcing

Registrants should also attend to cybersecurity issues in their relationships with third parties, particularly when outsourcing certain activities such as the use of cloud storage space and the application of compliance automation tools in new technology-based business models. In such situations, registrants should be aware of the risks associated with the service providers they use.

Incident disclosure

Firms and independent partnerships should prepare a business continuity and cyber incident response plan in case of a cyberattack or systems failure, including a process for the timely reporting of an incident to senior management and its disclosure to persons likely to suffer injury as a result of the incident. This plan should be reviewed periodically and disseminated to personnel.