CIRO’s Data Breach – Where Are The Regulators?

On January 14, 2026, nearly six months after a major cyberbreach occurred, the Canadian Investment Regulatory Organization (CIRO) released a public statement providing guidance to the approximately 750,000 affected clients. While this guidance was clearly necessary, we question whether investors could have been notified earlier so that they could take immediate steps to protect themselves. Such delays put investors at risk and erode confidence in a regulatory system that is supposed to be designed to protect them.

This incident also highlights concerns with how securities regulators collect, retain and store personal information. Securities regulators have access to personal and financial information of all investors. While it is essential to have such access in order to fulfill their regulatory mandate, any organization entrusted with that level of responsibility must adhere to the highest cybersecurity standards and practices.  

The breach also raises questions about the Canadian Securities Administrators’ (CSA) oversight of CIRO. As a self-regulatory organization, CIRO is operating under delegated authority from the CSA. Shortly before the data breach, the CSA completed an oversight review of CIRO’s IT systems but did not identify any findings or weaknesses with CIRO’s cybersecurity practices. While an oversight review cannot reasonably be expected to identify all vulnerabilities and risks, this breach should at least prompt the CSA to re-examine its oversight approach of CIRO and remedy any potential shortcomings.

To restore investor confidence, we would like to hear from the CSA. We would like to know that the CSA is actively monitoring CIRO’s response to the breach, requiring CIRO to implement improved cybersecurity practices, reviewing and improving its own cybersecurity practices, and reassessing its oversight program of CIRO. Investors must know that the primary regulator accountable to the public is fully engaged, transparent, and taking decisive steps to prevent similar incidents from occurring again.

FAIR Canada will continue to advocate for stronger investor protections and for an effective regulatory framework that prioritizes the interests of investors.
