
Defending Against Ransomware: OSFI Updated Advisory on Cyber Incident Reporting

March 14, 2022


Written By Ruth Promislow, Simon Grant and Fatima Kawar

Ransomware continues to present an increasing risk to all organizations. Ransomware attacks can involve the installation of malicious software designed to block access to computer systems and/or steal data, accompanied by an extortion demand for a ransom payment. The threat and impact of these attacks have grown dramatically as a result of the following:

The rising threat of ransomware and the role of financial sector entities in the fight against ransomware have been highlighted by recent government advisories in Canada and the United States, which are summarized below. Specific guidance is provided to federally regulated financial institutions (FRFIs), which requires a comprehensive review of existing policies and protocols to ensure compliance, as well as preparedness for this risk.

Canadian Guidance and Requirements

The Office of the Superintendent of Financial Institutions (OSFI) in Ottawa recently released an updated advisory that imposes enhanced requirements on how FRFIs should disclose and report technology and cyber security incidents. The updated Technology and Cyber Security Incident Reporting Advisory (the Updated OSFI Advisory) supersedes the initial advisory which was released in January 2019 (the 2019 OSFI Advisory) and summarized in our previous insight, Technology and Cybersecurity Incident Reporting: New Guidance from OSFI.

Criteria for Reporting in Canada

The Updated OSFI Advisory makes significant changes to the criteria for a reportable incident:

Some examples of characteristics which trigger a reporting obligation include:

The following is a list of newly added characteristics which trigger a reporting obligation: 

Reporting Requirements in Canada

The Updated OSFI Advisory includes changes to the reporting requirements:

Failure to Report

The Updated OSFI Advisory sets out new potential consequences for an FRFI's failure to report a technology or cyber security incident.

Other Guidance for Canadian Organizations

In an open letter dated December 6, 2021, the Canadian Ministers of National Defence, Public Safety, Emergency Preparedness and International Trade, Export Promotion, Small Business and Economic Development reviewed the significant rise of ransomware threats and offered guidance to curb this trend. The Ministers refer to a cyber-threat bulletin and a ransomware playbook recently published by the Canadian Centre for Cyber Security as guidance for best practices to protect against cyber threats.

United States Advisories

The United States Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) issued a new advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments in November 2021, replacing FinCEN's October 2020 guidance. In this new advisory, FinCEN highlighted the increased frequency and severity of ransomware attacks against critical U.S. infrastructure. This trend (as noted in the Financial Trend Analysis report issued by FinCEN on October 15, 2021) was derived from financial institutions' Suspicious Activity Reports (SARs). Between January 1, 2021 and June 30, 2021, 635 SARs were filed and 458 transactions were reported, an increase of 30 percent over the total of 487 SARs filed for the entire 2020 calendar year.

Takeaways

FRFIs should be vigilant in ensuring that they have robust risk-management frameworks and corresponding policies and procedures in place to prepare for ransomware attacks and corresponding compliance obligations. Preparation includes:

Compliance for financial organizations involves regular review and renewal of their risk-management strategy. The Bennett Jones Cybersecurity and Financial Services groups would be pleased to assist.
