On January 17, 2022, the BC Financial Services Authority (BCFSA) issued a Discussion Paper on the reporting obligations for financial institutions with respect to information security (IS) incidents.  In the Discussion Paper, BCFSA is considering implementing new mandatory reporting obligations for financial institutions.

The Discussion Paper should be read in conjunction with the Information Security Guideline released by BCFSA on October 1, 2021 (the Guideline).  The Guideline includes expectations for financial institutions to report specified IS incidents.  However, evidence from other jurisdictions has shown that where IS incident reporting is only an expectation rather than a requirement, organizations have not been reporting these incidents to the applicable regulator.

Therefore, the proposed new reporting requirements for IS incidents would apply to all credit unions, insurance and trust companies authorized to do business in British Columbia, including extra-provincial companies with customers in British Columbia (collectively, financial institutions).  Under these new requirements, BCFSA is considering two classes of financial institutions: (1) B.C. incorporated financial institutions; and (2) extra-provincially incorporated financial institutions.  The reporting requirements will vary depending on the institution’s class.

BCFSA states that the objective of an “Information Security Incident Reporting Rule” would be to ensure that it “is aware of material IS incidents at financial institutions authorized to do business in the province.”  Financial institutions would be required to notify BCFSA in writing of a reportable IS incident as soon as possible and no later than 24 hours after the incident is identified.

BCFSA considers a reportable IS incident to include an incident “that has caused or has the potential to cause material harm to consumers, or financial or reputational damage to financial institutions or the financial services sector.”  Financial institutions would also be required to report to BCFSA any material incident reported to the financial institution by an outsourcing service provider.

Following notification of the IS incident to BCFSA (including completion of an incident report), under the new requirements, financial institutions would be required to provide BCFSA with regular updates.  Once the incident has been resolved, financial institutions would also be required to report to BCFSA on their post-incident review, including lessons learned.

Penalties for non-compliance with the new reporting requirements may include an administrative penalty of up to $50,000 for a corporation or $25,000 for an individual. 

BCFSA is seeking responses and feedback from stakeholders by February 25, 2022.  The full discussion paper can be found here.

Summary By: Olalekan (Wole) Akinremi

E-TIPS® ISSUE

22 02 09

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.