• Deborah

On August 13, the Office of the Superintendent of Financial Institutions (OSFI) released its updated Advisory providing guidance on how federally regulated banks, insurance companies, and credit unions, collectively Federally Regulated Financial Institutions (FRFIs), should disclose and report technology and cyber security incidents.

A technology or cyber security incident is defined as ‘an incident that has an impact, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information’.

The updated Advisory requires that a technology or cyber security incident be reported to OSFI in writing within 24 hours, or sooner if possible, compared with the previous requirement to report such an incident “as promptly as possible, but no later than 72 hours”.

The updated Advisory also expands the list of characteristics that a technology or cyber security incident should meet in order to be reported to OSFI.

An incident should have one or more of the following characteristics:

  • Impact has potential consequences to other FRFIs or the Canadian financial system

  • Impact to FRFI systems affecting financial market settlement, confirmations or payments

  • Impact to FRFI operations, infrastructure, data and/or systems, including but not limited to the confidentiality, integrity or availability of customer information

  • Disruptions to business systems and/or operations, including but not limited to utility or data centre outages or loss or degradation of connectivity

  • Operational impact to key/critical systems, infrastructure or data

  • Disaster recovery teams or plans have been activated, or a disaster declaration has been made by a third-party vendor that impacts the FRFI

  • Operational impact to internal users that also poses an impact to external customers or business operations

  • Number of external customers impacted is growing; negative reputational impact is imminent (e.g., public and/or media disclosure)

  • Impact to a third party affecting the FRFI

  • A FRFI’s technology or cyber incident management team or protocols have been activated

  • An incident that has been reported to the Board of Directors or Senior/Executive Management

  • A FRFI incident has been reported to the Office of the Privacy Commissioner, another federal government department (e.g., the Canadian Centre for Cyber Security), or other local or foreign supervisory or regulatory organizations or agencies

  • An incident assessed by a FRFI to be of a high or critical severity, level or rank

  • Priority/Severity/Tier 1 or 2 based on the FRFI’s internal assessment

  • Technology or cyber security incidents that breach internal risk appetite or thresholds

  • For incidents that do not align with or contain the specific criteria listed above, or when a FRFI is uncertain, notification to OSFI is encouraged as a precaution

The Advisory does not include OSFI’s expectations for an incident management framework.
