On January 24, 2019, the Office of the Superintendent of Financial Institutions (OSFI) published the Technology and Cybersecurity Incident Reporting Advisory (Advisory) applicable to all federally regulated financial institutions (FRFIs). The Advisory creates new incident reporting obligations for FRFIs and is effective as of March 31, 2019. Service providers to FRFIs should also familiarize themselves with FRFIs’ obligations under the Advisory, as they may be contractually required by FRFIs to assist with those obligations.
OSFI has identified cybersecurity as a key risk that is increasing as FRFIs continue to rely on technology. OSFI completed a cybersecurity cross-sector review at select FRFIs during the 2017-18 fiscal year, assessing responses to a severe but plausible scenario involving a cyber breach at a third party. OSFI has also been assessing its own ability to respond to cybersecurity risks, noting in its 2017-18 Departmental Results Report that there is a risk that OSFI may not respond effectively to cyber threats to Canadian FRFIs. At the same time, OSFI is rethinking its role in the management of cyber risk by financial institutions in light of the Government of Canada’s plan to create the Canadian Centre for Cyber Security. This is noted in its 2018-19 Departmental Plan, the Annual Report 2017-2018 and the OSFI 2017-2020 Priorities, specifically Priority B, “Strengthen our ability to anticipate and respond to severe but plausible risks to the Canadian financial system”, where OSFI stated it would re-examine its role in, and approach to, enhancing cybersecurity at Canadian financial institutions.
The Advisory outlines FRFIs’ obligation to report technology or cybersecurity incidents to OSFI. The Advisory should be read in conjunction with OSFI’s 2013 Cyber Security Self-Assessment Guidance on incident prevention and management.
The Advisory explains that the reporting requirement is intended to assist the broader financial industry in identifying areas of proactive prevention and/or improved resilience in the event of an incident. Put differently, the reporting requirement serves a dual role: (i) to support OSFI’s oversight obligations and (ii) to collect information on evolving risks, threats and best practices, which tie into its priorities identified above.
INCIDENT REPORTING REQUIREMENTS
The Advisory requires FRFIs to report certain technology or cybersecurity incidents to OSFI, which are defined as having the ability to “materially impact the normal operations of an FRFI, including confidentiality, integrity or availability of its systems and information.”
An incident should be reported to OSFI if it is assessed as having a “high or critical severity level.” The responsibility to assess an incident’s severity level rests with the FRFI, though FRFIs should consult with their OSFI Lead Supervisor when in doubt about an incident’s materiality or severity.
The Advisory provides a non-exhaustive list of examples of reportable incidents (set out in Appendix A) and their characteristics, including:
- Significant operational impact to internal users that is material to customers or business operations
- Extended disruptions to critical business systems/operations
- Number of external customers impacted is significant or growing
- Material impact to critical deadlines/obligations in financial market settlement or payment systems (such as Financial Market Infrastructure)
- Significant impact to a third party deemed material to the FRFI
- Material consequences to other FRFIs or the Canadian financial system
- An FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.
REPORT TO OSFI
The Advisory provides that a highly or critically severe incident be initially reported to OSFI as promptly as possible, but no later than 72 hours after the FRFI determines that the incident is reportable. The FRFI is also expected to notify the Lead Supervisor and OSFI’s Technology Risk Division in writing. The report submitted by the FRFI should include:
- Date and time the incident was assessed to be material
- Date and time/period the incident took place
- Incident severity and type (such as DDoS, malware, data breach, extortion), and known or suspected root cause
- Incident description, including:
  - Known impacts (direct or indirect, quantifiable and non-quantifiable), including privacy and financial
  - Known impact to business segments, units, lines of business or regions, including any third party
  - Whether the incident originated at a third party, or has had an impact on third party services
  - Number of clients impacted
- Primary method used to identify the incident
- Date for internal incident escalation to senior management or the board
- Mitigation actions taken or planned
- Name and contact information for the FRFI liaison with OSFI.
Where FRFIs do not have complete information at the time of the initial report, they are expected to provide best estimates and all other details available at the time. Not surprisingly, FRFIs are also expected to provide continuing reports and situation updates throughout the duration of the incident, staying in regular contact with their Lead Supervisor until the incident is contained or resolved. Following the resolution of the incident, FRFIs are expected to report to OSFI on their post-incident review, outlining lessons learned.
FRFIs should take this opportunity to review, and possibly revise, their incident response plans and protocols so that they align with OSFI’s expectations, including their Incident Management Framework, which should be updated to facilitate the timely and consistent assessment and reporting of incidents.
Additionally, FRFIs should review agreements with service providers who have access to FRFI data or systems or whose services are operationally important, to ensure that all incidents—regardless of severity—are reported to the FRFI in a timely manner.
Finally, it is noteworthy that the reporting obligations under the Advisory apply regardless of whether the incident involved personal information, and are therefore potentially broader than the mandatory notification and record keeping requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA) that came into effect on November 1, 2018. As an example, a technology failure that results in the inaccessibility of a critical online system, but that does not result in any loss or other unauthorized processing of personal information, would need to be reported to OSFI, but would likely not meet the threshold for reporting or record keeping under PIPEDA.