The Canadian Securities Administrators (CSA) have approved amendments to the Dealer Member Rules (DMRs) and corresponding amendments for the IIROC Dealer Member Plain Language Rule Book (the IIROC Rules) to require mandatory reporting of a cybersecurity incident by Dealer Members (Dealers) to IIROC (the Amendments).
The Amendments:
The Amendments are effective immediately.
On April 5, 2018, we issued Notice 18-0070 requesting comments on the Amendments to the DMRs and corresponding IIROC Rules relating to mandatory reporting of cybersecurity incidents by Dealers to IIROC.
The Amendments:
In formulating the Amendments, we sought to create a framework that would allow IIROC to:
The Amendments continue IIROC’s ongoing work in supporting our Dealers’ cybersecurity preparedness. This work has included recent tabletop exercises and a second round of cybersecurity self-assessment surveys. We also recognize the voluntary reporting made by some Dealers since publication of Notice 18-0063 on March 22, 2018.
Since IIROC first published its Cybersecurity Incident Best Practices Guide in December 2015, cyber risks have continued to evolve and present a more urgent threat of harm to investors, market participants and Dealers. Furthermore, as IIROC seeks more ways to support industry transformation, we recognize Dealers are increasing their collection of data and reliance on complex information systems. This development highlights the importance of timely information sharing to mitigate cyber risk.
In response to the publication for comment, we received eight public comment letters. We set out below a summary of the themes of the comments received and our responses. A full summary of the comment letters received and our responses is set out in Appendix 1 – Response to Public Comments.
We received public comments respecting the following themes:
We determined that in order to respond to the comments we received, we did not need to make material changes to the Amendments. Rather, we provide further clarification relating to the purpose and intent of the Amendments in our Response to Public Comments (see Appendix 1) and Frequently Asked Questions (described more fully in section 5 below).
More specifically, in our Response to Public Comments, we:
While we did not make any material changes to the Amendments, we did make the following non-material changes:
The Amendments will be effective immediately.
We are concurrently publishing a Frequently Asked Questions Guidance Note to assist Dealers in understanding their obligations under the Amendments (see Notice 19-0195). We intend to update this document periodically as necessary.
Appendix 1 – Response to Public Comments
Appendix 2 – Text of Final Amendments to DMR 3100 (Reporting and Recordkeeping Requirements) (Blackline to reflect non-material changes)
Appendix 3 – Text of Final Amendments to DMR 3100 (Reporting and Recordkeeping Requirements) (Clean)
Appendix 4 – Text of Amendments to section 3703 of the IIROC Rules (Reporting by a Dealer Member to IIROC) (Blackline to reflect non-material changes)
Appendix 5 – Text of Amendments to section 3703 of the IIROC Rules (Reporting by a Dealer Member to IIROC) (Clean)
Appendix 6 – Notice 19-0195 - Frequently Asked Questions – Mandatory Cybersecurity Incident Reporting