Information Barrier / Firewall: How to Control Confidential and MNPI in Your Firm
A practical primer on implementing information barriers (firewalls) to prevent unauthorized flows of confidential and material non-public information (MNPI). Covers layered controls—governance, people/process, physical and technical measures—grey vs restricted lists, recordkeeping and testing to meet regulatory expectations.
Introduction
You work in a firm that handles sensitive deal information. One misplaced email, an untimely conversation or an employee move can expose confidential details and trigger insider-trading risk. An information barrier / firewall is the practical way firms stop those risks in their tracks.
Information barrier / Firewall: "Policies, procedures and structural or technical measures designed to prevent unauthorized internal flows of confidential or material non‑public information."
This article explains the purpose and methods of controlling information so you can recognise layered containment programs, apply grey and restricted list rules, and understand how governance, people, physical and technical controls must work together to satisfy regulators like CIRO and provincial securities authorities.
Core Concepts (Recall)
- Layered containment is essential: governance, people/process, physical, technical and recordkeeping/supervision.
- Grey list (watch list) vs restricted list — different purpose: grey = monitoring; restricted = trading prohibition.
- Maintain contemporaneous, auditable records for list entries, removals, "brought over the wall" events, training and investigations.
- Controls combine preventive, detective and corrective measures and must be periodically tested and aligned with cybersecurity baselines (e.g., ITSG-33 Annex 3A).
- Scale controls to firm size: manual logs and supervision for smaller advisers; automated RBAC, DLP and integrated surveillance for large dealers.
Detailed Analysis (Understand the "Why" and "How")
Why control information? Because material non-public information (MNPI) can enable insider trading and conflicts, harm clients and damage a firm's reputation. Firms must ensure MNPI known to one part of a firm does not "contaminate" other parts where trading or advice occurs.
How a robust containment program is built:
- Governance oversight: Board or senior management responsibility, clear policies, documented escalation paths and predefined adjudication processes.
- People & process measures: segregated reporting lines, role boundaries, confidentiality undertakings, mandatory training, trade preclearance, documented "brought over the wall" procedures and cooling-off periods.
- Physical controls: separate offices/floors for sensitive teams, secure meeting rooms, locked hardcopy storage and visitor logs.
- Technical controls: least‑privilege role‑based access (RBAC), segmented IT environments, encrypted data rooms, data-loss prevention (DLP) tools and privileged-access logging.
- Recordkeeping & supervision: contemporaneous records (access logs, distribution lists, timestamped authorisations) and integrated surveillance to make controls auditable for regulators.
Regulatory expectations (CIRO, OSC, CSA) are clear: firewalls reduce but do not eliminate risk. Controls must be layered, documented, tested and remediated promptly when gaps appear. Technical measures must integrate with broader IT risk management frameworks (refer to ITSG-33 Annex 3A for security control alignment).
Definitions you must know (exact terms used in guidance):
- Grey list (watch list): A confidential list of issuers for which the firm has, or reasonably expects to have, confidential information; used primarily to intensify surveillance.
- Restricted list: A list of issuers where a current firm engagement creates operational prohibitions or restrictions on trading until the MNPI risk ends.
- Brought over the wall: The documented process and controls applied when an employee with prior access to MNPI moves into a previously insulated role.
- Material non-public information (MNPI): Information not generally available to the public that a reasonable investor would consider important in making an investment decision.
- Least privilege: Security principle granting individuals only the access necessary to perform their job.
- Adjudication process: A predefined internal procedure for reviewing and granting or denying exceptions to trading prohibitions or containment measures.
Practical Application — Real-world scenarios for professionals
- Takeover advisory team: Place the deal team in a secure, named data room, block distribution lists from crossing business units and prohibit the deal team from engaging with sales or research until public disclosure. Result: MNPI is contained and trading desks are insulated.
- Early due diligence (grey list): Add the issuer to the grey list, increase surveillance intensity and record the reason and expected duration. If unusual pre-announcement volume is detected, freeze implicated accounts pending investigation.
- Employee move ("brought over the wall"): Document who moved, when and what MNPI was involved; apply temporary trading restrictions or supervision, define the cooling-off period, obtain clearances and retain all records of decisions and exceptions.
- Suspected pre-announcement trading spike: Automatically preserve logs and records, temporarily suspend implicated trading, lock relevant files, conduct a rapid forensic review, escalate to senior management and notify regulators if required.
Practical tip: Document every step. When adding to grey/restricted lists, record the supporting facts, authoriser, timestamp, distribution controls and review date. Integrate list entries with trade surveillance in real time so lists function as containment tools, not informal notes.
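As an added illustration (not code from the article or from any regulator's guidance), the following Python sketch records grey and restricted list entries with the fields the tip calls for (supporting facts, authoriser, timestamp, review date) and consults them from a pre-trade check, so a grey entry flags an order for surveillance while a restricted entry blocks it. The issuer symbols, names and reasons used in the test are constructed sample values; a production system would persist the audit trail to tamper-evident storage rather than an in-memory list.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class ListEntry:
    issuer: str          # issuer identifier (constructed sample values in use below)
    list_type: str       # "grey" (intensify surveillance) or "restricted" (prohibit trading)
    reason: str          # supporting facts for the entry
    authoriser: str      # who approved the entry
    added_at: str        # ISO timestamp, recorded contemporaneously
    review_date: str     # date by which the entry must be reconsidered
    removed_at: str = "" # empty while the entry is still active

class ListRegister:
    """Grey/restricted register with an append-only audit trail (hypothetical helper)."""
    def __init__(self):
        self.entries = []
        self.audit = []

    def _log(self, event, **details):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append({"ts": stamp, "event": event, **details})

    def add(self, issuer, list_type, reason, authoriser, review_date):
        if list_type not in ("grey", "restricted"):
            raise ValueError("list_type must be 'grey' or 'restricted'")
        entry = ListEntry(issuer, list_type, reason, authoriser,
                          datetime.now(timezone.utc).isoformat(), review_date)
        self.entries.append(entry)
        self._log("list_add", issuer=issuer, list_type=list_type, reason=reason, authoriser=authoriser, review_date=review_date)
        return entry

    def remove(self, issuer, list_type, authoriser, reason):
        # Removal is itself a recorded decision, never a silent deletion
        for e in self.entries:
            if e.issuer == issuer and e.list_type == list_type and not e.removed_at:
                e.removed_at = datetime.now(timezone.utc).isoformat()
                self._log("list_remove", issuer=issuer, list_type=list_type, authoriser=authoriser, reason=reason)

    def active_lists(self, issuer):
        return {e.list_type for e in self.entries if e.issuer == issuer and not e.removed_at}

    def pre_trade_check(self, issuer, trader, side, qty):
        """Restricted list blocks the order; grey list allows it but flags it for surveillance."""
        lists = self.active_lists(issuer)
        decision = "BLOCK" if "restricted" in lists else "FLAG" if "grey" in lists else "ALLOW"
        self._log("pre_trade", issuer=issuer, trader=trader, side=side, qty=qty, decision=decision)
        return decision
```

Every list change and every check lands in `audit`, which is the record an examiner would ask to see alongside the list itself.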
Key Takeaways
- An information barrier / firewall is a layered program of governance, people/process, physical and technical controls with auditable recordkeeping.
- Grey lists intensify surveillance; restricted lists create trading prohibitions — don’t confuse them.
- Preventive, detective and corrective controls must be tested, documented and scaled to your firm’s size.
- Maintain contemporaneous records (list entries, removals, brought-over-the-wall events, training and investigations) to satisfy CIRO, OSC and other regulatory reviews.
Get this right and you reduce insider-trading risk, protect clients and demonstrate to regulators that your controls actually work.