On January 24, 2019, the Office of the Superintendent of Financial Institutions (OSFI) released a Technology and Cybersecurity Incident Reporting Advisory (Advisory) that creates new incident reporting obligations applicable to all federally regulated financial institutions (FRFIs), effective as of March 31, 2019.
Under the Advisory, the new reporting obligations apply to technology or cyber security incidents that materially impact the normal operations of the FRFI, including incidents that affect the confidentiality, integrity or availability of the FRFI’s systems and information. Incident materiality is to be defined by the FRFI’s incident management framework.
High or critical severity incidents are to be reported to the OSFI “as promptly as possible”, but no later than 72 hours after determining that a technology or cyber security incident meets the incident characteristics in the Advisory. FRFIs are expected to notify both their Lead Supervisor and the OSFI's Technology Risk Division at TRD@osfi-bsif.gc.ca. All incident reports made to the OSFI must be in writing.
For more information, please refer to the Advisory here.
Summary By: Jae S. Morris
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.