The Canadian Investment Regulatory Organization’s (CIRO) data breach has triggered a predictable debate about who should pay for it. The answer is simple — CIRO members will pay because the industry pays for the cost of regulation. The real question is not who but how — and whether those costs are managed in a way that protects investors, respects CIRO’s public interest mandate and avoids unnecessary disruption to CIRO member firms.
Cybersecurity incidents are a recognized form of operational risk. Every organization, including regulators, maintains enterprise risk management frameworks designed to identify, mitigate and manage such risks. But cybersecurity risks cannot be eliminated entirely.
In a digital environment, data breaches have become an inherent cost of doing business. Even though they are infrequent and the associated costs can be significant, costs related to a cyber breach are still operating costs.
The op-ed — Who will pay for CIRO’s data breach? — provides speculative estimates of what the data breach might cost, drawing comparisons to high-profile incidents at other financial institutions. These figures are, at best, educated guesses.
In any event, they are irrelevant. The financial impact of a cyber incident can vary widely depending on such things as the nature of the breach, the systems and data affected, the scope of insurance coverage and remediation strategies. What is relevant is how much the breach will actually cost CIRO. It is entirely appropriate for CIRO members to ask that question and for CIRO to answer it transparently, based on facts rather than conjecture.
These costs will not materialize all at once. In practice, these expenses are incurred over time, which allows CIRO the opportunity to assess actual impacts, access insurance coverage, project future expenditures and incorporate those costs into its operating reserve strategy and future budgets over multiple periods.
This is precisely why regulators maintain operating reserves — to absorb unexpected operational expenses. Treating speculative cost estimates as justification for immediately accessing externally restricted funds conflates uncertainty with urgency. CIRO has both the time and the financial tools to manage breach-related costs responsibly without compromising compliance with its recognition orders or public interest mandate.
It is also crucial that CIRO not attempt to offset cybersecurity costs by scaling back core regulatory activities. While CIRO should consider postponing non-essential or lower-priority initiatives, scaling back core regulatory functions will compromise investor protection and run counter to its regulatory mandate.
Recognition orders are clear
The op-ed suggests that CIRO should use its externally restricted fund — a $25-million pool dedicated to investor and public interest initiatives — to cover the costs of the data breach. Notably, it makes no mention of CIRO’s $106-million unrestricted fund, which functions as an operating reserve intended precisely for unplanned or unexpected operational expenses.
CIRO’s recognition orders expressly prohibit the use of externally restricted funds to pay for CIRO’s operational costs. Those funds are earmarked for public interest purposes, including initiatives to address emerging regulatory risks, investor education and research, whistleblower programs, support for non-profit investor protection organizations, investor-focused internal functions such as CIRO’s Investor Office or other public interest purposes subject to approval by the Canadian Securities Administrators (CSA). Using restricted funds to pay for a cybersecurity breach would require explicit CSA approval and a compelling case for why it is in the public interest.
The op-ed argues that using the restricted fund would be in the public interest because investors will ultimately bear the cost and because it is “unjust” for the industry to pay. That rationale misunderstands what the “public interest” means.
The public interest is about protecting investors, ensuring fair and efficient capital markets, maintaining market integrity, preventing systemic risk and fostering confidence in the financial system.
The claim that investors ultimately pay for regulatory costs is also only partly true. As the op-ed author knows from her time working at an industry trade association, while investors may indirectly pay for some regulatory costs, CIRO members earn revenue from a wide range of activities, not just from clients.
That means that CIRO members, not investors, would benefit the most from using the externally restricted funds. Framing this as an investor protection measure obscures who the real beneficiaries are.
And when it comes to the claim that it would be “unjust” to require the industry to bear these costs, it is hard, as an investor advocate, to listen to industry complaints about fairness. Fairness claims from CIRO members ring hollow considering the recent CSA/CIRO report documenting widespread noncompliance with client-focused reforms — reforms expressly intended to ensure that CIRO members put their clients’ interests first.
Against that backdrop, the industry is not standing on particularly solid ground to argue that the best “public interest” use of the externally restricted funds is to pay for the data breach to reduce their fees. That said, it doesn’t mean CIRO members shouldn’t be upset. They should be. On this point, CIRO members and investors agree.
Accountability is key
The industry’s recourse is not to use funds for investor or public interest initiatives. It is to demand accountability. That means pressing CIRO to have stronger cybersecurity practices, demanding better oversight of CIRO by the CSA, and insisting any governance failures be addressed and those responsible be held accountable.
If CIRO, however, caves to industry pressure and asks the CSA to approve using externally restricted funds for the data breach, then the self-regulatory model must be reconsidered. An SRO that cannot protect funds dedicated for investor and public interest initiatives from such blatant industry self-interest needs to hand the keys back to the CSA — because at that point, it has ceased functioning in the public interest.