Canadian Securities Administrators approve new rules for reporting of cybersecurity incidents
Dealer members of IIROC are now required to report any cybersecurity incidents within three days of discovery of the issues.
The Canadian Securities Administrators (CSA) have approved amendments to the Dealer Member Rules (DMRs) and corresponding amendments for the rules of the Investment Industry Regulatory Organization of Canada (IIROC) regarding reporting of cybersecurity issues.
The Amendments:
- require Dealers to report to IIROC any cybersecurity incidents within three days of discovery of the cybersecurity incident,
- require Dealers to provide IIROC with an incident investigation report within 30 days of discovery of the cybersecurity incident, and
- list the information Dealers must report.
The Amendments are effective immediately.
Since IIROC first published its Cybersecurity Incident Best Practices Guide in December 2015, cyber risks have continued to evolve, the body warns. These risk present a more urgent threat of harm to investors, market participants and Dealers. On top of that, as IIROC seeks more ways to support industry transformation, it recognizes Dealers are increasing their collection of data and reliance on complex information systems. This development highlights the importance of timely information sharing to mitigate cyber risk.
Before these changes to reporting requirements, IIROC members followed the Cybersecurity Best Practices Guide. The document, however, sets forth merely a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help IIROC Dealer Members manage cybersecurity risks. The voluntary guidance offers Dealer Members the ability to customize and quantify adjustments to their cybersecurity programs using cost-effective security controls and risk management techniques.
Back in March this year, IIROC warned that cyber attacks were increasing in number and sophistication. In particular, there is a general increase in ransomware attacks, likely due to the ‘commoditization’ of tools making it easier for less sophisticated attackers to use them. The active management of cyber risk is critical to the stability of Dealers, the integrity of capital markets and the protection of investors, IIROC noted.