Cybersecurity & Technology

“Active management of cyber risk is critical to the stability of CIRO-regulated firms, the integrity of Canadian capital markets and the protection of investors.” Andrew Krieger, President and CEO, CIRO

Cybersecurity Summary

Cybersecurity is a key issue for Dealers and CIRO. Cybersecurity has been an important priority for CIRO for the last few years.

CIRO is committed to helping firms strengthen risk management practices and increase cybersecurity preparedness. CIRO’s initiatives include self-assessment surveys, consultations with cybersecurity professionals, and table-top exercises. We also provide educational resources such as best practice guides and webinars to help Dealers plan and implement effective risk controls and response plans for cyber threats and attacks.

What's new?

  • CIRO conducted two cybersecurity table-top exercises in 2023 for small and medium-sized CIRO member firms. Refer to the Notice for details.
  • We have prepared a Ransomware Response Playbook (PDF) that can be used as a guide when dealing with ransomware incidents.
  • We have developed a cybersecurity self-assessment tool for Investment Dealer firms that are mainly small and medium-sized. The purpose of tool is to help Investment Dealer firms identify areas of strength and weakness based on the information security practices. Members can request a copy of the tool and find a short instructional video in this Notice. (July 21, 2022)
  • We published Fundamentals of Technology Risk Management (PDF) to help mainly small and medium-sized Investment Dealer firms take the first steps towards assessing and managing technology risk. This guide provides some helpful information to Investment Dealer firms on how to begin building a technology risk management program. (March 31, 2021)
  • We issued a Notice on Ransomware that outlines what investment dealer firms and employees should do to prevent, detect, respond to and recover from a ransomware attack. The Notice also provides some information about the RCMP’s National Cyber Crime Coordination Unit or NC3. (March 16, 2021)
  • We have a mailbox where you can report incidents to CIRO: [email protected]
  • We're seeing increased cybersecurity and fraud attacks targeting clients of our firms. We issued a Notice “Cybersecurity and Fraud – Protecting Clients” that outlines the types of attacks to look out for and discusses what firms and advisors can do to prevent or limit the loss to clients. The Notice also summarizes when and how to report such incidents to IIROC (now CIRO). (November 9, 2020)
  • We have released two webinars: one on Cybersecurity Governance, and another on the Cybersecurity Threat Landscape. Check them out in our Webinars link. (October 29, 2020)
  • Cloud services and application interfaces are being increasingly targeted and their vulnerabilities exploited by cyber attackers. We issued a Notice to recommend some controls that firms can consider to manage these risks. (June 24, 2020)
  • We published a Notice that outlines some tips for advisors and employees on how to prevent and respond to a cyber attack even when working from home. (April 21, 2020)
  • A Notice has been issued to provide information to Investment Dealer Members on cybersecurity threats arising from the COVID-19 pandemic, and includes some tips to help firms and its employees protect clients’ information and itself. (March 30, 2020)
  • A new Cyber Governance Guide has been published. Check it out in our ‘Guides and Resources’ section. (March 3, 2020)

Cybersecurity Information:

Incident Reporting summary

CIRO implemented rules to require mandatory reporting of a cybersecurity incident by Dealers to CIRO.

Self-assessment surveys

IIROC (now CIRO) conducted cybersecurity self-assessment surveys for all Dealers in 2016, and again in 2018. Each Dealer was issued a confidential Cybersecurity Report (CSR) which identified their level of cybersecurity maturity and set out high-level recommendations for priority attention.

Site visits

In 2017 and 2019, IIROC (now CIRO) engaged cybersecurity consultants and visited selected Dealers with cybersecurity self-assessment maturity levels below the expected target of their industry peer group.

Table-top exercises

CIRO hosts table-top exercises to help small and medium-sized firms with cybersecurity preparedness and risk management practices.

Guides and resources

CIRO has published guides and resources to help Dealers protect themselves and their clients against cyber threats and attacks.

Helpful Links

Here are some links to information and resources provided by the Government of Canada on cybersecurity.

Contact: