On January 24, 2019, the Office of the Superintendent of Financial Institutions (OSFI) issued an Advisory on Technology and Cyber Security Incident Reporting.
The Advisory sets out OSFI's expectations for reporting technological and cyber security incidents. These expectations apply to all federally regulated financial institutions (FRFIs) – including banks, federal trust companies and insurance companies.
The Advisory reflects the fact that OSFI is very focussed on technological and cyber security issues. Advancements in information technology and digitization make this an increasingly significant area of risk. OSFI clearly wants to be kept very informed of material incidents. OSFI expects to receive an initial notification, including significant details, within 72 hours, and to receive frequent updates after that until the incident is resolved. Note that while the Advisory addresses reporting requirements, it does not address OSFI's expectations for an incident management framework.
The Advisory comes into effect on March 31, 2019 and will supersede any prior instructions for technology and cyber security incident reporting. In the meantime, FRFIs are expected to continue reporting any major incidents in accordance with previous instructions communicated to them.
Criteria for Reporting
The Advisory states that Technology or Cyber Security Incidents assessed by a FRFI to be of a high or critical severity level should be reported to OSFI. Incident materiality should be defined in a FRFI's incident management framework.
The Advisory lists characteristics that a reportable incident may have, including the following
- Significant operational impact to key/critical information systems or data;
- Material impact to FRFI operational or customer data;
- Significant levels of system/service disruptions;
- Extended disruptions to critical business systems/operations;
- Number of external customers impacted is significant or growing;
- Negative reputational impact is imminent;
- Material impact to critical deadlines/obligations in financial market settlement or payment systems;
- Material consequences to other FRFIs or the Canadian financial system and;
- The incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.
The Advisory also contains an Appendix that provides examples of reportable incidents (cyber-attack, service availability and recovery, third party breach and extortion threat).
Initial Notification Requirements
A FRFI must notify OSFI after determining a Technology or Cyber Security Incident meeting the characteristics set out in the Advisory has occurred as promptly as possible, and within 72 hours. This report is to include significant details, including the following:
• Date and time the incident was assessed to be material;
• Date and time/period the incident took place;
• Incident severity;
• Incident type;
• Incident description, including:
• known direct/indirect impacts including privacy and financial;
• known impact to one or more business segment, business unit, line of business or regions, including any third party involved;
• whether incident originated at a third party, or has impact on third party services, and
• the number of clients impacted.
• Current status of incident;
• Date for internal incident escalation to senior management or Board of Directors;
• Mitigation actions taken or planned; and
• Known or suspected root cause.
Subsequent Reporting Requirements
OSFI expects FRFIs to provide regular (e.g., daily) updates as new information becomes available. OSFI expects to receive updates, including any short term and long term remediation actions and plans, until the incident is contained/resolved.
OSFI ultimately expects to receive a report on the FRFI's post incident review and lessons learned.