On February 10, the Investment Industry Regulatory Organization of Canada (IIROC) published GN-3700-22-001 Compliance with IIROC’s Cybersecurity Incident Reporting Requirements. The Guidance Note sets out IIROC’s expectations for incident reporting and explains how Dealer Members should demonstrate compliance with them.
With regard to the incident reporting requirements, Dealer Members must, among other things:
Provide IIROC with an initial report within 3 days of the discovery of the incident.
Provide a detailed incident investigation report within 30 days of the discovery.
Dealers are expected to develop criteria to determine what constitutes a cybersecurity incident.
Dealers demonstrate compliance with these requirements by
Implementing the appropriate policies and procedures
Maintaining an up-to-date log or report that captures all incidents that have been discovered
Providing evidence of communication demonstrating that the incident was discussed internally by senior management
Providing evidence of corrective action.
Dealer Members who fail to meet these requirements may be subject to more frequent examinations, administrative fees or penalties, and the imposition of terms and conditions.
GN-3700-22-001 replaces GN-3700-21-005.