CIRO cybersecurity incident — For Registrants

The Canadian Investment Regulatory Organization (CIRO) is the national self-regulatory organization that oversees all investment dealers, mutual fund dealers and trading activity on Canada’s debt and equity marketplaces. CIRO was formed as a result of an amalgamation of the Investment Industry Regulatory Organization of Canada (IIROC) and the Mutual Fund Dealers Association of Canada (MFDA). You received notice of the cybersecurity incident because you were registered at some point in time with IIROC, MFDA or CIRO.

CIRO had a copy of registration data retrieved from the National Registration Database because it manages registration functions for most of the provincial securities administrators. The collection of this information is mandated by the Canadian Securities Administrators under Form 33-109F4 and was submitted to NRD by your current or former dealers. CIRO did not get your registration information from a financial institution or private party.

CIRO’s registration data related to all mutual fund dealer and investment dealer firms and individuals, including Quebec-only mutual fund dealer firms (deemed members) and individuals, was impacted such as:

• Legal and other personal names, residential address, email address, telephone number
• Date of birth, place of birth, gender, eye/hair colour, height, weight
• Bank account numbers, if included as part of the financial solvency disclosure
• Investment and beneficiary information, if included as part of the ownership in securities and derivatives disclosure
• Civil and criminal disclosure, if applicable
• Investigation notes, if there was an investigation
• Outside activity information, if applicable
• Passport information, if provided.
• Student numbers and non-securities license numbers, if applicable.

The information exposed did not include:

• Social Insurance Numbers
• Credit card or other payment information.

The collection of this information is mandated by the Canadian Securities Administrators under Form 33-109F4 and was submitted to NRD by your current or former dealers. CIRO intends to conduct a renewed review of its data retention policies going forward.

You may view the information CIRO holds about you by accessing your National Registration Database (NRD) account. This is the information that has been compromised by the incident.

We began sending letters to all affected individuals beginning September 9 to advise them that their personal data was impacted, and provide guidance on next steps including how to sign up for free credit monitoring and identity protection services.

We will contact affected individuals through the information they provided in the National Registration Database (NRD). If an email address was provided, you will get an email from either ciro@cyberscout.com OR ciro@m.cyberscout.com. Otherwise, you will be sent a letter in the mail. Emails will be distributed in a few days, and mailed letters may take approximately 3–7 business days to arrive.

We are providing free credit monitoring and identity theft protection to all impacted individuals for a period of 2 years with TransUnion and Equifax. A dedicated phone line is also available to address any questions or concerns.

To date, there is no evidence of CIRO-held data posted on the dark Web. The dark web monitoring feature allows you to be notified when your personal information is found on the dark web, as a result of any breach. We are continuing to monitor the dark web for any suggestion that data from CIRO systems specifically has been published.

As a precautionary measure and to help detect possible misuse of your information, CIRO is providing two years of credit monitoring and identity protection services. Importantly, coverage is being provided through two Canadian credit bureaus – Equifax and TransUnion – not just one. The package also includes dark web monitoring, which will alert you if your information is ever detected online at any point in the future, whether from this incident or elsewhere.

We understand these concerns. However, based on our review, there is no current evidence that client information is connected to the compromised advisor information in a way that would increase the risk of impersonation or targeted scams.

As a general best practice, we encourage advisors and clients to remain vigilant and follow standard precautions, such as independently verifying any unexpected requests for information or money, and reporting suspicious communications to their firm or to the appropriate authorities. CIRO has several articles and tip sheets that can be used as resources for you and your clients.

CIRO collects registration information in order to deliver effective regulation of individuals in the investment industry. CIRO intends to conduct a renewed review of its data retention policies going forward.

No. The NRD system was not breached. The impacted data relates to registration information held at CIRO.

We began sending letters to all affected individuals beginning September 9. Emails should be received in a few days, and mailed letters may take approximately 3–7 business days to arrive.

The incident affected a significant number of registrants of CIRO members, both current and former, but not all.

Each affected individual will receive one letter that will be signed by CIRO and sent by TransUnion on our behalf.

If you have an email address on file in NRD, you will receive an email from either ciro@cyberscout.com OR ciro@m.cyberscout.com. Those without an email address on file will receive a letter mailed to your residential address.

We are tracking email bounce-backs and mailed letters marked “return to sender”, and will follow up to determine alternate methods of communication where necessary.

Please note that the notification letters include only the recipient’s name and no additional personal information. Furthermore, only the individual identified in the letter will be able to use the access code. To create an account with the credit bureaus, you must answer security questions related to your personal banking and credit history, information that only you would know, in order to proceed.

If you haven’t received a letter, please complete the Cyber Incident form. Note that due to privacy considerations, if you are unable to verify your identity, we may not be able to help you.

We sincerely apologize for this incident and any concern it may have caused you. What we’re offering in terms of risk mitigation is considered best practice. The steps that will be set out in the notice letter are as follows:

• register for credit monitoring services and identity theft protection from TransUnion and Equifax (which will be in place for two years).
• separately notify the credit bureaus (Equifax and TransUnion) to place alerts on your credit file to be notified if new applications are made. Quebec residents may also ask the credit bureaus to freeze their credit file to prevent new applications. This also isn’t time-limited and will provide ongoing protection for any attempted credit applications.
• Monitor accounts for unusual transactions or changes and notify your financial institution immediately if you notice anything suspicious.
• remain vigilant against phishing attempts by phone, text, and email at work and on personal devices, including verifying any contact who reaches out to ask for personal information. For example, if you receive a call from your bank asking for information, hang up and call the number on the back of your bank card to verify.

Individuals will be able to benefit from the services if they have a Canadian credit bureau file. This would be the case even if they’re currently out of the country. If they do not have a Canadian credit bureau file, they won’t be able to use the services. The authentication questions they will be asked during enrolment are based on what’s in their Canadian credit file (e.g. confirming what Canadian bank they have a loan with, if any.) If you are unable to access any services, please contact MembershipServices@ciro.ca.

We have provided both services for individuals. Please open accounts with both credit bureaus.

A TransUnion representative should be able to assist with deactivating your previous monitoring service. You may reach out to the dedicated support line in your notification letter and specify this with the agent. The agent can then assist you by canceling your current monitoring service to allow you to sign up for the most recent one.

If you are not able to complete your authentication questions with the anticipated responses, the system will generate an error message and prompt you to contact an agent. The agent will be able to complete the authentication process with you, allowing you to register for services.

All impacted individuals should follow the risk-mitigation steps outlined in the letter. If you provided your passport number in NRD, it does not need to be replaced. However, if you become aware that your passport number is being misused, you should report it to the government immediately. The identity theft insurance services provided can assist you with this process.

There have been media reports that TransUnion itself was breached recently. This relates to a TransUnion USA vendor breach. The Canadian TransUnion credit bureau was not breached. You are not putting your data at risk by registering for the credit monitoring services that will be offered.

The letter you received includes a dedicated call centre number. Please note that CIRO staff may not be in a position to provide additional information; as far as possible, please direct your inquiries to the call centre.