
In its 2026 compliance report on Tuesday, the Canadian Investment Regulatory Organization (CIRO) reminded dealers about the importance of cybersecurity training, establishing detailed policies related to the client-focused reforms, and complying with registration requirements.

The annual compliance report helps dealers comply with their regulatory requirements as they establish policies and procedures for their particular business models.

This year’s report addresses, among other items, the management of emerging technology risks, including cybersecurity and AI.

“Cybersecurity continues to be a key business risk for all dealers” due to its potential impact on operations, the report says, noting CIRO’s cybersecurity breach last August.

In 2026, the regulator will conduct a cybersecurity table-top exercise, similar to previous years, to help firms “identify emerging cyber and operational risks, learn best practices for managing evolving threats, and incorporate lessons learned from CIRO’s own recent incident,” the report says.

The report emphasizes the need for continuous cybersecurity training for staff.

“While many dealers have implemented effective preventative and detective measures, inadequate training can make staff the weakest link in cybersecurity defence,” the report says. “We have seen instances where employees have fallen victim to phishing attempts, allowing unauthorized access to dealer systems.”

CIRO’s cyberbreach was the result of staff falling prey to phishing.

“Continuous training for all staff is highly recommended to enhance awareness and reduce vulnerability to these attacks, with the implementation of multi-factor authentication as a second layer of protection,” the report says.

To the extent that dealers use AI in their operations, CIRO will be reviewing the associated operational controls related to that use, as part of the regulator’s financial and operations compliance exams, the report says.

Related to conduct and supervision, the report encourages dealers to review the findings of the recent client-focused reforms (CFRs) sweep, related to know your client, know your product and suitability. The “most common deficiency identified” was a failure to have policies and procedures that are tailored to the firm’s business model and that are “detailed and actionable,” the report says.

“Policies and procedures that simply reiterate the principles-based rules, without providing any additional detail regarding specific processes the firm has implemented, are inadequate,” the report says. CIRO is developing additional guidance regarding CFR deficiencies, it says.

The report also summarizes observations from recent compliance exams that may impact the effectiveness of dealers’ compliance systems. These include gaps in supervisory practices, such as inadequate review of outside activities and the assessment of those activities for potential conflicts, as well as insufficient identification of client communications through non-approved channels.

“Dealers should implement a robust process for reviewing outside business activities, including assessing them for potential conflicts of interest,” the report says. “They should enforce strict controls over approved communication channels and deploy monitoring tools to detect any use of non-approved platforms.”

Gaps were also found in identifying and managing conflicts. For example, conflicts may have been reviewed in dealers’ internal registries but adequate disclosure to clients wasn’t provided.

Dealers should “maintain written procedures for identifying, addressing and disclosing conflicts of interest, ensuring that these policies remain current and accurately reflect the dealer’s business practices and operational realities,” the report says.

Among the regulator’s reminders related to registration, the report noted common deficiencies in filing, such as registrants filing incorrect information in the “legal name” field of Form 33-109F4.

“Filing incorrect information in this field (e.g., short forms and anglicized names) will result in [registration] delays, as new background checks may need to be conducted,” the report says.

The report also noted that the regulator continues to work toward a harmonized program for continuing education (CE). “Over the course of the next few months, we will publish our proposed phase 2 amendments” for CE harmonization, the report says.