Reporting Cybersecurity Incidents to IIROC

Dealers may soon have to report cybersecurity incidents to IIROC under rule changes proposed on April 5.¹ Consistent with a heightened global focus on cybersecurity due to the increasing frequency and sophistication of cyber attacks, IIROC believes that information sharing is critical for mitigating cybersecurity risks and promoting the stability of the capital markets. Comments on the proposed rules are due by May 22.

Cybersecurity Incident Reporting

The rule changes would require dealers to submit two reports to IIROC.

1. A preliminary report within three days of discovering a cybersecurity incident.

This would describe the incident, provide a preliminary assessment of the risk of harm or inconvenience and the impact on the dealer's operations, and explain the immediate mitigating steps that the dealer has taken.

2. An incident investigation report submitted within 30 days of a cybersecurity incident, unless otherwise agreed to by IIROC.

This more comprehensive report would include

• the cause of the cybersecurity incident;
• an assessment of its scope, including the number of persons harmed or inconvenienced and the impact on the dealer's operations;
• the mitigating and remediating steps taken by the dealer; and
• actions taken or to be taken by the dealer to improve its cybersecurity incident preparedness.

What is a "Cybersecurity Incident"?

IIROC's rules would define a "cybersecurity incident" as any act to gain unauthorized access to, disrupt or misuse a dealer's information system, or information stored there, that has resulted in, or has a reasonable likelihood of resulting in

• substantial harm or inconvenience to any person;
• a material impact on the normal operations of the dealer;
• invoking the dealer's business continuity plan or disaster recovery plan; or
• the dealer being required under any applicable laws to provide notice to any government body, securities regulatory authority or other self-regulatory organization.

IIROC stated that its proposed rules are consistent with similar provisions in federal and provincial privacy legislation. However, the three-day reporting deadline is quicker than required by other regulations. In the face of uncertainty about the nature and impact of a cybersecurity incident, dealers may need to exercise judgment to determine the point in time at which the three-day reporting window is triggered.

IIROC Request for Voluntary Reports in the Interim

Currently, IIROC imposes no mandatory reporting requirements related to cybersecurity incidents. However, IIROC's Cybersecurity Best Practices Guide² recommends timely incident reporting as part of firms' cybersecurity policies, and some dealers have voluntarily reported cybersecurity incidents to IIROC—which was requested in Technical Notice 18-0063,³ published by IIROC on March 22. IIROC asks dealers to continue to voluntarily report any cybersecurity incidents as part of their management of cyber risks during the rulemaking process for the new requirements.

_________________________

¹ See http://www.iiroc.ca/Documents/2018/d2bca7f7-f219-4b80-905f-d030f505e29d_en.pdf.

² See http://www.iiroc.ca/industry/Documents/CybersecurityBestPracticesGuide_en.pdf.

³ See http://www.iiroc.ca/Documents/2018/3b7be3c5-962f-492f-96bd-57e0bcf075af_en.pdf.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2024 by Torys LLP.

All rights reserved.