
OSFI Issues Stricter Reporting Requirements for Technology and Cybersecurity Incidents

By Ellie Marshall, Ora Morison and Sam Mitchell (Articling Student)
August 20, 2021

On August 13, 2021, the Office of the Superintendent of Financial Institutions (OSFI) issued a new advisory on Technology and Cyber Security Incident Reporting (2021 Advisory). The 2021 Advisory replaces OSFI’s guidance from 2019 (2019 Advisory) on how and when federally regulated financial institutions (FRFIs) are required to notify OSFI about technology or cybersecurity incidents.

The 2021 Advisory defines a technology or cybersecurity incident as an incident that has an impact, or the potential to have an impact, on the operations of an FRFI, including its confidentiality, integrity or the availability of its systems and information. Whether a technology or cybersecurity incident must be reported to OSFI depends on the FRFI’s determination of whether the incident meets OSFI’s criteria for reporting.

In general, the 2021 Advisory significantly broadens the scope of reportable incidents from those with “material” or “significant operational” impact (the reporting threshold under the 2019 Advisory) to now include incidents with any impact to operations. For instance, under the 2021 Advisory, an FRFI must report all incidents where its technology or cyber incident protocols are activated or where the incident has been reported to the board.

REPORTABLE INCIDENTS

The 2021 Advisory emphasizes that a reportable incident may have “any one or more” characteristics from OSFI’s updated list. FRFIs are expected to define priority and severity levels within their incident management frameworks. If they are in doubt about whether to report an incident, they should consult their OSFI lead supervisor.

The updated characteristics of a reportable incident are as follows:

  • Potential consequences to other FRFIs or the Canadian financial system

  • Impact to FRFI systems affecting financial market settlement, confirmations or payments (such as financial market infrastructure), or impact to payment services

  • Impact to FRFI operations, infrastructure, data and/or systems, including but not limited to the confidentiality, integrity or availability of customer information

  • Disruptions to business systems and/or operations, including but not limited to utility or data centre outages or loss or degradation of connectivity

  • Operational impact to key/critical systems, infrastructure or data

  • Activation of disaster recovery teams or plans, or disaster declaration made by a third-party vendor that impacts the FRFI

  • Operational impact to internal users and potential impact to external customers or business operations

  • Increase in number of external customers impacted; negative reputational impact imminent (such as public and/or media disclosure)

  • Impact to a third party affecting the FRFI

  • Activation of an FRFI's technology or cyber incident management team or protocols

  • An incident reported to the board of directors or senior/executive management

  • An FRFI incident reported to:

    • The Office of the Privacy Commissioner

    • Another federal government department (such as the Canadian Centre for Cyber Security)

    • Other local or foreign supervisory or regulatory organizations or agencies

    • Any law enforcement agencies

    • Internal or external counsel

  • Initiation of an FRFI cyber-incident insurance claim

  • An incident assessed by an FRFI to be of a high or critical severity, level or ranked priority/severity/tier one or two based on the FRFI's internal assessment, or

  • Incidents that breach internal risk appetite or thresholds

Like the previous guidance, the 2021 Advisory includes a non-exhaustive list of examples of reportable incidents.
 
If an FRFI is uncertain whether to report an incident, or where an incident does not align with or contain the above specific criteria, the 2021 Advisory encourages notification as a precaution.

REPORTING GUIDELINES

Under the 2021 Advisory, a reportable incident must be reported within 24 hours, or sooner if possible, whereas the 2019 Advisory required a response within 72 hours or sooner. Such a report must be in writing and made to OSFI’s Technology Risk Division and the FRFI’s lead supervisor using the new reporting form template.

The guidance relating to subsequent reporting has not changed since the 2019 Advisory. OSFI expects updates on the incident to be provided as new information becomes available. After the incident is contained, a post-incident review and lessons learned should follow.

CONSEQUENCES OF FAILING TO REPORT

The 2021 Advisory also contains new guidance on the consequences of failing to report an incident. These may include increased supervisory oversight by way of enhanced monitoring, watch-listing or staging of the FRFI according to OSFI’s formal supervisory intervention process to identify and mitigate risks associated with an FRFI.

For further information, please contact:

Ellie Marshall                416-863-3053
Ora Morison                  416-863-2712

or any member of our Cybersecurity or Financial Services Regulatory groups.