IIROC Mandatory Cyber Breach Reporting

On November 14, 2019, the Investment Industry Regulatory Organization of Canada (IIROC) announced amendments to its Dealer Member Rules that require all investment dealers subject to its regulations to report all cybersecurity incidents to IIROC within three (3) days of discovery, and to provide IIROC with an incident investigation report within thirty (30) days of discovery.

This announcement could be seen as the conclusion to a process that began nearly two (2) years ago, in March of 2018, when IIROC issued notice 18-0063, which spoke of the growing risk of cybersecurity attacks to investment professionals and suggested best-practice cybersecurity measures for members to follow via its Cybersecurity Best Practices Guide and Cyber Incident Management Planning Guide.

From notice 18-0063:

Reporting of cybersecurity incidents

Cyberattacks have been increasing in number and sophistication. In particular, there is a general increase in ransomware attacks, likely due to the ‘commoditization’ of tools making it easier for less sophisticated attackers to use them. The active management of cyber risk is critical to the stability of IIROC Dealer Members (Dealers), the integrity of capital markets and the protection of investors. Over the past few years, we have committed to helping Dealers strengthen their risk-management practices and increase their cybersecurity preparedness. To further strengthen and support Dealers in the management of cyber risks, we will soon be publishing for comment proposed amendments to our Dealer Member Rules, requiring mandatory reporting of certain cybersecurity incidents. In the interim, we ask all Dealers to promptly report to us the occurrence of any cybersecurity incident.

According to IIROC’s Dealer Member Rules, a cybersecurity incident is defined as “any act to gain unauthorized access to, disrupt or misuse a Dealer Member’s information system, or information stored on such information system, that has resulted in, or has a reasonable likelihood of resulting in:

  1. substantial harm to any person,
  2. a material impact on any part of the normal operations of the Dealer Member,
  3. invoking the Dealer Member’s business continuity plan or disaster recovery plan, or
  4. the Dealer Member being required under any applicable laws to provide notice to any government body, securities regulatory authority or other self-regulatory organization.”

With cyberattacks and data breaches becoming an everyday occurrence and affecting more businesses and consumers, the timing for this is probably fortuitous. In the summer of 2019, for example, Capital One was the victim of a cyberattack that compromised the financial and personal information of more than 100 million people. With purveyors of ransomware and malware becoming ever more sophisticated, and with more and more information being linked and shared across partner networks, it is no longer impossible to imagine a scenario that starts with one financial institution incurring a breach and then spreads outwards to include its external partners as well as their partners’ partners.

IIROC’s own research data suggests that its members had been getting the message prior to this announcement and have been busily revamping their own security practices. In a survey it conducted in late 2018, 82% of the firms surveyed said that they had been conducting cybersecurity training once a year, compared to only 56% of those surveyed in 2016. 72% had an Incident Response Plan, up from 53% in 2016. 94% reported that they now assessed third parties for cyber risks before entering into a contract, compared to 70% in 2016. And more than half had purchased some sort of cyber insurance policy, compared to 37% in 2016.

These new requirements are mandatory and will take effect immediately.

About Datatel and Secured Net Solutions

Organizations are in a continuous struggle to ensure that all necessary safeguards are in place to protect their valuable information from external and internal security threats alike. At Datatel, it is our goal to ensure that our clients are prepared to successfully navigate the ever-changing Cybersecurity and payment security landscape. In partnership with Secured Net Solutions, we provide our customers with tailor-made services and solutions that ensure that they will always be prepared for and able to respond to information security threats.

Our team’s depth of expertise and breadth of capability in advanced technology is founded upon real-world experience, combined with solid technical training and continuous skill development. Our philosophy and core business align directly with the critical components required to assist our clients in establishing a more secure infrastructure and overall security posture.

For information on how we can help you address your Cybersecurity and Payment Security needs, contact us at: 800-831-6660 x 257
