Back to Blogs

How SideDrawer Helps IIROC Firms Achieve Effective Information Management

The Investment Industry Regulatory Organization of Canada (IIROC) is the main regulator in Canada that governs and monitors investment firms in the country. IIROC firms often struggle when it comes to information and data management, simply due to the massive volume of data associated with investment firms in Canada.

In this guide, we’ll break down how SideDrawer can better assist financial advisors, financial planners, and IIROC firm professionals better manage their data.

How SideDrawer Helps IIROC Firms Achieve Effective Information Management

 There are a number of baseline controls involved in information collection, creation, process, storage, and disposal in the context of IIROC information management. There is also a wide range of technology risks involved in developing such controls, particularly when it comes to data that is considered essential and confidential.


Inventory management is extremely important for IIROC firms. It’s vital to ensure that there is no confidential, sensitive, or private data that is unprotected. For investment firms, it’s vital that one’s inventory is in compliance with Canadian privacy legislation established and enforced by the IIROC. 


Information inventory management involves properly identifying each and every interaction with confidential and essential data, as well as where that data is kept.

Recommended Control

There are a number of recommended controls for handling information inventory the proper way:


  • Take the time to trace and map out each data touchpoints within the firm, such as where data is collected, created, used, stored, processed, etc.
  • Develop a strategy for handling documents, privacy inquiries, and complaints.
  • Create and manage a log that details where various types of data are stored within the firm. For example: Database locations, server locations, cloud-based data centers, folders shared amongst users, hardware drives, printed paper files, etc.
  • Ensure that all sensitive or confidential information is handled in a way that complies with privacy regulations in Canadian legislation. This includes communicating clearing with clients on what the information will be used for, how it will be processed, and where it will be stored. Consent, depending on the nature of the information, is usually required by law.

If a firm is only using email accounts or basic cloud storage services, there are many opportunities for privacy to be violated. Even with somewhat secure private email systems, there is still an opportunity for data and information exchanged between firms and clients for the purpose of obtaining documents or consent to be violated or exposed to potential hackers. Since we’re dealing with financials in the investment world, the results could be catastrophic. 

SideDrawer provides an all-in-one platform for information management, communications between firms and clients, and the exchange of sensitive documents with top-tier security measures that email simply can’t match.

Access Management


Access management is vital for investment and IIROC firms because it is the first line of defence against a data breach. This is because a user’s login credentials, which can be very vulnerable, are the focus of access management. A proper access management strategy is also necessary to limit the overall impact of breach as a result of compromised login credentials, be it accidental or very much intentional.


Investment firms must restrict access to data based on the Principle of Least Privilege (PoLP), a simple and very common framework for restricting or limiting user access to certain levels of information. To put it simply, access to technology and data within the firm should be limited only to those who are performing the task.

Recommended Control

Among investment firms, there are a number of controls recommended for preventing access abuse:

  • Build user hierarchies across the entirety of the firm.
  • Control who can access certain levels of information by applying privileges and monitoring user accounts on a regular basis.
  • Establish administrator accounts and keep those accounts as exclusive as possible.
  • Enforce strong password policies, such as generation complexity, a limit of login attempts, etc.
  • Regularly verify the authenticity of user logins.
  • Always encrypt data files that store new and old passwords.

Much of access management involves using the right technology to limit access to the firm’s system. SideDrawer’s entire framework is based on the highest level of security. With little more than a few clicks, SideDrawer users can determine who can create an account, how much information that account can access, and encrypt that account for the maximum level of security. Few financial management systems offer such a high level of security protocol, and SideDrawer makes the process of setting up an employee or client account as easy and secure as possible.

Data Loss Prevention 

Data loss prevention is a major issue for all firms, not just those in the realm of investment, finance, or IIROC. Data loss prevention is very important for ensuring that sensitive and private data are treated as secure 24/7. Such processes and strategies also help firms secure private data as efficiently as possible with minimal impact on time, costs, and resources. It’s also extremely important for firms to be compliance with privacy regulations and to limit the damage of a potential data breach for the integrity of their business and clientele.


Effective data loss prevention strategies are the key to identifying and securing essential and private information in the context of investment firms 

Recommended Control

The controls recommended for data loss prevention are limited but effective. 

  • Create policies that identify and organize essential data for backup, retention, and recovery.
  • Regularly track how data travels in and out of the firm.
  • Create a data retention strategy.
  • Train employees and clients on how to securely handle their confidential information.

So much of traditional data loss prevention comes down to monitoring where and how that information moves. SideDrawer’s framework makes the management and monitoring of information very simple through the use of automation.