Technology and Cybersecurity Incident Reporting
Written By Michael Whitt Q.C.
The Office of the Superintendent of Financial Institutions (OSFI) Canada has published an Advisory of application to all federally regulated financial institutions (FRFI) setting out the expectations of the regulator with respect to “incident reporting requirement”, and points to a prior 2013 guidance document on OSFI’s Cyber Security Self-Assessment.
A technology or cybersecurity incident is defined as an incident which has the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of the FRFI’s systems and information. When such an incident occurs, and has a high or critical severity level, the incident should be reported to OSFI within 72 hours of a good faith determination that the incident has met these thresholds.
The Advisory lays out a framework for the details to be included in the initial and subsequent reporting to OSFI, and guidance on how incidents should be characterized.
Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs.
For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.
Bennett Jones