In November 2019, the Investment Industry Regulatory Organization of Canada (“IIROC”) released new mandatory reporting requirements for cybersecurity incidents, per IIROC Notice 19-0194.
What are the new requirements?
The Canadian Securities Administrators (“CSA”) approved amendments to the Dealer Member Rules and the IIROC Dealer Member Plain Language Rule Book (the “Amendments”), which result in an obligation for IIROC Dealer Members (“Dealer Members”) to submit two specific reports to IIROC after a cybersecurity incident:
- Dealer Members are first required to report to IIROC any cybersecurity incidents within three days of discovery of the incident. This report must include:
i) a description of the incident, ii) the date or time period, iii) a preliminary risk assessment, iv) a description of immediate response steps taken, and v) the name of an individual that can answer follow-up questions.
Dealer Members are also required to provide IIROC with a more detailed incident investigation report within 30 days of discovery of the cybersecurity incident. This report must include:
i) a description of the cause of the cybersecurity incident, ii) an assessment of scope of the cybersecurity incident, iii) details of steps taken to mitigate the risk of harm, iv) details of steps taken to remediate any harm, and v) details of actions the Dealer Member has or will take to improve its future preparedness for cybersecurity incidents.
What counts as a “Cybersecurity Incident”?
Under the Amendments the definition of “cybersecurity incident” is quite broad, and includes any act to gain unauthorized access to, disrupt or misuse a Dealer Member’s information system, or information stored on such information system, that has resulted in, or has a reasonable likelihood of resulting in:
- substantial harm to any person,
- a material impact on any part of the normal operations of the Dealer Member,
- invoking the Dealer Member’s business continuity plan or disaster recovery plan, or
- the Dealer Member being required under any applicable laws to provide notice to any government body, securities regulatory authority or other self-regulatory organization.
IIROC has intentionally “drafted the definition of cybersecurity incident in a flexible manner to accommodate the evolving nature and of cybersecurity threats”.
How does this interact with already-existing PIPEDA and Office of the Superintendent of Financial Institutions (“OSFI”) requirements?
IIROC has aligned these requirements with PIPEDA and OFSI as much as is “reasonably possible”, but the Amendments’ requirements are generally broader. First, any event that is reportable under other legal regimes is automatically reportable to IIROC under the Amendments. Further, as compared to mandatory breach reporting under Canadian privacy laws (including PIPEDA), the Amendments cover a broader range of conduct. While privacy laws are focused specifically on the protection of personal information and harm to the individual, the Amendments require broader reporting of breaches that have a reasonable likelihood of resulting in substantial harm to any person, including a non-individual.
What will IIROC do with this information?
IIROC plans to use these reports to share general cybersecurity incident information and the specific nature and risk of certain incidents with the Dealer Member community. IIROC specifically notes that it will not disclose the names of the Dealer Members that have reported cybersecurity incidents to other Dealer Members or the public, and that it will anonymize any information.
How do these Amendments interact with the draft NI 21-101 amendments proposed earlier this year?
In April of this year, the CSA proposed amendments to National Instrument 21-101, which expanded the obligation for certain marketplaces to report a material security incident to the appropriate securities regulatory authority. Marketplaces, who are also Dealer Members, will be required to comply with both regimes. The scope of a “security incident” under NI 21-101 is not identical to the scope of a “cybersecurity incident” under the Amendments, but we note that any security incident that is reportable to an applicable securities regulatory authority under NI 21-101 will automatically be reportable to IIROC under the Amendments.
Dealer Members must be aware of the increased reporting obligations that the Amendments impose on them. It is insufficient for Dealer Members to rely on reports submitted under privacy laws and OSFI’s requirements: these reporting requirements do not capture all relevant Dealer Members, nor do they capture all cybersecurity incidents that are reportable under the Amendments.