On August 13, the Office of the Superintendent of Financial Institutions (OSFI) released its updated Advisory on how federally regulated financial institutions (FRFIs), that is, federally regulated banks, insurance companies and credit unions, should disclose and report technology and cyber security incidents.
A technology or cyber security incident is defined as ‘an incident that has an impact, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information’.
The updated Advisory requires that a technology or cyber security incident be reported to OSFI in writing within 24 hours, or sooner if possible. The previous requirement was to report such incidents “as promptly as possible, but no later than 72 hours”.
The updated Advisory also expands the list of characteristics that make a technology or cyber security incident reportable to OSFI.
An incident should have one or more of the following characteristics:
Impact has potential consequences to other FRFIs or the Canadian financial system
Impact to FRFI systems affecting financial market settlement, confirmations or payments
Impact to FRFI operations, infrastructure, data and/or systems, including but not limited to the confidentiality, integrity or availability of customer information
Disruptions to business systems and/or operations, including but not limited to utility or data centre outages or loss or degradation of connectivity
Operational impact to key/critical systems, infrastructure or data
Disaster recovery teams or plans have been activated or a disaster declaration has been made by a third-party vendor that impacts the FRFI
Operational impact to internal users that also affects external customers or business operations
Number of external customers impacted is growing; negative reputational impact is imminent (e.g., public and/or media disclosure)
Impact to a third party affecting the FRFI
A FRFI’s technology or cyber incident management team or protocols have been activated
An incident that has been reported to the Board of Directors or Senior/Executive Management
A FRFI incident has been reported to the Office of the Privacy Commissioner, another federal government department (e.g., the Canadian Centre for Cyber Security), or other local or foreign supervisory or regulatory organizations or agencies
An incident assessed by a FRFI to be of a high or critical severity, level or rank
Priority/Severity/Tier 1 or 2 based on the FRFI’s internal assessment
Technology or cyber security incidents that breach internal risk appetite or thresholds
For incidents that do not clearly meet any of the criteria listed above, or where a FRFI is uncertain whether they do, notifying OSFI as a precaution is encouraged.
The Advisory does not include OSFI’s expectations for an incident management framework.