• Deborah

On February 10, the Investment Industry Regulatory Organization of Canada (IIROC) published GN-3700-22-001 Compliance with IIROC’s Cybersecurity Incident Reporting Requirements. The Guidance Note points out IIROC’s expectations for incident reporting as well as explains how Dealers Members should demonstrate compliance with the latter.


With regard to the incident reporting requirements, Dealers Members must, among other things:

  • Provide IIROC with an initial report within 3 days of the discovery of the incident.

  • Provide a detailed incident investigation report within 30 days of the discovery.

Dealers are expected to develop criteria to determine what constitutes a cybersecurity incident.


Dealers demonstrate compliance with these requirements by

  • Implementing the appropriate policies and procedures

  • Maintaining an up-to-date log or report that captured all incidents that have been discovered

  • Providing evidence of communication demonstrating that the incident was discussed internally by senior management

  • Providing evidence of corrective action.

Dealers Members who fail to meet these requirements may be subject to more frequent examinations, administrative fees or penalties, and the imposition of terms and conditions.


GN-3700-22-001 replaces GN-3700-21-005.



Recent Posts

See All

22/09/2022 - Coming into force of certain requirements regarding the Québec’s Act respecting the protection of personal information in the private sector, introduced by Bill 64, including but limited