Incident Reporting Summary

Information sharing is an essential tool for mitigating cyber threats, particularly in a rapidly evolving threat landscape. In April 2018, IIROC proposed rules to require mandatory reporting of a cybersecurity incident by Dealer Members (Dealers) to IIROC. We expect Dealers will benefit from the prompt reporting of cybersecurity incidents. When IIROC receives notice of an incident it can move quickly to assist the affected Dealer(s) and, when necessary, inform other Dealers of current cyber threats, thereby helping to manage the impact on Dealers as well as investors.

We recently implemented IIROC Rule 3703 requiring the mandatory reporting of cybersecurity incidents by Dealers to IIROC. We also issued guidance in the form of frequently-asked questions to assist Dealers.

Welcome to!

You can find the Canadian Investment Regulatory Organization (CIRO) at with our fresh look and feel.

The following sections of the legacy and sites have been migrated to

  • Enforcement
  • Hearings
  • Consultations
  • A unified member directory (Dealers We Regulate)
  • Advisor Report

We will continue moving items off MFDA and IIROC in 2024. Stay tuned for future updates.