Incident Reporting Summary

Information sharing is an essential tool for mitigating cyber threats, particularly in a rapidly evolving threat landscape. In April 2018, IIROC proposed rules to require mandatory reporting of a cybersecurity incident by Dealer Members (Dealers) to IIROC. We expect Dealers will benefit from the prompt reporting of cybersecurity incidents. When IIROC receives notice of an incident it can move quickly to assist the affected Dealer(s) and, when necessary, inform other Dealers of current cyber threats, thereby helping to manage the impact on Dealers as well as investors.

We recently implemented IIROC Rule 3703 requiring the mandatory reporting of cybersecurity incidents by Dealers to IIROC. We also issued guidance in the form of frequently-asked questions to assist Dealers.

Welcome to!

We have a new look! You can find the Canadian Investment Regulatory Organization (CIRO) at with our fresh look and feel.

You can now find new publications published by CIRO since January 1, 2023 on If you are looking for past notices or bulletins published by MFDA or IIROC, you can find those on our legacy websites. Enforcement related content will continue on those websites as well.

You can now find previous Annual Reports and Enforcement Reports on, along with Halts and Resumption, and our ePublications sign up (for all previous MFDA and IIROC subscriber lists).

We will continue moving items off MFDA and IIROC in 2023/2024. Stay tuned for future updates.