IIROC requires mandatory reporting of cybersecurity incidents at firms
TORONTO — The Investment Industry Regulatory Organization of Canada is now requiring the mandatory reporting of any cybersecurity incidents that occur at the investment firms it regulates.

Under the new rules, firms must report any cybersecurity incident to the industry regulator in two stages.

In the first stage, firms have three days to provide a preliminary description of the incident and steps taken.

The second stage allows firms 30 days to provide a detailed investigation report, outlining the cause and scope of the issue, and steps taken to mitigate the risk of harm to investors and to the firm.

IIROC says the mandatory reporting will allow it to analyze the information received for any trends, insights or intelligence and help improve the industry’s cybersecurity preparedness.

IIROC is the self-regulatory organization that oversees investment dealers and their trading activity in Canada’s debt and equity markets.

Earlier this week, the Bank of Canada’s chief operating officer said government bodies and the private sector need more ways to share information about cybersecurity threats.