Compliance with IIROC’s Cybersecurity Incident Reporting Requirements

Type: Rules Notice> Notice of Implementation
Rule connection:
Distribute internally to:
Internal Audit
Legal and Compliance
Senior Management
Technology & Cybersecurity


Financial & Operations Compliance
Member Regulation Policy

IIROC is publishing guidance on subsection 3703(1) and clause 3703(2)(vii) of IIROC Rules (Cybersecurity Incident Reporting Requirements). The guidance outlines IIROC’s requirements related to the Cybersecurity Incident Reporting Requirements and also provides guidance to Dealer Members on how to demonstrate compliance with IIROC requirements.

The guidance will be effective immediately and replaces GN-3700-21-005 - Frequently Asked Questions – Mandatory Cybersecurity Incident Reporting.


Appendix A – GN-3700-22-001 Compliance with IIROC’s Cybersecurity Incident Reporting Requirements

MFDA and IIROC have consolidated

As of January 1, 2023 the MFDA and IIROC have come together as New Self-Regulatory Organization of Canada (New SRO).

New SRO has assumed the regulatory responsibilities of the MFDA and IIROC.

We have set up an interim website for updates and information related to the New SRO including:

  • Executive Management
  • Governance
  • New SRO Rules
  • Member Application
  • Investor Office and the Investor Advisory Panel
  • Information concerning mutual fund dealers registered in Québec
  • Complaints
  • Careers

Enforcement proceedings, membership lists, continuing education, investor education resources and any other information not set out above continue to reside on and