Blog

Technology and Cybersecurity Incident Reporting: New Guidance from OSFI

January 31, 2019

Written by Ruth E. Promislow and Katherine Rusk

The Office of the Superintendent of Financial Institutions (OSFI) has just published an advisory letter for federally regulated financial institutions (FRFIs). The advisory sets out OSFI's expectations for FRFI cybersecurity incident reporting, gives examples of incidents that should be reported to OSFI, and specifies what must be reported, to whom, and within what timeframe. It becomes effective March 31, 2019.

What Is a Technology or Cybersecurity Incident?

For the purpose of the advisory, a technology or cybersecurity incident is defined "to have the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information."

When Does a Technology or Cybersecurity Incident Have to Be Reported to OSFI?

The following characteristics may make an incident reportable:

  • Significant operational impact to key/critical information systems or data;
  • Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
  • Significant operational impact to internal users that is material to customers or business operations;
  • Significant levels of system / service disruptions;
  • Extended disruptions to critical business systems/operations;
  • Number of external customers impacted is significant or growing;
  • Negative reputational impact is imminent (e.g., public/media disclosure);
  • Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
  • Significant impact to a third party deemed material to the FRFI;
  • Material consequences to other FRFIs or the Canadian financial system;
  • An FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.

Some examples of reportable incidents include:

  • Account takeover botnet targeting online services using new techniques; current defences are failing to prevent customer account compromise;
  • Technology failure at data centre;
  • A material third party is breached; or
  • FRFI has received an extortion message threatening to perpetrate a cyber attack.

How, What, and When Must an FRFI Report?

An FRFI must notify its Lead Supervisor and TRD@osfi-bsif.gc.ca as promptly as possible, but no later than 72 hours after determining that an incident is reportable.

The advisory sets out a list of specific information that must be included in the initial report, such as a description of the incident that covers the date and time, type, severity, direct and indirect impacts, origination, number of clients impacted, root cause, current status, and mitigation steps taken.

OSFI also expects FRFIs to provide regular updates as new information becomes available, and until all material details about the incident have been provided. Finally, the FRFI will also need to send a post-incident review and "lessons learned" report to OSFI after the incident is closed.

Pre-Incident Preparations

FRFIs should incorporate the requirements of the advisory into their Incident Response Plan. Testing how the organization would react to a reportable incident (through a tabletop exercise or other simulation) is a key component of ensuring that, when an attack happens, the FRFI is ready to comply with its obligations. In advance of an attack, FRFIs should also consider how the reporting obligations under this advisory may interact with other regulatory reporting and notification obligations.

If you would like further information or advice in respect of this advisory, or in respect of other cybersecurity matters, please contact Ruth Promislow or Kate Rusk.

© Bennett Jones LLP 2021. All rights reserved. Bennett Jones refers collectively to the Canadian legal practice of Bennett Jones LLP and the international legal practices and consulting activities of various entities which are associated with Bennett Jones LLP