The August 2025 cybersecurity breach of data held by the Canadian Investment Regulatory Organization (CIRO) has created a multi-million-dollar dilemma. While CIRO acted quickly to contain the phishing attack, the sheer volume of data exposed — much of which should have been destroyed or anonymized years ago — has compromised the personal identifiers of 750,000 financial consumers, advisors, employees, retirees and others. The costs of forensic audits, legal fees, credit monitoring and IT upgrades are mounting.
Current estimates for bringing IT infrastructure up to code, plus breach-related expenses — the response to date plus future legal ramifications from class-action lawsuits — are around $100 million. (The Desjardins data breach affected 9.7 million clients and cost $300 million.)
While CIRO may recoup $20–$50 million from its errors and omissions and cybersecurity insurance, a big funding gap will remain.
Who should pay?
Fingers point to CIRO and CIRO’s board, the Canadian Securities Administrators (CSA) under whose aegis CIRO operates and provincial finance ministries that oversee securities commissions. Some also argue that the industry itself should shoulder the burden.
However, the industry is already paying for the breach.
First, dealers don’t know who is affected and must spend unbilled hours addressing the concerns of clients who may or may not have been affected. As well, it’s the advisor — not the regulator — who stands to lose client relationships.
Second, additional data protection regulation that will impact dealers is expected, with implementation and ongoing costs still a major unknown.
And third, as a not-for-profit, CIRO’s operating costs are already funded by those it regulates — mainly dealers and advisors. So they will already be paying for increased operating costs arising from CIRO upgrading its cybersecurity IT infrastructure and higher insurance premiums.
The punitive trickle-down
CIRO’s own communications have been very clear: receiving a data breach letter “does not mean that CIRO had concerns with you, your dealer or any of your advisors.”
Nevertheless, forcing the massive costs of this breach — from immediate response to potential lawsuit settlements — onto firms and advisors will inevitably cause collateral damage for the industry and public.
As these expenses trickle down, they will manifest as increased fees or reduced services for the very clients the regulator is meant to protect.
To penalize compliant dealers for a failure by the institution that sets the standards for conduct — and wields the threat of audit over them — is fundamentally unjust. To then ask retail investors to pay more for financial advice to cover a data breach that already victimized them is a mockery of the regulatory process. It is not just a financial misstep; it would be a direct breach of the regulator’s public-interest mandate.
CIRO’s Restricted Fund
There is a solution on CIRO’s balance sheet: the Restricted Fund. Currently totalling approximately $25 million, with $10 million added annually, this fund is composed of fines and settlements paid by rule-breakers. By law, its use is restricted to spending on “public interest” purposes: investor education, whistleblower programs, regulatory infrastructure and emerging regulatory issues that present significant unusual risks.
A systemic data breach affecting 750,000 people — stemming from regulator-mandated data collection — falls squarely under the heading of a high-risk infrastructure issue.
Using the fund to cover breach-related costs is the only way to achieve systemic fairness. It ensures that the financial well-being of compliant firms and advisors is not threatened by further data-breach-related fee hikes.
It is far simpler to draw from a fund built on the penalties of rule-breakers than to tax the compliant majority for a failure outside their control. With the addition of CIRO’s cybersecurity insurance, the fund’s current balance should cover known response costs, while insurance payouts and future penalties should be earmarked for class-action awards.
“We are intent on doing right by those who are personally affected,” said CIRO president and CEO Andrew Kriegler in a January media release. This commitment must include shielding investors from years of asset monitoring costs as well as ensuring advisors and dealers aren’t further penalized for the regulator’s mistake. CIRO leadership should seek immediate approval from the CSA to use the Restricted Fund for the public-interest purpose of absorbing this financial blow.
The CSA, for its part, should immediately approve using the Restricted Fund to cover these expenses. Doing so would help restore faith and confidence in a regulatory system currently strained by breach-related transparency concerns, response delays and inadequate post-breach protection.
CIRO and the CSA — both with duties to investors and market participants — should not allow a public-interest fund to sit idle while the public is forced to pay for a regulatory lapse. They should approve using the penalties of the few to protect the security of the many. Further delays in announcing a real solution will only add to uncertainty; and uncertainty would mean higher costs still.
Barb Amsden is a consumer advocate, author and founder of Executor Advocacy Canada (formerly AfterMatters).