The Investment Industry Regulatory Organization of Canada (IIROC) on Thursday proposed rule amendments that would require mandatory reporting of cybersecurity incidents by investment dealers.
The proposals introduce the obligation to report cyber incidents to IIROC immediately, and to provide a more comprehensive report on the incident within 30 days.
They also spell out the information that dealers must provide in these reports.
IIROC is proposing the new requirements due to the increasing frequency and sophistication of cyber attacks and the fact that information sharing is essential for mitigating cyber threats, the regulator says in a notice.
“We expect dealers will benefit from the prompt reporting of cybersecurity incidents,” the notice says.
“When IIROC receives notice of an incident it can move quickly to assist the affected dealer(s) and, when necessary, inform other dealers of current cyber threats, thereby helping to manage the impact on dealers as well as investors,” it continues.
The proposals are out for comment until May 22. In the meantime, IIROC is asking dealers to voluntarily report breaches.