Regulators are demanding reforms from Quebec financial giant the Fédération des caisses Desjardins du Québec, following the largest-ever privacy breach at a Canadian financial institution.

The Autorité des marchés financiers (AMF) issued an order requiring Desjardins to take a series of corrective measures and adopt robust internal controls “to effectively mitigate the risk of operational incidents, including those related to privacy, and to comply with its legal obligation to apply sound and prudent management practices.”

The order follows the AMF’s review of a security breach at the firm that was revealed in June 2019, which found that Desjardins “had failed to comply with its legal obligation to apply sound and prudent management practices, which increased the odds of such an incident occurring.”

The breach, which was carried out by a “malicious employee,” compromised the personal information of up to 9.7 million Canadians.

Among other things, the AMF said that, at the time of the incident, the firm had only partially adopted certain recommendations that were made as part of the AMF’s supervisory efforts, “contrary to what had been indicated in some of the progress reports provided by Desjardins Group.”

It also said the firm “failed in its obligation to apply sound and prudent management practices … despite the many related findings and recommendations that had been issued by the AMF and Desjardins Group’s internal auditors.”

The regulator said all of Desjardins’ three lines of defence — operational management, oversight functions and internal audit — had “significant deficiencies,” and that they failed to carefully coordinate their work to identify and address the full range of risks faced by the firm.

As a result, it concluded that members of the firm’s senior management, its board and some of its statutory committees “failed in their obligation to act with prudence and diligence” by not implementing adequate controls and not properly overseeing action on the recommendations from the AMF and its own internal auditors.

The AMF acknowledged that Desjardins has taken steps to beef up its cybersecurity and internal controls, but said that more needs to be done.

While the company’s voluntary efforts are an “undeniable improvement,” the AMF said “further measures are needed” to ensure that the firm fully meets its requirements and adopts best practices for systemically important financial institutions.

“Desjardins Group has therefore developed plans to strengthen its management and sound governance practices and properly manage information security and privacy risks,” the AMF said.

In a release, Desjardins said it has reviewed the orders from the AMF and the Commission d’accès à l’information du Québec, along with a report from the Office of the Privacy Commissioner of Canada (OPC), and that “over the last year it has developed strategies that are in line with their recommendations.”

“These strategies have already been implemented or are being implemented right now,” the firm said.

The OPC report, which was also released on Monday, concluded that the firm violated federal privacy legislation principles, and it also set out reform recommendations.

The AMF’s order was issued based on its powers under the province’s legislation governing financial cooperatives, which doesn’t allow for financial penalties to be imposed.

However, the regulator noted the legislation allows for a $10,000 penalty for each day of non-compliance.