The Canadian Investment Regulatory Organization (CIRO) says it temporarily disabled several internal platforms after discovering what it described as a cybersecurity threat on 11 August.
The self-regulatory body, which oversees investment dealers, mutual fund dealers and trading activity in Canada’s debt and equity markets, reported that critical market-surveillance functions remained operational throughout the shutdown. However, a preliminary inquiry suggests that personal data belonging to member firms and their registered employees may have been exposed.
“Given the high standard of security that CIRO expects of both itself and its members, we are deeply concerned about this, and know our members will be too,” the organisation said in a written statement published by Finextra.
Sean Hamilton, CIRO’s director of corporate communications and public affairs, told Investment Executive that the watchdog is “actively investigating what information was affected” and will notify any individuals put at risk. Hamilton added that the regulator plans to offer free credit-monitoring and identity-theft protection services to those impacted.
CIRO became operational last year through the merger of the Investment Industry Regulatory Organization of Canada and the Mutual Fund Dealers Association of Canada. The incident represents the first publicly disclosed cyber event since the consolidation, underscoring the challenges financial regulators face in protecting increasingly complex data environments.
In its statements, the watchdog said it is working with external cybersecurity consultants, legal advisers and law-enforcement agencies. Some non-critical systems remain offline while forensic specialists determine the scope of the breach and restore services incrementally.
Security analysts note that self-regulatory organisations hold large volumes of sensitive information, making them attractive targets for threat actors. At the same time, they play a crucial role in maintaining market integrity, so any disruption can raise concerns about oversight continuity.
CIRO stressed that its real-time equity market surveillance was unaffected, and that no active threat persists on its core infrastructure. Updates will be provided to member firms through email bulletins and the regulator’s website as the investigation progresses.
The organisation has not disclosed how many firms or individual registrants could be affected, nor has it provided a timeline for the full reinstatement of all services.