On August 13, 2021, the Office of the Superintendent of Financial Institutions (OSFI) issued an updated Technology and Cyber Security Incident Reporting Advisory (Advisory) governing the requirements for federally regulated financial institutions (FRFIs) in Canada to report technology and cyber security incidents to OFSI. OSFI is an independent federal government agency that regulates and supervises FRFIs, including all banks, insurance companies and federally incorporated or registered trust and loan companies.
The Advisory replaces OFSI’s 2019 advisory and mandates stricter reporting requirements on FRFIs. First, the Advisory defines a technology or cyber security incident as “an incident that has an impact, or the potential to have an impact, on the operations of an FRFI, including its confidentiality, integrity or the availability of its systems and information”. This definition replaces the one in the 2019 advisory that was aimed at an incident that has the potential to, or been assessed to, materially impact the normal operations of an FRFI.
Second, the Advisory requires FRFIs to report to OSFI any technology or cyber security incident within 24 hours, or sooner if possible. This changes significantly the threshold and timing of reporting compared to the 2019 advisory, where incidents assessed by an FRFI to be of high or critical severity level were to be reported to OSFI within 72 hours. The information to be reported is listed on the new Incident Reporting and Resolution Form included with the Advisory.
Lastly, the Advisory introduces new consequences on an FRFI for failure to report to OFSI where an FRFI could be subject to increased supervisory oversight by OSFI, including but not limited to enhanced monitoring activities, watch-listing or staging of an FRFI.
Concurrently with the Advisory, OFSI also released an updated Cyber Security Self-Assessment tool to assist FRFIs assess their level of cyber preparedness and develop cyber security practices. As the Advisory is now in effect, FRFIs should be reviewing and updating their cyber security incident response processes to comply with OSFI’s new reporting requirements.
Summary By: Anna Troshchynsky
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.