The Investment Industry Regulatory Organization of Canada (IIROC) has extended its vigilance over the cybersecurity posture of its Dealer Members by introducing mandatory cyber breach reporting.

On November 14, 2019, IIROC released Rules Notice 19-0194[1], in which it advised that the Canadian Securities Administrators (CSA) had approved changes to IIROC's Dealer Member Rules and Rule Book that "require Dealers to report to IIROC any cybersecurity incidents within three days of discovery of the cybersecurity incident" and "require Dealers to provide IIROC with an incident investigation report within 30 days of discovery of the cybersecurity incident."

The amendments took effect immediately upon release of the Notice. A companion Rules Notice Guidance Notice released the same day[2] provides further details on the amendments, offering guidance as to the circumstances in which reporting will be necessary, and sets out the expected content of reports to be made within the 72-hour window. Each report must include, "at minimum":

  • a description of the cybersecurity incident;
  • the date the cybersecurity incident was discovered and the date or time period during which the cybersecurity incident occurred;
  • a preliminary assessment of the cybersecurity incident, including the risk of harm to any person or impact on a Dealer's operations;
  • a description of immediate incident response steps a Dealer has taken; and
  • contact information for an individual who can answer follow-up questions.

The 30-day report that follows the initial notice must contain at least the following:

  • a description of the cause of the cybersecurity incident;
  • an assessment of the scope of the cybersecurity incident, including the number of persons harmed and the impact on a Dealer's operations, such as:
    • the number of devices affected;
    • the number of business days that a Dealer's operations were impacted;
    • estimated costs to address the cybersecurity incident, including whether the Dealer has cybersecurity insurance and the amount of the deductible;
    • what information on a Dealer's information system was affected and if it included client data;
  • details of the steps a Dealer has taken to mitigate the risk of harm to persons and impact on a Dealer's operations, including if a Dealer notified any other regulators or external parties;
  • details of the steps a Dealer took to remediate any harm to any person, including if a Dealer engaged any legal counsel; and
  • actions a Dealer has taken to improve its cybersecurity incident preparedness.

The reporting obligations these amendments put into effect are different and separate from any reporting obligations Dealer Members may have to privacy regulators under applicable privacy laws, and the Guidance Notice recommends Dealer Members consult with external counsel to determine what actions such laws may require. Those versed in Canadian privacy law will recognize considerable overlap in the information required by IIROC and the content of reports required by privacy legislation governing commercial activity.

This new reporting obligation mirrors a similar one imposed by the Office of the Superintendent of Financial Institutions (OSFI) earlier this year. In January, OSFI released an advisory[3] (which came into force March 31, 2019). The advisory establishes a mandatory reporting requirement (to OSFI, not to the OPC) for federally regulated financial institutions (FRFIs). It requires them to report technology or cyber security incidents (defined to include incidents that "have the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information") to their Lead Supervisors where such incidents are deemed by the institution to "be of a high or critical severity level."[4] The advisory sets out characteristics and examples of reportable incidents to assist institutions in determining whether incidents must be reported. Like IIROC's recent Rules amendments, the OSFI advisory requires that incidents be reported as quickly as possible but no later than 72 hours after an incident is determined to be reportable.

The 72-hour reporting deadlines imposed by both IIROC and OSFI are more specific than those imposed under federal and provincial privacy statutes.

These new mandatory reporting regimes suggest regulators of the Canadian financial services sector are taking greater ownership of the problem lax cybersecurity poses for industry players and the public. It will be interesting to see what the data generated by the new reporting requirement reveals about the cyber readiness of and risk to Canadian financial institutions.