New Reporting Requirements
On November 14, 2019, the Investment Industry Regulatory Organization of Canada (IIROC) amended its Dealer Member Rules (the Rules) to address reporting of cybersecurity incidents. The amendment, which takes effect immediately, requires all investment dealers regulated by IIROC to report all cybersecurity incidents.
The Rules define a “cybersecurity incident” as “any act to gain unauthorized access to, disrupt or misuse a Dealer Member’s information system, or information stored on such information system, that has resulted in, or has a reasonable likelihood of resulting in:
(i) substantial harm to any person,
(ii) a material impact on any part of the normal operations of the Dealer Member,
(iii) invoking the Dealer Member’s business continuity plan or disaster recovery plan, or
(iv) the Dealer Member being required under any applicable laws to provide notice to any government body, securities regulatory authority or other self-regulatory organization.”
IIROC acknowledged that it chose a definition broad and flexible enough to capture a wide variety of incidents and to be inclusive of business models.
The newly amended Rules stipulate that cybersecurity incidents must be reported to IIROC in two phases, as follows:
- The first phase mandates that following an incident, a report must be submitted within three days. The report must describe the incident, including the date of the incident, when it was discovered, a preliminary risk assessment, an outline of what steps have been taken and a contact for IIROC to follow up with.
- The second phase requires an incident investigation report to be submitted within 30 days. This report must provide a more detailed account assessing the cause and scope of the incident. It should include the steps taken to mitigate any risk of harm as well as remediate any harm done. Dealer Members should also include a description of how they will better prepare for a future incident.
The proposed amendments were first released in April 2018 for public consultation before approval by the Canadian Securities Administrators. As part of the public consultation, Dealer Members raised concerns that the reported information would not be kept confidential. IIROC has addressed this concern by assuring Dealers that all reported incidents will only be shared “on an anonymous and high level basis” to spread awareness of known threats and keep other Dealers vigilant.
According to IIROC, the amendments are intended to respond to increasingly frequent and sophisticated cybersecurity attacks. IIROC expects that mandatory reporting will result in the following key benefits:
- enable IIROC to better support and advise dealers during a cybersecurity incident;
- spread awareness of known issues and potential risks in a timely manner to share best practices, mitigate harm, and better prepare other Dealers; and
- allow IIROC to gain more information for analysis, which in turn would improve preparedness, integrity and confidence in the industry.
The amendments are not surprising given the increased attention placed on cybersecurity over the past few years by IIROC, the Canadian Securities Administrators, the Mutual Fund Dealers Association, and other regulators and industry participants. For example, in a survey of investment firms conducted by IIROC in 2018, it was discovered that:
- an annual cybersecurity training had been implemented by 82% of investment firms surveyed, compared with 56% in 2016;
- cybersecurity response plans had been implemented by 72% of investment firms surveyed, compared with 53% in 2016; and
- as a precursor to entering into a contract with another party, 94% of investment firms surveyed are now evaluating cybersecurity risks, compared with 70% in 2016.
As cybersecurity becomes an increasingly hot-button topic, the implementation of mandatory reporting rules is IIROC’s next step in enforcing strong cybersecurity practices in the investment industry.
For those interested in learning more, IIROC has also released a notice answering Frequently Asked Questions on the amendments. IIROC’s previously published Cybersecurity Best Practices Guide and Cyber Incident Management Planning Guide provide additional guidance on the topic.