IIROC mandatory cybersecurity breach reporting
By Andrew Elbaz, Josh Hersh
In response to the significant increase in sophisticated cybersecurity breaches, the Investment Industry Regulatory Organization of Canada (“IIROC”) has imposed mandatory reporting requirements on investment firms that suffer a cybersecurity incident or breach.
First proposed on April 5, 2018, the new rules require investment firms regulated by IIROC to submit two separate reports:
- Within three days of discovering the cybersecurity incident, firms must submit a preliminary report describing the incident.
- Firms are given 30 days to provide a more in-depth report that details the cause and magnitude of the issue and subsequent steps that the firm is taking to protect against similar breaches.
IIROC has stated it will adopt a broad definition of a “cybersecurity incident”. In its original proposal, IIROC suggested that it would include “any act to gain unauthorized access to, disrupt, or misuse a Dealer Member’s information system” that has either resulted in or is reasonably likely to have a negative impact. We will see if they maintain that definition going forward.
While the new rule might result in increased compliance costs, investment firms are expected to benefit from the prompt and detailed reporting. As IIROC stated when it originally proposed the amendment in April 2018, the rule would increase IIROC’s ability to “move quickly to assist the affected Dealer(s) and, when necessary, inform other Dealers of current cyber threats, thereby helping to manage the impact on Dealers as well as investors.”
Many individuals in the industry have concerns about how IIROC intends to protect the private information that may have to be included in the incident reports. Firms may also be hesitant to disclose information that could be seen as compromising their competitive advantage.
Another potential issue is determining when the reporting deadlines, three or 30 days, begin to run. According to the proposed rule, the time periods start from the “discovery” of the cybersecurity incident. But there is ambiguity about when exactly an incident is considered “discovered”: for example, whether the clock starts when a monitoring alert first fires, when an analyst confirms that unauthorized access actually occurred, or when the incident is escalated to management.
Following the adoption of these new rules, it will be interesting to see the effect of IIROC’s efforts to strengthen the cybersecurity of the capital markets. For more details on the above, please contact the Securities and Capital Markets Group at Minden Gross LLP at www.mindengross.com.