New guidance from OSFI on technology and cybersecurity incident reporting
Cyber security continues to be a chief concern for Canadian regulators.
On January 24, 2019, the Office of the Superintendent of Financial Institutions (“OSFI”) published the Technology and Cybersecurity Incident Reporting Advisory, which will apply to all federally regulated financial institutions (“FRFIs”) starting on March 31, 2019.
The Advisory is part of OSFI’s commitment to enhance cyber security at Canadian financial institutions as set out in its 2018-19 Departmental Plan. It is also a companion to OSFI’s Cyber Security Self-Assessment Guidance on incident prevention and management released back in 2013.
Stricter reporting requirements for cyber security incidents
The Advisory defines a technology or cyber security incident as an incident that has “the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information”.
A FRFI that flags a technology or cyber security incident of a “high or critical severity level” must submit an initial written report to both its OSFI Lead Supervisor and OSFI’s Technology Risk Division by email within 72 hours.
According to the Advisory, incidents of a “high or critical severity level” may have any of the following characteristics:
- significant operational impact to key/critical information systems or data;
- material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
- significant operational impact to internal users that is material to customers or business operations;
- significant levels of system/service disruptions;
- extended disruptions to critical business systems/operations;
- number of external customers impacted is significant or growing;
- negative reputational impact is imminent (e.g. public/media disclosure);
- material impact to critical deadlines/obligations in financial market settlement or payment systems;
- significant impact to a third party deemed material to the FRFI;
- material consequences to other FRFIs or the Canadian financial system;
- a FRFI incident that has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.
Cyber attacks, service availability incidents, third-party breaches and extortion threats are all mentioned as examples of reportable incidents.
The Advisory also imposes subsequent reporting obligations, including short-term and long-term remediation plans and reporting on post-incident reviews and lessons learned.
Push towards stronger data protection measures
OSFI’s advisory reflects federal regulators’ continued focus on cyber security and data protection. Just over three months ago, new notification and record keeping requirements for data breaches were rolled out under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and apply to all private sector organizations that experience a security breach involving personal information under their control.
OSFI’s new reporting obligations are potentially broader than those under PIPEDA: they apply regardless of whether an incident involved personal information. For instance, a temporary failure of a critical online system that does not result in unauthorized access to personal information would still need to be reported to OSFI. Such an incident would likely not meet PIPEDA’s threshold for reporting or record keeping.
With the Advisory taking effect on March 31, FRFIs should be making arrangements to improve their systems, policies and procedures, and to train personnel, so that they comply with OSFI’s new expectations.
FRFIs should also review third party contracts with service providers to ensure that those providers comply with the detailed notification requirements and the 72-hour initial reporting window.
OSFI’s Cyber Security Self-Assessment Guidance is a good starting place for FRFIs to assess their cyber security maturity and make necessary improvements.