OSFI, the Canadian Federal Office of the Superintendent of Financial Institutions, on August 13, 2021, issued new guidance on Technology and Cyber Security Incident Reporting, replacing prior guidance of March 2019.
The new guidance steps up and clarifies reporting requirements by Federally Regulated Financial Institutions (FRFI's) in the event of technology or cybersecurity incidents which affect their operations. Federally Regulated Financial Institutions includes, for example: banks, federally incorporated or registered trust and loan companies, insurance companies and pension plans subject to federal oversight. It does not otherwise include guidance on OSFI's expectations for incident response management. Simultaneously, OSFI published a self-assessment memo for use by FRFI's dealing with preparedness, updating prior guidance from 2013.
For the guidance's purposes, "technology or cybersecurity incident" is defined as an incident that has an impact, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information.
"A reportable incident may have any one or more of the following characteristics:
A list of reportable examples is also provided in the guidance.
Initial notification must be made in writing (electronic to OSFI's Technology Risk Division as well as the FRFI's lead supervisor at OSFI within 24 hours, or sooner if possible). OSFI provides template notification and fact-reporting forms along with the Guidance.
OSFI expects to remain updated by the affected FRFI regularly until all details about the incident have been provided, including reports of remediation actions and plans, post-incident analyses and lessons learned.
Failure to report fully or timely may result in increased supervisory oversight including but not limited to enhanced monitoring activities, watch-listing or staging of the FRFI.
While OSFI standards require compliance by Federally Regulated Financial Institutions, they also provide a bellwether for other industries' reasonable security standards. In some sense, the raising of the bar with respect to cybersecurity in a variety of industrial regulatory settings also tends to raise the bar for unregulated and adjacent industries in that the expectations of what is a reasonable response to a data security incident can be elevated. The guidance document is mandatory for FRFI's but may also be instructive for other industries.
A member of the Bennett Jones Cybersecurity group or any of the authors would be pleased to assist you with any questions or concerns.