Advisor exams uncover cybersecurity deficiencies: NASAA

Investment dealers must now report cybersecurity breaches to regulators within three days, under new requirements designed to enhance the investment industry’s cyber defences.

The Investment Industry Regulatory Organization of Canada (IIROC) has adopted rule changes that introduce mandatory cybersecurity reporting requirements for all IIROC-regulated firms.

Effective immediately, firms must report cybersecurity incidents within three days and provide the regulator with a detailed incident report within 30 days.

In a notice detailing the new requirements, IIROC noted that “cyber risks have continued to evolve and present a more urgent threat of harm to investors, market participants and dealers.”

At the same time, it said that “dealers are increasing their collection of data and reliance on complex information systems. This development highlights the importance of timely information sharing to mitigate cyber risk.”

The self-regulatory organization said that the new reporting requirements will enable it to “better support firms experiencing an incident and to alert other firms to known issues and potential risks.”

IIROC first proposed mandatory reporting in April 2018, and has since revised its initial proposal to clarify the differences between the two required reports (within three and 30 days) and to provide assurance that information about cyber incidents will be shared anonymously.

“Mandatory reporting of cybersecurity incidents will allow IIROC to analyze the information received for any trends, insights or intelligence,” said Irene Winel, senior vice president, member regulation and strategy, at IIROC.

“This reporting will help us to improve the industry’s cybersecurity preparedness and protect the integrity of Canada’s capital markets, thereby contributing to investors’ confidence in the industry,” she said.