IIROC requires mandatory reporting of cybersecurity incidents at firms

The Canadian Press

A person uses a laptop computer with illuminated English and Russian Cyrillic character keys in this arranged photograph in Moscow, Russia, on Thursday, March 14, 2019

A person uses a laptop computer with illuminated English and Russian Cyrillic character keys in this arranged photograph in Moscow, Russia, March 14, 2019. , Bloomberg News

TORONTO — The Investment Industry Regulatory Organization of Canada is now requiring the mandatory reporting of any cybersecurity incidents at occur at the investment firms it regulates.

Under the new rules, firms have to report to the industry regulator any cybersecurity incidents in two stages.

In the first stage, firms have three days to provide a preliminary description of the incident and steps taken.

The second stage allows firms 30 days to provide a detailed investigation report, outlining the cause and scope of the issue, and steps taken to mitigate the risk of harm to investors and to the firm.

IROC says the mandatory reporting will allow it to analyze the information received for any trends, insights or intelligence and help improve the industry's cybersecurity preparedness.

IIROC is the self-regulatory organization that oversees investment dealers and their trading activity in Canada's debt and equity markets.