Technology and Cybersecurity Incident Reporting

Written by Michael Whitt Q.C.

The Office of the Superintendent of Financial Institutions (OSFI) Canada has published an Advisory of application to all federally regulated financial institutions (FRFI) setting out the expectations of the regulator with respect to “incident reporting requirement”, and points to a prior 2013 guidance document on OSFI’s Cyber Security Self-Assessment.

A technology or cybersecurity incident is defined as an incident which has the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of the FRFI’s systems and information. When such an incident occurs, and has a high or critical severity level, the incident should be reported to OSFI within 72 hours of a good faith determination that the incident has met these thresholds.

The Advisory lays out a framework for the details to be included in the initial and subsequent reporting to OSFI, and guidance on how incidents should be characterized.