top of page
  • Writer's pictureDeborah

On August 13, The Office of the Superintendent of Financial Institutions (OSFI) released its updated Advisory providing guidance on how federally regulated banks, insurance companies, and credit unions — Federally Regulated Financial Institution (FRFI) — should disclose and report technology and cyber security incidents.

A technology or cyber security incident being defined as a ‘an incident that has an impact, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information’.

The updated Advisory requires that a technology or cyber security incident be reported to OSFI in writing within 24 hours, or sooner, if possible, compared to the previous requirement to report such incident “as promptly as possible, but no later than 72 hours”.

The updated Advisory also expands the list of characteristics that a technological or cyber security incident should meet in order to be reported to OSFI.

An incident should have one or more the following characteristics:

  • Impact has potential consequences to other FRFIs or the Canadian financial system;

  • Impact to FRFI systems affecting financial market settlement, confirmations or payments

  • Impact to FRFI operations, infrastructure, data and/or systems, including but not limited to the confidentiality, integrity or availability of customer information

  • Disruptions to business systems and/or operations, including but not limited to utility or data centre outages or loss or degradation of connectivity

  • Operational impact to key/critical systems, infrastructure or data

  • Disaster recovery teams or plans have been activated or a disaster declaration has been made by a third-party vendor that impacts the FRFI

  • Operational impact to internal users, and that poses an impact to external customers or business operations

  • Number of external customers impacted is growing; negative reputational impact is imminent (e.g., public and/or media disclosure)

  • Impact to a third party affecting the FRFI

  • A FRFI’s technology or cyber incident management team or protocols have been activated

  • An incident that has been reported to the Board of Directors or Senior/Executive Management

  • A FRFI incident has been reported to the Office of the Privacy Commissioner, another federal government department (e.g., the Canadian Center for Cyber Security), other local or foreign supervisory or regulatory organizations or agencies etc.

  • An incident assessed by a FRFI to be of a high or critical severity, level or rank

  • Priority/Severity/Tier 1 or 2 based on the FRFI’s internal assessment

  • Technology or cyber security incidents that breach internal risk appetite or thresholds

  • For incidents that do not align with or contain the specific criteria listed above, or when a FRFI is uncertain, notification to OSFI is encouraged as a precaution.

The Advisory does not include OSFI’s expectations for an incident management framework.

Recent Posts

See All

Product Corner - VAs : Quèsaco

Virtual Assets (VAs) or crypto assets refer to : “any digital representation of value that can be digitally traded, transferred or used for payment. It does not include digital representation of fiat

Upcoming Regulatory Deadlines to Watch

10 Aug 2023 - Deadline to submit comments to FCA Guidance Consultation (GC23/1) on crypto asset financial promotions. 5 Sep 2023 - Effective date of SEC Cybersecurity Risk Management, Strategy, Govern


bottom of page