IIROC Imposes Mandatory Reporting of Cybersecurity Incidents for Regulated Investment Firms

Éloïse Gratton November 18, 2019

On November 14, 2019, the Investment Industry Regulatory Organization of Canada (IIROC) – the national self-regulatory organization that oversees investment dealers and their trading activity in Canadian markets – published a notice of amendments to its Rule 3100 and Rule 3703 to require mandatory reporting of cybersecurity incidents by IIROC-regulated investment firms. The amended rules, which came into effect immediately on publication of the notice, require firms to provide IIROC with an initial report within three days after of discovering a reportable cybersecurity incident and a comprehensive investigation report within 30 days after of discovering the incident.

Read our bulletin on this topic.

This content has been updated on November 18, 2019 at 16 h 35 min.

Éloïse Gratton

Privacy & Data Protection Law

IIROC Imposes Mandatory Reporting of Cybersecurity Incidents for Regulated Investment Firms

Data governance and privacy risks in Canada: A checklist for boards and c-suite

An Update on New Québec Confidentiality Incidents and Record-Keeping Requirements

The inside scoop on how to become a privacy lawyer: 10 tips from the top

Preparing for the Privacy Reform in Canada

Getting Ready for Québec’s New Privacy Law in 2023 (Part 1): Using what we know so far

Getting Ready for Quebec’s New Privacy Law in 2023 (Part 2): Navigating uncertainty in the Law

Une fugitive recherchée depuis 30 ans, capturée à Berlin grâce à la reconnaissance faciale

CBC Windsor Morning Radio Show

La Cour suprême vient compliquer les cyberenquêtes

Une fugitive capturée à Berlin grâce à la reconnaissance faciale

Aide-mémoire en matière de protection de la vie privée et de sécurité des renseignements personnels

Lucky 7 data privacy and security cheat sheet