Incident Reporting Summary

Information sharing is an essential tool for mitigating cyber threats, particularly in a rapidly evolving threat landscape. In April 2018, IIROC (now CIRO) proposed rules to require mandatory reporting of a cybersecurity incident by Investment Dealer Members (Dealers) to IIROC (now CIRO). We expect Dealers will benefit from the prompt reporting of cybersecurity incidents. When CIRO receives notice of an incident, it can move quickly to assist the affected Dealer(s) and, when necessary, inform other Dealers of current cyber threats, thereby helping to manage the impact on Dealers as well as investors.

We recently implemented IDPC Rule 3703 requiring the mandatory reporting of cybersecurity incidents by Dealers to CIRO. We also issued guidance in the form of frequently asked questions to assist Dealers.