The Investment Industry Regulatory Organization of Canada (IIROC) has amended its Dealer Member Rules to require mandatory reporting by dealer members (Dealers) in the event of a cybersecurity incident. The amendments are accompanied by guidance on the new requirements.
IIROC expects dealers to issue an initial report within three days of discovery of an incident, and to submit a detailed incident investigation report within 30 days of the incident.
In light of IIROC’s mission to protect investors, strengthen market integrity and support healthy Canadian capital markets, the IIROC reporting requirements are broader than the mandatory reporting requirements under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the provincial requirements under Alberta’s Personal Information Protection Act, both of which also apply to Dealers.
WHAT TRIGGERS THE NEED TO REPORT TO IIROC?
Dealers must report any act aimed to disrupt, misuse or gain unauthorized access to a Dealer’s information system, or information stored on such information system that has resulted in, or has a reasonable likelihood of resulting in:
- Substantial harm to any person
- A material impact on any part of the normal operations of the Dealer
- The invocation of the Dealer’s business continuity plan or disaster recovery plan
- The Dealer being required under any applicable laws to provide notice to any government body, securities regulatory authority or other self-regulatory organization.
IIROC has stated that the definition is intended to be flexible to accommodate the evolving nature of incidents. The definition carries elements of what would be reportable under PIPEDA while also focusing on the Dealer’s ability to meet obligations to clients and the capital markets more generally, consistent with IIROC’s mandate.
Whether an incident has a reasonable likelihood of resulting in any of the outcomes listed above is a matter of judgment. IIROC’s guidance indicates that the probability of “substantial harm to any person” may include harm to a non-individual client and may relate to more than just the misuse of personal information. Whether an incident is material is to be determined based on the size and business model of the given Dealer.
Notably, incidents that take place at a Dealer service provider may need to be reported. IIROC’s guidance is explicit that a Dealer’s “information system” includes elements that may be supplied by third-party service providers, although to be reportable, the other elements of the definition of “cybersecurity incident” must be present.
WHEN AND WHAT ARE DEALERS TO REPORT TO IIROC?
Within three days of determining that a cybersecurity incident took place, a Dealer must, at a minimum, report the following:
- A description of the cybersecurity incident
- The date the cybersecurity incident was discovered and the date or time period during which the cybersecurity incident occurred
- A preliminary assessment of the cybersecurity incident, including the risk of harm to any person or impact on a Dealer’s operations
- A description of immediate incident response steps a Dealer has taken
- Contact information for an individual who can answer follow-up questions
- Any additional information the Dealer may have.
The preliminary assessment of the cybersecurity incident is not meant to reflect material insights regarding assessment or remediation measures undertaken. IIROC’s guidance acknowledges that Dealers may not have a complete analysis after only three days. Dealers must submit the best information available at the time of reporting.
Within 30 days of discovering a cybersecurity incident, a more detailed report is required, which fully investigates the nature, extent, scope, impact and root cause of the incident. At minimum, the 30-day report must include:
- A description of the cybersecurity incident
- An assessment of the scope of the cybersecurity incident, including the number of persons harmed and the impact on the Dealer’s operations, such as:
  - The number of devices affected
  - The number of business days that a Dealer’s operations were impacted
  - Estimated costs to address the cybersecurity incident, including whether the Dealer has cybersecurity insurance and the amount of the deductible
  - What information on the Dealer’s information system was affected and whether it included client data
- Details of the steps the Dealer has taken to mitigate the risk of harm to persons and impact on a Dealer’s operations, including if the Dealer notified any other regulators or external parties
- Details of the steps the Dealer took to remediate any harm to any person, including if the Dealer engaged any legal counsel, and actions the Dealer has taken to improve its cybersecurity incident preparedness.
A 30-day report is not always required. If the Dealer concludes that no cybersecurity incident occurred as defined in the IIROC Rules, despite an initial three-day report, a subsequent report need not be made. Also, Dealers may request more time to submit the 30-day report by notifying their IIROC relationship manager. IIROC acknowledges that, depending on the severity and complexity of an incident, an investigation may extend well beyond 30 days.
HOW EXTERNAL BREACH COUNSEL CAN HELP DEALERS MEET IIROC’S REPORTING REQUIREMENTS
IIROC strongly recommends that Dealers consult with external legal counsel and cybersecurity professionals to assess the extent of a cybersecurity incident and whether any action taken complies with applicable laws, including privacy laws. External breach counsel can also provide support to senior management who are required to attend a meeting with IIROC officials following the preliminary three-day report. Further, breach counsel can help streamline and coordinate responses to IIROC, the Office of the Privacy Commissioner and the Office of the Superintendent of Financial Institutions, if necessary.