In an effort to further strengthen and support investment dealers in the management of cyber risks, the Investment Industry Regulatory Organization of Canada (IIROC) says it will soon publish for comment proposed amendments to its rules requiring mandatory reporting of certain cybersecurity incidents.
Prompt reporting will enable IIROC to help both the affected firm, and the rest of the industry, guard against attacks, the self-regulatory organization says in a notice.
Reporting will also allow IIROC to collect data that enables it to evaluate trends on cybersecurity.
“Cyber attacks have been increasing in number and sophistication. In particular, there is a general increase in ransomware attacks, likely due to the ‘commoditization’ of tools making it easier for less sophisticated attackers to use them,” the notice says.
“Active management of cyber risk is critical to the stability of IIROC [dealers], the integrity of capital markets and the protection of investors,” it continues.
While IIROC works on the amendments, it asks dealers to voluntarily report cybersecurity incidents to it.