On January 24, 2019, the Office of the Superintendent of Financial Institutions (OSFI) issued an Advisory setting out OSFI’s expectations for federally regulated financial institutions regarding the prompt (within 72 hours) reporting of “high or critical severity” technology and cybersecurity incidents. The Advisory will be effective on March 31, 2019.

OSFI and Cybersecurity

OSFI is an independent Canadian federal government agency that regulates and supervises federally regulated financial institutions (FRFIs), including all banks in Canada and all federally incorporated or registered trust and loan companies, insurance companies, cooperative credit associations, fraternal benefit societies and private pension plans subject to federal oversight.

Over the past few years, OSFI has emphasized the importance of cybersecurity and issued guidance to help FRFIs implement appropriate policies and practices to manage cyber risks and effectively respond to cyber incidents. OSFI’s Cyber Security Self-Assessment Guidance (2013) explains that a FRFI’s senior management should regularly review the FRFI’s cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks, and that a FRFI’s board of directors (or board committee) should regularly review and discuss the FRFI’s cyber risk management practices. The Guidance includes a detailed questionnaire focusing on six key issues: (1) organization and resources; (2) cyber risk and control assessment; (3) situational awareness; (4) threat and vulnerability risk management; (5) cybersecurity incident management; and (6) cybersecurity governance. For more information, see the BLG bulletins Regulatory Guidance for Cyber Risk Self-Assessment (2013) and Cyber-Risk Management Guidance from Financial Institution Regulators (2015).

OSFI’s 2018-19 Departmental Plan explains that OSFI intends to re-examine “OSFI’s role in, and approach to, enhancing cyber security at Canadian financial institutions” and to assess its options for “overseeing the management of cyber risk by financial institutions”.

The Advisory

OSFI’s Advisory on Technology and Cyber Security Incident Reporting applies to all FRFIs, and sets out OSFI’s expectations for FRFIs regarding the reporting of “Technology and Cyber Security Incidents” affecting FRFI operations. The Advisory will be effective on March 31, 2019, and will supersede all prior instructions from OSFI for technology and cybersecurity incident reporting. The Advisory does not supersede OSFI’s Cyber Security Self-Assessment Guidance.

Key Definition — Technology or Cyber Security Incident

The Advisory defines “Technology or Cyber Security Incident” as an incident that has “the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information”. The Advisory explains that “materiality” should be defined by the FRFI in its “incident management framework”, which are a required set of policies/procedures detailed in OSFI’s Cyber Security Self-Assessment Guidance. The Advisory explains that a FRFI should consult its OSFI Lead Supervisor if the FRFI is in doubt about the materiality of an incident.

Criteria for Reporting

The reporting requirements set out in the Advisory apply to Technology or Cyber Security Incidents assessed by a FRFI to be of a “high or critical severity level”. The Advisory does not define “high or critical severity”, but explains that a reportable incident may have any of the following characteristics:

  • Significant operational impact to key/critical information systems or data.
  • Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data.
  • Significant operational impact to internal users that is material to customers or business operations.
  • Significant levels of system/service disruptions.
  • Extended disruptions to critical business systems/operations.
  • Number of external customers impacted is significant or growing.
  • Negative reputational impact is imminent (e.g. public/media disclosure).
  • Material impact to critical deadlines/obligations in financial market settlement or payment systems.
  • Significant impact to a third party deemed material to the FRFI.
  • Material consequences to other FRFIs or the Canadian financial system.
  • A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.

The Advisory provides examples of reportable incidents — cyber attack, service availability incident, third- party breach and extortion threat, each with actual or potential material impacts on the FRFI or its customers.

Initial Reporting Requirements

A FRFI must submit an initial written report to both its OSFI Lead Supervisor and OSFI’s Technology Risk Division (by email) as promptly as possible, but no later than 72 hours after determining that a Technology or Cyber Security Incident must be reported.

The initial report must include detailed information (specified in the Advisory) about the incident, to the extent the information is known or best estimated, including: a description of the incident and its impacts (including privacy and financial) on the FRFI, its clients and third parties; the current status of the incident; the date for internal incident escalation to senior management or the board of directors; actions taken or planned to mitigate the incident; the known or suspected root cause of the incident; and the name and contact information for the FRFI incident executive lead and liaison with OSFI.

Subsequent Reporting Requirements

OSFI expects FRFIs to provide subsequent updates on a regular basis (e.g. daily) as new information becomes available and until all relevant details about the incident have been provided to OSFI. OSFI may request that a FRFI change the method and frequency of the updates. OSFI also expects FRFIs to provide situation updates, including short- term and long- term remediation actions and plans, until the incident is contained/resolved. In addition, after incident containment, recovery and closure, OSFI expects the FRFI to report on the FRFI’s post- incident review and lessons learned.

Comment – Preparing For Compliance

The incident reporting obligations set out in the Advisory apply in a much wider range of circumstances than breach reporting and notification obligations under Canadian personal information protection laws, due to the broad definition of “Technology or Cyber Security Incident”. The Advisory indicates that an incident may be reportable if the incident has been reported to the Office of the Privacy Commissioner.

The incident reporting obligations set out in the Advisory are similar to the cybersecurity incident reporting obligations for Canadian investment dealers proposed (but not yet finalized) by the Investment Industry Regulatory Organization of Canada. See BLG bulletin Canadian Investment Industry Regulator Proposes Mandatory Cybersecurity Incident Reporting.

The Advisory will soon come into force. Consequently, FRFIs should now begin assessing and improving their systems, policies and procedures, and designating and training required personnel (both internal employees and external advisors), so that they are able to promptly submit incident reports in compliance with the Advisory. Following are some suggestions:

Authors

Bradley J. Freedman 
BFreedman@blg.com
604.640.4129

François Joli-Coeur 
FJoliCoeur@blg.com
514.954.3144

Expertise

Cybersecurity