top of page
  • Writer's pictureDeborah

On February 10, the Investment Industry Regulatory Organization of Canada (IIROC) published GN-3700-22-001 Compliance with IIROC’s Cybersecurity Incident Reporting Requirements. The Guidance Note points out IIROC’s expectations for incident reporting as well as explains how Dealers Members should demonstrate compliance with the latter.

With regard to the incident reporting requirements, Dealers Members must, among other things:

  • Provide IIROC with an initial report within 3 days of the discovery of the incident.

  • Provide a detailed incident investigation report within 30 days of the discovery.

Dealers are expected to develop criteria to determine what constitutes a cybersecurity incident.

Dealers demonstrate compliance with these requirements by

  • Implementing the appropriate policies and procedures

  • Maintaining an up-to-date log or report that captured all incidents that have been discovered

  • Providing evidence of communication demonstrating that the incident was discussed internally by senior management

  • Providing evidence of corrective action.

Dealers Members who fail to meet these requirements may be subject to more frequent examinations, administrative fees or penalties, and the imposition of terms and conditions.

GN-3700-22-001 replaces GN-3700-21-005.

Recent Posts

See All

Product Corner - VAs : Quèsaco

Virtual Assets (VAs) or crypto assets refer to : “any digital representation of value that can be digitally traded, transferred or used for payment. It does not include digital representation of fiat

Upcoming Regulatory Deadlines to Watch

10 Aug 2023 - Deadline to submit comments to FCA Guidance Consultation (GC23/1) on crypto asset financial promotions. 5 Sep 2023 - Effective date of SEC Cybersecurity Risk Management, Strategy, Govern


bottom of page