IIROC to require disclosure of cyber incidents

Regulator proposes changes to dealers rule book

Steve Randall

An increasing number of cybersecurity incidents and the rising sophistication of attacks have prompted IIROC to require greater transparency from dealers.

The regulator is proposing changes to its Dealer Member Rules and the Plain Language Rule Book which will require dealers to promptly report any cybersecurity incidents to IIROC.

Currently, dealers are asked to tell the regulator voluntarily if they suffer a cybersecurity incident, but the change would make it mandatory.

IIROC says that active management of cybersecurity is essential for the stability of dealers, the integrity of capital markets, and the protection of investors.

In a technical note issued last month, the regulator said that both the number and the sophistication of cyber attacks have been rising, especially ransomware attacks, in which data or whole systems are locked down until victims pay a ransom. Even then, there is no guarantee that systems will be freed.

Current guidelines urge dealer members to report an attack but the proposed rules would require them to do so within 3 calendar days from discovering the incident. This initial report would need to be followed by a more comprehensive report within 30 days.

IIROC says that the detection and prevention of cyber incidents benefit greatly from information sharing, and that the proposed new rules would ensure timely reporting so that information about incidents can be shared widely.

Although there may be increased costs of compliance, the regulator says the proposed amendments “do not impose any burden or constraint on competition or innovation that is not necessary to further IIROC’s regulatory objectives.”

Interested parties can give their views on the proposed amendments by May 22, 2018. Further details are on the IIROC website.