IIROC Imposes Mandatory Reporting of Cybersecurity Incidents for Regulated Investment Firms
On November 14, 2019, the Investment Industry Regulatory Organization of Canada (IIROC) – the national self-regulatory organization that oversees investment dealers and their trading activity in Canadian markets – published a notice of amendments to its Rule 3100 and Rule 3703 to require mandatory reporting of cybersecurity incidents by IIROC-regulated investment firms. The amended rules, which came into effect immediately on publication of the notice, require firms to provide IIROC with an initial report within three days after of discovering a reportable cybersecurity incident and a comprehensive investigation report within 30 days after of discovering the incident.
Read our bulletin on this topic.
This content has been updated on November 18, 2019 at 16 h 35 min.