Written By Jordan Fremont, Ruth Promislow and Michael Whitt

OSFI, the Canadian Federal Office of the Superintendent of Financial Institutions, on August 13, 2021, issued new guidance on Technology and Cyber Security Incident Reporting, replacing prior guidance of March 2019.

The new guidance steps up and clarifies reporting requirements by Federally Regulated Financial Institutions (FRFI's) in the event of technology or cybersecurity incidents which affect their operations. Federally Regulated Financial Institutions includes, for example: banks, federally incorporated or registered trust and loan companies, insurance companies and pension plans subject to federal oversight. It does not otherwise include guidance on OSFI's expectations for incident response management. Simultaneously, OSFI published a self-assessment memo for use by FRFI's dealing with preparedness, updating prior guidance from 2013.

For the guidance's purposes, "technology or cybersecurity incident" is defined as an incident that has an impact, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information.

"A reportable incident may have any one or more of the following characteristics:

• Impact has potential consequences to other FRFIs or the Canadian financial system;
• Impact to FRFI systems affecting financial market settlement, confirmations or payments (e.g., Financial Market Infrastructure), or impact to payment services;
• Impact to FRFI operations, infrastructure, data and/or systems, including but not limited to the confidentiality, integrity or availability of customer information;
• Disruptions to business systems and/or operations, including but not limited to utility or data centre outages or loss or degradation of connectivity;
• Operational impact to key/critical systems, infrastructure or data;
• Disaster recovery teams or plans have been activated or a disaster declaration has been made by a third party vendor that impacts the FRFI;
• Operational impact to internal users, and that poses an impact to external customers or business operations;
• Number of external customers impacted is growing; negative reputational impact is imminent (e.g., public and/or media disclosure);
• Impact to a third party affecting the FRFI;
• A FRFI's technology or cyber incident management team or protocols have been activated;
• An incident that has been reported to the Board of Directors or Senior/Executive Management;
• A FRFI incident has been reported to:
  • the Office of the Privacy Commissioner;
  • another federal government department (e.g., the Canadian Center for Cyber Security);
  • other local or foreign supervisory or regulatory organizations or agencies;
  • any law enforcement agencies;
  • has invoked internal or external counsel
• A FRFI incident for which a Cyber insurance claim has been initiated;
• An incident assessed by a FRFI to be of a high or critical severity, level or ranked Priority/Severity/Tier 1 or 2 based on the FRFI's internal assessment; or
• Technology or cyber security incidents that breach internal risk appetite or thresholds.
• For incidents that do not align with or contain the specific criteria listed above, or when a FRFI is uncertain, notification to OSFI is encouraged as a precaution."

A list of reportable examples is also provided in the guidance.

Initial notification must be made in writing (electronic to OSFI's Technology Risk Division as well as the FRFI's lead supervisor at OSFI within 24 hours, or sooner if possible). OSFI provides template notification and fact-reporting forms along with the Guidance.

OSFI expects to remain updated by the affected FRFI regularly until all details about the incident have been provided, including reports of remediation actions and plans, post-incident analyses and lessons learned.

Failure to report fully or timely may result in increased supervisory oversight including but not limited to enhanced monitoring activities, watch-listing or staging of the FRFI.

While OSFI standards require compliance by Federally Regulated Financial Institutions, they also provide a bellwether for other industries' reasonable security standards. In some sense, the raising of the bar with respect to cybersecurity in a variety of industrial regulatory settings also tends to raise the bar for unregulated and adjacent industries in that the expectations of what is a reasonable response to a data security incident can be elevated. The guidance document is mandatory for FRFI's but may also be instructive for other industries. 

A member of the Bennett Jones Cybersecurity group or any of the authors would be pleased to assist you with any questions or concerns.