Compliance with IIROC’s Cybersecurity Incident Reporting Requirements

Overview

This Guidance outlines IIROC’s requirements related to IIROC Rule subsection 3703(1) and clause 3703(2)(vii) (Cybersecurity Incident Reporting Requirements) and also provides guidance to Dealer Members (Dealers) on how to demonstrate compliance with IIROC requirements. This Guidance replaces GN-3700-21-005.

Through the Cybersecurity Incident Reporting Requirements, IIROC has been able to:

• provide support to affected Dealers to ensure that appropriate action was taken to assess, respond to, and recover from the incident;
• alert other Dealers to potential vulnerabilities or imminent threats;1
• issue educational notices to guide Dealers on how to manage rising or often experienced incidents;2 and
• evaluate and develop further initiatives aimed at raising awareness of cybersecurity issues and strengthening the cybersecurity resilience of Dealers and the industry as a whole.

1. IIROC requirements

In addition to the Cybersecurity Incident Reporting Requirements, other relevant IIROC requirements are:3

• IIROC Rule 1404 requires Dealers to maintain written policies and procedures regarding the conduct of its business activities and operations.
• IIROC Rules 1405 and 3804 require Dealers to keep all records and evidence that demonstrate their compliance with IIROC requirements (including records and evidence that demonstrate compliance with the minimum books and records requirements).
• IIROC Rule 1406 requires Dealer compliance with all IIROC requirements, securities laws and other laws applicable to the Dealer’s activities.
• IIROC Rule 4200, Part B requires Dealers to
  • design and implement sufficient and appropriate controls to ensure compliance with all IIROC requirements, and
  • maintain specific documented policies and procedures for such controls as part of the combined policies and procedures for each relevant Dealer activity.
• IIROC Rule 4700, Part A requires Dealers to establish and maintain a business continuity plan that is customized to their business and identifies procedures to deal with a significant business disruption.

2. Cybersecurity incident reporting requirements

Pursuant to Cybersecurity Incident Reporting Requirements, Dealers must:

• report to IIROC within 3 days of discovery (the initial report) cybersecurity incidents that represent any act to gain unauthorized access to, disrupt or misuse a Dealer’s information system, or information stored on such system that resulted in, or there is a reasonable likelihood that it would result in:
  • substantial harm to any person and/or material disruption to operations,
  • invoking the firm’s business continuity or disaster recovery plan, or
  • reporting obligations under any applicable laws to a government body or regulatory authority or organization,
• report to IIROC details of its investigation of the cybersecurity incident, within 30 days of its discovery (the incident investigation report).

The requirements also outline specific information that must be provided when reporting to IIROC.

2.1 Determining what is a cybersecurity incident

Dealers should develop criteria to determine what would constitute a cybersecurity incident at their firm that would trigger reporting to IIROC, including:

• what would be considered “substantial harm” to any person, and
• what represents “material impact on normal operations”.

The definition of cybersecurity incident is broad, in order to accommodate the evolving nature of cybersecurity risk, and includes, among others, breaches that:

• involve personal information and may be reportable under the reporting obligations of any privacy legislation including the Privacy Information Protection and Electronic Documents Act (PIPEDA),
• affect a Dealer’s ability to meet its obligations to its clients and counterparties, and
• affect either individuals or non-individuals.

Dealers should use their judgment when assessing the reasonable likelihood that an incident can (i) result in substantial harm to a person, 4 or (ii) have a “material impact” on its normal operations, taking into consideration its size, business model and the nature of the cybersecurity incident.

For instance, an incident could be considered to be “material” if the Dealer would, in the normal course of operations, escalate it to senior management. Also, Dealers should not look at incidents in isolation. A non-material incident by itself may still be considered material or likely to cause substantial harm if it recurs or has a wider impact5.

When evaluating what constitutes Dealer “information system” or “information stored on such systems”, Dealers need to also consider elements that are supplied by outsourced or third-party service providers.

2.2 Providing the initial report

The initial report is a brief snapshot of relevant information about a cybersecurity incident provided by a Dealer immediately following discovery of the cybersecurity incident and is meant to reflect only a preliminary assessment of the cybersecurity incident.

The Cybersecurity Incident Reporting Requirements prescribe what needs to be provided in the initial report, but the Dealer should share all pertinent information about the cybersecurity incident with IIROC. We recognize that Dealers may not have a complete analysis within three calendar days following discovery of the cybersecurity incident and we expect Dealers to submit the best information available to them at the time of reporting6.

If a Dealer has identified a possible cybersecurity incident but is not sure if the incident meets the definition to trigger reporting, we recommend that the Dealer contact its Financial & Operations Compliance (FinOps) relationship manager for guidance. Similarly, if a Dealer has reported the cybersecurity incident to IIROC within three days, but later determines that no cybersecurity incident, as defined in the IIROC Rules, occurred, then the Dealer must notify IIROC of this change in assessment. If IIROC is satisfied with the explanation provided by the Dealer that no cybersecurity incident occurred, then the Dealer does not need to provide an incident investigation report to IIROC7.

2.3 Providing the incident investigation report

The incident investigation report is a more detailed report that a Dealer produces after a thorough investigation8 of the cybersecurity incident. The Cybersecurity Incident Reporting Requirements prescribe what needs to be provided to IIROC in the incident investigation report. The incident investigation report should include:

• all relevant and pertinent information that would help a Dealer determine the nature, extent, scope9, impact and root cause of the cybersecurity incident; and
• actions taken to mitigate the risk and remediate any harm from the specific cybersecurity incident and improve overall cybersecurity incident preparedness.

If a Dealer obtains material new information related to the cybersecurity incident after providing the incident investigation report, it must provide IIROC with the details.

If a Dealer needs more time to provide the incident investigation report, it should notify its FinOps relationship manager and let them know:

• why the Dealer needs more time,
• when the Dealer expects the incident investigation report to be completed, and
• when the Dealer will submit the incident investigation report.

If IIROC agrees to grant an extension, the Dealer should keep IIROC up to date regarding the status of its investigation and the actions taken.

3. Demonstrating compliance with the Cybersecurity Incident Reporting Requirements

Dealers must be able to demonstrate to IIROC that they are complying with all applicable rules and requirements.

Dealers can demonstrate compliance with the Cybersecurity Incident Reporting Requirements by providing evidence as follows:

• Detailed policies and procedures around cybersecurity incident reporting10 that:
  • align with IIROC requirements;
  • incorporate procedures to detect, assess, report (both internally and externally), mitigate the risk and remediate any harm resulting from cybersecurity incidents occurring at or impacting the Dealer;
  • provide detailed criteria around the definitions of “substantial harm” and “material impact" such that a reasonable person would be able to assess whether a particular cybersecurity incident meets the threshold requirements to be reported to IIROC - where functions are centralized at larger or global entities, the policies and procedures should address the specific regulatory requirements related to the Dealer and provide for separate assessments of materiality, substantiality, significance and other thresholds for the Dealer taking into consideration its standalone business and size;
  • specify the individuals and departments responsible for the policies and procedures and the various functions and tasks identified therein, including the individuals responsible for reporting the incident to IIROC; and
  • are frequently reviewed to assess whether the policies need to be updated or any criteria needs to be reassessed.
• An up-to-date log or report identifying all discovered cybersecurity incidents that occurred at and/or impacted the Dealer which includes, among other things, reasons supporting a decision to report or not report the incident, as the case may be, to IIROC
• Evidence of communication, as noted in the policies and procedures, where senior management discusses cybersecurity incidents occurring at and/or impacting the Dealer and whether they meet the thresholds to be reported to IIROC.
• Evidence that all necessary corrective action was taken, as noted in the policies and procedures, to mitigate and remediate cybersecurity incidents and increase incident preparedness.

4. Non-compliance with the Cybersecurity Incident Reporting Requirements

IIROC’s FinOps group will review the Dealer’s evidence of controls to ensure compliance with the Cybersecurity Incident Reporting Requirements and all applicable IIROC requirements during regularly scheduled field examinations. If the Dealer is unable to demonstrate that they have designed and implemented sufficient and appropriate controls to ensure compliance with the IIROC rules or the controls, as designed and implemented, are not working effectively, then such an examination finding could lead to action by IIROC including but not limited to one or more of the following: more frequent IIROC examinations, administrative fees or penalties, and the imposition of terms and conditions.

5. Other resources

For other information and resources on managing cybersecurity threats, including guides and webinars, please refer to IIROC’s cybersecurity site.

6. Applicable Rules

This Guidance Note discusses the following IIROC Rules: 

• Sections 1404 through 1406
• Subsection 3703(1) and clause 3703(2)(vii)
• Section 3804
• Rule 4200, Part B
• Rule 4700, Part A

7. Previous Guidance Note

This Guidance replaces GN-3700-21-005 Frequently Asked Questions – Mandatory Cybersecurity Incident Reporting.

8. Related Documents

This Guidance Note was published under Notice 22-0024.

• 1IIROC does not disclose the names of the Dealers who have reported cybersecurity incidents to other Dealers or the public. We anonymize any information about reported cybersecurity incidents that we share with the public or other Dealers.
• 2See Education Notice 20-0061 – COVID-19 and Cybersecurity; Education Notice 20-0083 – COVID-19 and Cybersecurity – Tips for Advisors and Employees; Education Notice 20-0100 – COVID-19 Cybersecurity – Remote Access Services; Education Notice 20-0133 – Cybersecurity – Cloud Services and Application Programming Interfaces; Education Notice 20-0235 – Cybersecurity and Fraud – Protecting Clients; Education Notice 21-0050 – Cybersecurity Ransomware.
• 3This is not intended to be an exclusive list of related applicable IIROC requirements.
• 4Substantial harm to any person may include harm to a non-individual client and may relate to more than just the misuse of personal information.
• 5For example, an incident that slows down a Dealer’s website or internal system when taken in isolation may not have a material impact on Dealer’s operations, however it may become material and therefore reportable if it keeps recurring or affects a number of different operations, services or persons.
• 6Dealers should contact their FinOps relationship manager to provide the report. When IIROC receives the initial report, we arrange a meeting, generally on the same day, to discuss the preliminary details of the cybersecurity incident and next steps. The meeting includes the following individuals:
  • Senior management in FinOps,
  • Senior management in the IIROC Information Technology and Information Security department, and
  • the Chief Executive Officer, Chief Financial Officer, Chief Information Officer/ Chief Information Security Officer and Chief Compliance Officer of a Dealer.
• 7In order to support the Dealer’s assessment that a cybersecurity incident did not occur, we recommend that Dealers confirm with external legal counsel and cybersecurity professionals that:• the incident did not result in a breach of personal information or other substantial harm to a person,• a Dealer’s information systems or information stored on such a system were not materially impacted, and• any action taken is sufficient and complies with all applicable laws, including privacy laws.
• 8While a Dealer can use its own internal IT staff or managed services provider to investigate the root cause of the cybersecurity incident, we recommend using external forensics auditors if a Dealer:• lacks the specialized knowledge, tools and resources needed to fully investigate the cybersecurity incident, and• seeks to manage potential conflicts of interest.
• 9Some examples of scope and impact information to include would be what information on the Dealer’s information system was affected and if it included client data, number of devices affected, number of business days that a Dealer’s operations were impacted, estimated costs to address the cybersecurity incident including whether the Dealer has cybersecurity insurance and the amount of the deductible, etc.
• 10Dealers should have a cybersecurity incident response and management plan that includes its reporting obligations.