“It’s going to be a process.”
That’s what Andrew Kriegler, CEO of the Canadian Investment Regulatory Organization (CIRO), said about the ongoing regulatory response to CIRO’s August data breach. That response includes re-evaluating the types of data that the regulators collect, Kriegler said. At the end of the process, CIRO aims to be “best in class,” he said. Kriegler made the comments in mid-October at the annual conference of the Securities and Investment Management Association.
In the aftermath of the CIRO breach, which exposed personal information of registrants past and present, financial advisors are also undergoing a process — of ongoing credit monitoring and guarding against identity theft.
Advisors are hardly alone, however. The proportion of Canadians age 15 and older experiencing cybersecurity incidents — from unsolicited spam to fraudulent payment card use — increased to 70% in 2022 from 58% in 2020, according to the Canadian internet use survey sponsored by Innovation, Science and Economic Development Canada.
In 2021, the Canadian Anti-Fraud Centre issued a warning about increased identity-fraud reporting: “Fraudsters are using personal information about Canadians to apply for government benefits, credit cards, bank accounts, cell phone accounts or even take over social media and email accounts,” the centre says on its website. “It is important that Canadians take steps to secure their personal and financial information and know what to do when identity frau
Source: https://www.advisor.ca/industry-news/managing-identity-theft-risk-after-ciro-data-breach/
CIRO / OCRI cybersecurity rating report: https://www.rankiteo.com/company/ciro-canadian-investment-regulatory-organization
{
  "id": "CIR1764857408",
  "linkid": "ciro-canadian-investment-regulatory-organization",
  "type": "Breach",
  "date": "8/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Financial advisors '
'(registrants past '
'and present)',
'industry': 'Financial Services',
'location': 'Canada',
'name': 'Canadian Investment Regulatory '
'Organization (CIRO)',
'size': None,
'type': 'Regulatory Organization'}],
'customer_advisories': 'Financial advisors advised to undergo '
'credit monitoring and guard against '
'identity theft.',
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personal '
'information'},
'date_detected': '2023-08',
'description': 'CIRO experienced a data breach in August that '
'exposed personal information of registrants past '
'and present. The breach has led to ongoing '
'credit monitoring and identity theft risks for '
'financial advisors. The regulatory response '
'includes re-evaluating the types of data '
'collected by regulators.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': 'Personal information of '
'registrants',
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High',
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': None},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Ongoing',
'lessons_learned': 'Need to re-evaluate the types of data '
'collected by regulators to enhance security '
'and reduce exposure risks.',
'post_incident_analysis': {'corrective_actions': 'Re-evaluating '
'data '
'collection '
'practices',
'root_causes': None},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'recommendations': 'Implement stricter data collection policies '
'and enhance monitoring for identity theft '
'risks.',
'references': [{'date_accessed': '2023-10',
'source': 'Securities and Investment Management '
'Association Annual Conference',
'url': None},
{'date_accessed': None,
'source': 'Canadian Anti-Fraud Centre',
'url': 'https://www.antifraudcentre-centreantifraude.ca'},
{'date_accessed': None,
'source': 'Canadian Internet Use Survey '
'(Innovation, Science and Economic '
'Development Canada)',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': None,
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': 'Re-evaluating types of '
'data collected',
'third_party_assistance': None},
'title': 'CIRO Data Breach',
'type': 'Data Breach'}