Request for Comment – Proposed Amendments Respecting Mandatory Reporting of Cybersecurity Incidents – Investment Industry Regulatory Organization of Canada (IIROC)

Market Regulation Document Type
IIROC rule review

IIROC is publishing for public comment proposed amendments to the Dealer Member Rules (DMRs) and corresponding amendments for the proposed IIROC Dealer Member Plain Language Rule Book (the proposed PLR Rule Book) to require mandatory reporting of a cybersecurity incident by Dealer Member to IIROC (the Proposed Amendments).

The Proposed Amendments:

  • define the term "cybersecurity incident"
  • require Dealers submit a report shortly after discovery of the incident
  • require Dealers submit a more comprehensive report 30 days, unless otherwise agreed to by IIROC, after the incident
  • list the information Dealers must report.

If approved, IIROC plans to implement the Proposed Amendments as follows:

  • The changes to current DMR 3100 will be implemented as soon as the Recognizing Regulators approve them.
  • The changes to section 3705 of the proposed PLR Rule Book will be implemented when the proposed PLR Rule Book becomes effective and will replace the corresponding DMR 3100. IIROC will incorporate the Proposed Amendments into the proposed PLR Rule Book when they publish the Notice of Approval.

A copy of the IIROC Notice and appendices, which includes the Proposed Amendments, is also published on our website at The comment period ends on May 22, 2018.