• Deborah

On February 10, the Investment Industry Regulatory Organization of Canada (IIROC) published GN-3700-22-001 Compliance with IIROC’s Cybersecurity Incident Reporting Requirements. The Guidance Note points out IIROC’s expectations for incident reporting as well as explains how Dealers Members should demonstrate compliance with the latter.


With regard to the incident reporting requirements, Dealers Members must, among other things:

  • Provide IIROC with an initial report within 3 days of the discovery of the incident.

  • Provide a detailed incident investigation report within 30 days of the discovery.

Dealers are expected to develop criteria to determine what constitutes a cybersecurity incident.


Dealers demonstrate compliance with these requirements by

  • Implementing the appropriate policies and procedures

  • Maintaining an up-to-date log or report that captured all incidents that have been discovered

  • Providing evidence of communication demonstrating that the incident was discussed internally by senior management

  • Providing evidence of corrective action.

Dealers Members who fail to meet these requirements may be subject to more frequent examinations, administrative fees or penalties, and the imposition of terms and conditions.


GN-3700-22-001 replaces GN-3700-21-005.



Recent Posts

See All

01/06/2022 - Effective date of Amendments to National Instrument 81-105 Mutual Fund Sales Practices and Related Consequential Amendments relating to prohibition of deferred sales charges for investmen

According to the CFA Institute, the most common definition of a derivative is that it is “a financial instrument that derives its performance from the performance of an underlying asset.’’ There are t