On November 14, the Investment Industry Regulatory Organization of Canada (IIROC) announced that the Canadian Securities Administrators (CSA) had approved amendments to IIROC’s rules to require mandatory reporting of cybersecurity incidents by its dealer members. Although the amendments apply only to IIROC member firms, we think other registrants should take note of this regulatory trend.

You might wish to read IIROC’s notice in conjunction with the guidance published by the Canadian Securities Administrators in Staff Notice 33-321 Cybersecurity and Social Media, which we wrote about in our October 2017 bulletin, and the Cyber Security Incident Reporting Guidelines released by the Office of the Superintendent of Financial Institutions, which we wrote about in March 2019. Regulators are taking very seriously the increasing sophistication, frequency and persistence of cybersecurity threats, and we wouldn’t be surprised to see the CSA incorporate elements of IIROC’s incident reporting regime into the Canadian securities regulatory framework soon.