Canada: IIROC Adopts Rules Regarding Mandatory Reporting Of Cybersecurity Incidents

In November 2019, the Investment Industry Regulatory Organization of Canada (IIROC) announced amendments to its Dealer Member Rules and IIROC Dealer Member Plain Language Rule Book to require that dealers report any cybersecurity incidents to IIROC within three days of discovery.

Under the amendments, a “cybersecurity incident” is defined to include “any act to gain unauthorized access to, disrupt or misuse a Dealer Member’s information system, or information stored on such information system, that has resulted in, or has a reasonable likelihood of resulting in:

  1. substantial harm to any person,
  2. a material impact on any part of the normal operations of the Dealer Member,
  3. invoking the Dealer Member’s business continuity plan or disaster recovery plan, or
  4. the Dealer Member being required under any applicable laws to provide notice to any government body, securities regulatory authority or other self-regulatory organization.”

The amendments require that the report to IIROC include such information as the date and description of the cybersecurity incident, as well as a preliminary assessment of the risk of harm. Further, within 30 days of the incident, dealers must provide IIROC with a follow-up report that includes information such as an assessment of the scope of the incident, details of the steps taken to remediate any harm, and actions planned to improve cybersecurity preparedness.

The amendments went into effect on November 14, 2019. For more information, see IIROC Notice 19-0194.