top of page
  • Writer's pictureDeborah

On February 10, the Investment Industry Regulatory Organization of Canada (IIROC) published GN-3700-22-001 Compliance with IIROC’s Cybersecurity Incident Reporting Requirements. The Guidance Note points out IIROC’s expectations for incident reporting as well as explains how Dealers Members should demonstrate compliance with the latter.


With regard to the incident reporting requirements, Dealers Members must, among other things:

  • Provide IIROC with an initial report within 3 days of the discovery of the incident.

  • Provide a detailed incident investigation report within 30 days of the discovery.

Dealers are expected to develop criteria to determine what constitutes a cybersecurity incident.


Dealers demonstrate compliance with these requirements by

  • Implementing the appropriate policies and procedures

  • Maintaining an up-to-date log or report that captured all incidents that have been discovered

  • Providing evidence of communication demonstrating that the incident was discussed internally by senior management

  • Providing evidence of corrective action.

Dealers Members who fail to meet these requirements may be subject to more frequent examinations, administrative fees or penalties, and the imposition of terms and conditions.


GN-3700-22-001 replaces GN-3700-21-005.



Recent Posts

See All

The Secured Overnight Financing Rate (SOFR) is a broad measure of the cost of borrowing cash overnight collateralized by Treasury securities. SOFR is the overnight interest rate for US dollar-denomina

13/06/2023 - Canadian Securities Administrators (CSA) SEDAR+ go-live date. All issuer filings, cease trade orders and disciplined list entries will be filed in SEDAR+ 16/06/2023 - OSFI consultation pe

On May 11, the Bank for International Settlements (BIS) published a Handbook on how central bank digital currencies (CBDCs) could work for offline payments, defined as a “transfer of value between dev

bottom of page