Regulator announces mandatory reporting of cybersecurity incidents

By The IJ Staff | November 15 2019 12:06PM

Photo: Photo: Freepik

Effective immediately, all Investment Industry Regulatory Organization of Canada (IIROC) regulated firms are required to report cybersecurity incidents that they have encountered in two stages.

“Within three days, firms must provide a preliminary description of the incident and steps taken,” said the regulator in a statement issued Nov. 14. “Within 30 days, firms must provide a detailed investigation report, outlining the cause and scope of the issue, and steps taken to mitigate the risk of harm to investors and to the firm.”

IIROC first published these amendments to its rules as a request for comment in April 2018. Following a public consultation period, they were approved by the Canadian Securities Administrators.

Will improve cybersecurity preparedness

"Mandatory reporting of cybersecurity incidents will allow IIROC to analyze the information received for any trends, insights or intelligence," says Irene Winel, IIROC’s senior vice-president, member regulation and strategy. "This reporting will help us to improve the industry's cybersecurity preparedness and protect the integrity of Canada's capital markets, thereby contributing to investors' confidence in the industry."

Related to the same topic …