3703. Reporting by a Dealer Member to IIROC

    1. For purposes of this section 3703, a “cybersecurity incident” includes any act to gain unauthorized access to, disrupt or misuse a Dealer Member’s information system, or information stored on such information system, that has resulted in, or has a reasonable likelihood of resulting in:

      1. substantial harm to any person

      2. a material impact on any part of the normal operations of the Dealer Member

      3. invoking the Dealer Member’s business continuity plan or disaster recovery plan, or

      4. the Dealer Member being required under any applicable laws to provide notice to any government body, securities regulatory authority or other self-regulatory organization.

    2. A Dealer Member must report to IIROC any of the following matters, within the time period and using the method prescribed by IIROC:

      1. all client complaints, against the Dealer Member or any current or former Approved Person, except service complaints. For the purpose of clause 3703(2)(i), a service complaint by a client is one that is related to service issues and is not the subject of any domestic or foreign securities laws

      2. whenever an internal investigation is commenced by the Dealer Member in accordance with section 3706,

      3. the results of the internal investigation under clause 3703(2)(ii),

      4. any time the Dealer Member, or a current or former Approved Person is subject to one of the following in any jurisdiction inside or outside of Canada, while in the employ of the Dealer Member or concerning matters that occurred while in the employ of the Dealer Member:

        1. charged with, convicted of, plead guilty or no contest to, any criminal offence, 

        2. named as a defendant or respondent in, or is the subject of, any proceeding or disciplinary action alleging contravention of any securities laws,

        3. named as a defendant or respondent in, or is the subject of any proceeding or disciplinary action alleging contravention of the requirements or policies of any regulatory or self‑regulatory organization, professional licensing or registration body, 

        4. denial of registration or license by any regulatory or self‑regulatory organization, professional licensing or registration body, or

        5. subject to a civil claim or arbitration notice involving any of the following:

          1. any matters related to securities,

          2. any matter related to handling of client accounts or dealings with clients, or

          3. any matter that is the subject of any legislation, rules, regulations, or policies concerning securities, exchange contracts or financial services of any securities or financial services regulatory or self-regulatory organization in any jurisdiction,

      5. the resolution of any matters set out in clause 3703(2)(iv),

      6. any internal disciplinary action that is taken by a Dealer Member against an Approved Person as a result of: 

        1. a client complaint within the meaning of clause 3703(2)(i),

        2. a securities related civil claim or arbitration notice,

        3. an internal investigation,

        4. a Dealer Member initiated disciplinary action imposing suspension, termination, demotion, or trading restrictions on the Approved Person, or

        5. a Dealer Member initiated disciplinary action not involving any of the matters listed in sub‑clauses 3703(1)(vi)(a) through 3703(1)(vi)(c), which results in a monetary penalty: 

          1. over $5,000 for a single occurrence, 

          2. over $15,000 in total in a calendar year, or 

          3. imposed three times or more in a calendar year, and

      7. any cybersecurity incident, in writing,
        1. within three calendar days from discovering a cybersecurity incident, and must include the following information: 
          1. a description of the cybersecurity incident
          2. the date on which or time period during which the cybersecurity incident occurred and the date it was discovered by the Dealer Member, 
          3. a preliminary assessment of the cybersecurity incident, including the risk of harm to any person and/or impact on the operations of the Dealer Member
          4. a description of immediate incident response steps the Dealer Member has taken to mitigate the risk of harm to persons and impact on its operations, and
          5. the name of and contact information for an individual who can answer, on behalf of the Dealer Member, any of IIROC’s follow-up questions about the cybersecurity incident
        2. within 30 calendar days, unless otherwise agreed by IIROC, from discovering a cybersecurity incident, and must include the following information:

          1. a description of the cause of the cybersecurity incident,

          2. an assessment of the scope of the cybersecurity incident, including the number of persons harmed and the impact on the operations of the Dealer Member,

          3. details of the steps the Dealer Member took to mitigate the risk of harm to persons and impact on its operations,

          4. details of the steps the Dealer Member took to remediate any harm to any persons, and

          5. actions the Dealer Member has or will take to improve its cybersecurity incident preparedness.

    There is no history log for this rule.