CIRO Cybersecurity Incident Update

This memo is to provide an update on the recent cybersecurity incident involving the Canadian Investment Regulatory Organization (CIRO). 
 
CIRO has confirmed that a limited subset of registration data—less than 0.5% of its total data—was impacted. The affected information includes personal and professional details of mutual fund and investment dealer firms and individuals, such as names, addresses, birth details, and certain financial and disclosure data. It is important to note that Social Insurance Numbers and payment information were not compromised. Please also note that the NRD system itself was not breached, and CIRO has already reported the incident to the appropriate privacy regulators.  

Confirmed findings from CIRO’s investigation
CIRO activated its incident response protocols and engaged cybersecurity experts, including CrowdStrike. The investigation confirmed:

• No active threat has been detected since systems were contained on August 11.
• The point of entry and scope of the attack were identified through forensic analysis.
• No malware, including encryption software, was found.
• No data was manipulated or deleted.

Technical remediation actions taken
CIRO has implemented several technical measures to secure its systems:

• Affected systems were replaced and underwent full security reviews.
• Impacted user accounts and software were deleted.
• Additional security software was deployed across all machines.
• System backups were verified for integrity.
• All login credentials for CIRO staff and service providers were reset.
• Dark web monitoring was activated, with no indication that copied data has been sold or shared.
  
  

For more detailed information, please refer to the following documents: 

• FAQs – CIRO Registration Data
• System Restoration, Investigation Findings, and Compliance Guidance
  
  

Communication with impacted individuals 
Starting next week, CIRO will begin contacting affected individuals via email or mail, using the contact details provided in the National Registration Database (NRD). Impacted individuals will be offered two years of free credit monitoring and identity theft protection through TransUnion and Equifax. 
 
We appreciate your patience as CIRO works through this process. Notifications will be sent directly to affected individuals, and a dedicated support line will be available to address questions and concerns. 
  
We understand this situation may cause concern and appreciate your cooperation and vigilance. If you have any questions or require support, please reach out to the Compliance team. 

Additional resources

• CIRO Memo - Cybersecurity Threat
  
• CIRO Update on Recent System Outages
• Cybersecurity Best Practices Guide