IIROC Imposes Mandatory Reporting of Cybersecurity Incidents for Regulated Investment Firms

On November 14, 2019, the Investment Industry Regulatory Organization of Canada (IIROC) – the national self-regulatory organization that oversees investment dealers and their trading activity in Canadian markets – published a notice of amendments to its Rule 3100 and Rule 3703 to require mandatory reporting of cybersecurity incidents by IIROC-regulated investment firms. The amended rules, which came into effect immediately on publication of the notice, require firms to provide IIROC with an initial report within three days after of discovering a reportable cybersecurity incident and a comprehensive investigation report within 30 days after of discovering the incident.

This content has been updated on May 2, 2024 at 16 h 22 min.