The Investment Industry Regulatory Organization of Canada (IIROC) has extended its vigilance over the cybersecurity posture of its Dealer Members by introducing mandatory cyber breach reporting.
On November 14, 2019, IIROC released Rules Notice 19-0194 in which it advised that the Canadian Securities Administrators (CSA) had approved changes to IIROC's Dealer Member Rules and Rule Book. The Notice "requires Dealers to report to IIROC any cybersecurity incidents within three days of discovery of the cybersecurity incident" and "requires Dealers to provide IIROC with an incident investigation report within 30 days of discovery of the cybersecurity incident."
The amendments took effect immediately upon release of the Notice. A companion Guidance Notice released the same day provides further details on the amendments, offers guidance as to the circumstances in which reporting will be necessary, and sets out the expected content of reports to be made within the 72-hour window. Each report must include, "at minimum":
- a description of the cybersecurity incident;
- the date the cybersecurity incident was discovered and the date or time period during which the cybersecurity incident occurred;
- a preliminary assessment of the cybersecurity incident, including the risk of harm to any person or impact on a Dealer's operations;
- a description of immediate incident response steps a Dealer has taken; and
- contact information for an individual who can answer follow-up questions.
The 30-day report that follows the initial notice must contain at least the following:
- a description of the cause of the cybersecurity incident;
- an assessment of the scope of the cybersecurity incident, including the number of persons harmed and the impact on a Dealer's operations, such as:
  - the number of devices affected;
  - the number of business days that a Dealer's operations were impacted;
  - estimated costs to address the cybersecurity incident, including whether the Dealer has cybersecurity insurance and the amount of the deductible;
  - what information on a Dealer's information system was affected and if it included client data;
- details of the steps a Dealer has taken to mitigate the risk of harm to persons and impact on a Dealer's operations, including whether a Dealer notified any other regulators or external parties;
- details of the steps a Dealer took to remediate any harm to any person, including whether a Dealer engaged any legal counsel; and
- actions a Dealer has taken to improve its cybersecurity incident preparedness.
The reporting obligations put into effect are different and separate from any reporting obligations Dealer Members may have to privacy regulators under applicable privacy laws, and the Guidance Notice recommends that Dealer Members consult external counsel to determine what actions those laws may require. Those versed in Canadian privacy law will recognize considerable overlap between the information required by IIROC and the content of reports required by privacy legislation governing commercial activity.
This new reporting obligation mirrors a similar one imposed by the Office of the Superintendent of Financial Institutions (OSFI) earlier in 2019. Last January, OSFI released an advisory which came into force March 31, 2019. The Advisory requires federally regulated financial institutions (FRFIs) to report to their Lead Supervisors at OSFI (not the Office of the Privacy Commissioner) technology or cyber security incidents (defined to include incidents that "have the potential to, or has been assessed to, materially impact the normal operations of an FRFI, including confidentiality, integrity or availability of its systems and information") where such incidents are deemed by the institution to "be of a high or critical severity level." The advisory sets out characteristics and examples of reportable incidents to assist institutions in determining whether incidents must be reported. Like IIROC's recent Rules amendments, the OSFI advisory requires that incidents be reported as quickly as possible but no later than 72 hours after an incident is determined to be reportable.
The 72-hour report deadlines imposed by both IIROC and OSFI are more specific and arguably shorter than those imposed under federal and provincial privacy statutes.
These new mandatory reporting regimes suggest regulators of the Canadian financial services sector are taking greater ownership of the problem that lax cybersecurity poses for industry players and the public. It will be interesting to see what the data generated by the new reporting requirements reveal about the cyber risk to and readiness of Canadian financial institutions.