Investment industry regulator begins notifying member firms, advisers about data breach

Investment firms, financial advisers and other market registrants are now getting notified that their personal information was accessed last month during a data breach at their industry regulator.

The Canadian Investment Regulatory Organization confirmed in an e-mail to The Globe and Mail that registration information of its member firms and registered individuals was breached on Aug. 11.

“While we have no evidence that this information has been misused, out of an abundance of caution, we are contacting all registered individuals and are offering free credit monitoring and identity theft protection services for a period of two years with both TransUnion and Equifax,” CIRO spokesperson Sean Hamilton said in a statement.

How to keep your money safe from hackers

CIRO – a self-regulatory organization that oversees all investment dealers and mutual fund dealers, as well as all trading activity on Canada’s debt and equity marketplaces – has more than 100,000 financial advisers as registered members across Canada.

Last month, CIRO identified a cybersecurity threat and, as a precaution, “proactively” shut down some of its systems to ensure their safety and immediately started an investigation.

CIRO said the information that could have been accessed included personal names, residential addresses, email addresses and telephone numbers, as well as birth dates and places of birth. Bank account numbers could have been breached if they were included as part of a financial solvency disclosure, as well as investment and beneficiary information, if included as part of disclosures about ownership in securities and derivatives.

Other details that may have been accessed include civil and criminal disclosures, investigation notes and passport information for non-Canadian citizens.

CIRO confirmed that social insurance numbers and credit card or payment information were not disclosed in the breach.

Mr. Hamilton said throughout the shutdown, critical functions remained available and CIRO’s real-time equity market surveillance operations continue as normal, with no active threat in CIRO’s systems.

“It is important to note that Canadians’ investments are not at risk,” Mr. Hamilton added.

New CIRO guidance proposes broader support for DIY investors

CIRO says it only receives information about a sample of investors through its member compliance functions. If the investigation reveals that any investor’s information was affected, CIRO will notify them immediately and provide risk mitigation services.

CIRO was formed in 2023 through the amalgamation of the Investment Industry Regulatory Organization of Canada and the Mutual Fund Dealers Association of Canada. The self-regulatory organization is responsible for the supervision of about 90 mutual fund distributors and 170 investment dealers.