On January 24, 2019, the Office of the Superintendent of Financial Institutions (OSFI) released a Technology and Cybersecurity Incident Reporting Advisory (Advisory) that creates new incident reporting obligations applicable to all FRFIs, effective as of March 31, 2019.
Under the Advisory, the new reporting obligations apply to technology or cyber security incidents that materially impact the normal operations of the FRFI, including incidents that affect the confidentiality, integrity or availability of the FRFI’s systems and information. Incident materiality is to be defined by the FRFI’s incident management framework.
High or critical severity incidents are to be reported to the OSFI “as promptly as possible”, but no later than 72 hours after determining that a technology or cyber security incident meets the incident characteristics in the Advisory. FRFIs are expected to notify both their Lead Supervisor and the OSFI's Technology Risk Division at TRD@osfi-bsif.gc.ca. All incident reports made to the OSFI must be in writing.
For more information, please refer to the Advisory here.
Summary By: Jae S. Morris