The Office of the Superintendent of Financial Institutions (OSFI) has announced a public consultation on Draft Guideline B‑13: Technology and Cyber Risk Management. When finalized, B-13 will join OSFI's existing cyber security-related guidelines and tools, which include Guidelines E‑21 (Operational Risk Management), B‑10 (Outsourcing of Business Activities, Functions and Processes), its Technology and Cyber Security Incident Reporting Advisory, and its Cyber Security Self-Assessment tool.
OSFI's consultation process is just one of a number of recent developments concerning the regulation of cyber risk for financial institutions in North America. This article briefly reviews these recent developments.
OSFI's guideline B-13
B-13 builds on feedback received about its 2020 Technology and Related Risks discussion paper. That feedback focused on, among other things, the need for a "principles-based, technology-neutral approach" to guidance in this area, as well as varying opinions about the sufficiency of OSFI's existing tools, and the propriety of OSFI offering guidance at all on data-related risks.
The Draft Guideline applies to all federally regulated financial institutions (FRFIs). While OSFI's previous guidance and tools focused on self-assessment and mandatory incident reporting, B-13 outlines detailed expectations for FRFIs with respect to five "domains" for the management of cyber risk:
- Governance and Risk Management
- Technology Operations
- Cyber Security
- Third-Party Provider Technology and Cyber Risk
- Technology Resilience
The guidance covers numerous subtopics in a degree of detail that defies brief summarization, and FRFIs will need to study them in detail. Broadly speaking, the guidance accords with well-established principles and practices for cyber risk and incident response management that are as applicable to any other sector as to financial services.
Senior management should take note that B-13 holds it accountable for its FRFI's cyber risk preparedness, and requires FRFIs to "assign clear responsibility for technology and cyber risk governance to senior officers," setting out specific roles for such officers, and requiring that those roles be given "appropriate stature and visibility throughout the institution." Senior management must include "persons with sufficient understanding of technology and cyber risks," and ensure that the FRFI's organizational structure provides for "adequate people and financial resources, and appropriate subject-matter expertise and training" to deal with cyber risk. There are no exceptions for smaller institutions, so FRFIs that have considered themselves too small to warrant such formal structural changes and allocations of resources should reassess their current arrangements.
Case law with respect to data breaches is in the early stages of development in Canada. FRFIs should be prepared for the likelihood that courts and privacy regulators assessing an institution's preparedness for and response to a data breach incident will look to B-13 in its final form as a yardstick against which to measure the reasonableness of the institution's conduct, and the standard of care to which it should be held.
The public consultation ends February 9, 2022. Stakeholders wishing to comment on Draft Guideline B-13 may submit their comments by email to [email protected].
The return of Bill C-11?
With the re-election of the federal Liberals to power this past September, many commentators expect Bill C-11, the proposed update of federal privacy laws, to return in some form or another. When last seen, C-11 would have significantly overhauled the Personal Information Protection and Electronic Documents Act, the federal privacy law governing the commercial collection and use of personally identifiable information by (among other organizations) federally regulated businesses, including banks. If passed in a form similar to the version that died on the Order Paper when the election was called, the Bill would bring Canada into closer alignment with strict European data protection laws (in some respects), grant order-making powers to the Privacy Commissioner (who currently lacks them), and impose greater financial penalties for non-compliance. Canadian banks should expect to see the re-emergence of this legislation in the new year. The new bill will raise the stakes for organizations that fail to adequately protect their customers and suffer successful cyber attacks.
New rules for American financial institutions
It has been a busy few weeks for US financial services regulators as well. The US Federal Trade Commission (FTC) issued a Final Rule to amend its Standards for Safeguarding Customer Information in late October. The Rule requires non-bank financial institutions (including mortgage brokers and payday lenders) to "develop, implement, and maintain a comprehensive security system to keep their customers' information safe." Such institutions will need to:
- Comply with more detailed criteria for safeguards on data, such as limiting access to such data, and using encryption to protect it;
- Provide more detailed information concerning the safeguards they apply to the systems they "use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers' secure information"; and
- Designate individuals (one per institution) to oversee their data security program and report to the institution's board of directors or a designated senior officer.
The FTC also requested public comment on amending its Standards for Safeguarding Customer Information to require institutions to report any "security event" involving the data of at least 1,000 customers that has occurred "or is reasonably likely" to have occurred.
Meanwhile, new rules are already in place for American banks. On November 17, the Office of the Comptroller of the Currency, the US Treasury, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation issued a "final rule" imposing new data breach notification and reporting requirements for such banks. The rule requires that:
- A bank notify its "primary Federal regulator" of any "computer-security incident" that constitutes a "notification incident" no later than 36 hours after the bank has determined such an incident has taken place;
- Third-party vendors providing certain services to a bank notify the bank when a "computer-security incident" has "materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours."
As the onslaught of successful and attempted cyber attacks on large organizations and critical infrastructure continues, financial institutions should expect increasingly stringent and prescriptive guidance from their regulators. Regulators in different countries appear to be inching toward consensus on what a robust cyber security posture looks like for financial institutions. It will be interesting to see whether Canadian regulators lead or follow in these efforts.