Canadian investment companies will be required to report cybersecurity attacks within days of an occurrence, allowing the industry regulator to alert other brokerages of risks.
The Investment Industry Regulatory Organization of Canada (IIROC), which regulates securities dealers, published new rules on Thursday. They require companies to provide, within three days of an attack, a preliminary description of the incident and the steps taken to respond. Within 30 days, companies must provide a detailed investigation report, outlining the cause and scope of the issue and the steps taken to reduce the risk of harm to investors and to the company.
IIROC said companies are already obliged under privacy legislation to notify clients when a breach occurs involving their data. The regulator’s new rules, which take effect immediately, address reporting requirements with IIROC.
In a notice, IIROC says the new reporting requirements will allow the organization to “better support” companies experiencing an incident and to alert their counterparts to known issues and potential risks.
“Mandatory reporting of cybersecurity incidents will allow IIROC to analyze the information received for any trends, insights or intelligence,” Irene Winel, IIROC’s senior vice-president of member regulation and strategy, said in a statement on Thursday.
“This reporting will help us to improve the industry’s cybersecurity preparedness and protect the integrity of Canada’s capital markets, thereby contributing to investors’ confidence in the industry.”
IIROC’s announcement comes a day after the Bank of Canada’s chief operating officer, Filipe Dinis, said Canada should consider strengthening regulations to protect the country’s financial system against potential cyberattacks.
“The Bank takes its role in safeguarding the financial system against cyberattacks very seriously,” Mr. Dinis said at an information technology event in Toronto. “However, we can’t tackle these challenges in isolation. We need to collaborate within the financial sector and ultimately throughout the economy to address these very real threats.”
According to IIROC, a cybersecurity incident includes “any act to gain unauthorized access to, disrupt or misuse a company’s information system or any information stored on that system that will result in substantial harm to any person, have an impact on operations of the company, or invoke a company’s disaster-recovery plan.”
There were almost 5,000 successful cyberattacks in the global financial sector from 2014 to 2018, according to figures provided by data specialist company Advisen Ltd. These attacks affected more than 550 million records, with known direct losses of more than $4-billion.
Ms. Winel told The Globe and Mail that she agrees with the Bank of Canada’s comments and that IIROC “fully supports regulatory collaboration and information sharing in this area.”
“Today’s rule changes … will ensure that current, relevant information about cybersecurity incidents is made available not only to IIROC, but also available to be shared appropriately with regulatory partners in a way that supports system resiliency,” Ms. Winel said. “Regulators need to send a strong message that cybersecurity is a key business risk for any financial-services organization.”