The Office of the Superintendent of Financial Institutions (“OSFI”) released a new Advisory on Technology and Cyber Security Incident Reporting, effective August 13, 2021 (the “Advisory”) which seeks to govern how federally-regulated financial institutions (“FRFIs”) should disclose and report technology and cybersecurity incidents. The Advisory replaces its January 2019 predecessor, on which we have previously commented. The requirements are in addition to any potential privacy breach reporting requirements that institutions may be subject to under the federal Personal Information Protection & Electronic Documents Act (“PIPEDA”) or provincial privacy legislation such as Alberta’s Personal Information Protection Act.

An Increased Role for OSFI?

According to OSFI, the purpose of the current Advisory is to provide a “coordinated and integrated approach to OSFI’s awareness of, and response to, technology and cyber security incidents” at FRFIs, indicating a more pronounced role for OSFI in addressing cyber preparedness. While the Advisory sets out OSFI’s current incident reporting requirements in detail, it is noteworthy that OSFI does not specify any explicit expectations in relation to what an incident management framework should look like. Accordingly, each FRFI appears to have some degree of discretion as to how to structure its own framework, provided that the reporting requirements prescribed by the Advisory are met.

Changes to Mandatory Incident Reporting Requirements

There have been significant changes to the reporting requirements such that reporting is likely to occur more promptly and with greater frequency where a cybersecurity incident transpires.

Reports to be Provided Within 24h

Firstly, the Advisory requires FRFIs to report a technology or cyber security incident to OSFI’s Technology Risk Division and their Lead Superior at OSFI within 24 hours, or sooner if possible. This timeline has been shortened from the previous 72-hour window. OSFI recognizes that the shortened timeline will likely mean that information requested remains unavailable and provides guidance for how to report such initial information accordingly. It also includes subsequent reporting requirements as new information becomes available.

Reporting Form

Incidents must be reported using a new Incident Reporting and Resolution form, shown in Appendix II of the Advisory. The form serves as a more streamlined process from the former advisory which solely outlined the expected details of a response.

More Extensive Reporting Criteria

The Advisory’s criteria for reporting is more extensive, which will result in more incidents being reported. Under the Advisory, a reportable incident may have a number of characteristics including any one or more of the following:

  • Impact on other FRFIs or the financial system;
  • Impact to payment services;
  • Impact to operations, infrastructure, data and/or systems;
  • Operational impact to internal users and external customers;
  • Reputational impact;
  • Disaster recovery, technology or cyber-incident management protocols have been activated by the FRFI or third-party vendors;
  • Reported to all or a combination of the following:
    • the Office of the Privacy Commissioner and/or other local or foreign regulatory agencies;
    • the Board of Directors and/or Senior/Executive Management;
    • another federal government department; or
    • any law enforcement agencies.
  • Initiation of a cyber-insurance claim;
  • Assessment by a FRFI to be of a high or critical severity, level or ranked Priority/Severity/Tier 1 or 2; or
  • Breach of internal risk appetites or thresholds.

For incidents that do not align with or contain the specific criteria listed above, or when a FRFI is uncertain, notification to OSFI is encouraged as a precaution.

For a complete list, see “Criteria for Reporting” in the Advisory

To exemplify reportable incidents, Appendix I of the Advisory sets out a series of examples to aid FRFI’s assess their reporting obligations and notes that, when in doubt about whether to report, FRFIs should consult their Lead Supervisor.

Consequences of Failure to Report

Should an FRFI fail to report a technology or cybersecurity incident, the Advisory provides that the FRFI will be subject to increased supervisory oversight which might include enhanced monitoring activities, watch-listing or staging of the FRFI.

What Does this Mean for FRFIs?

FRFIs are encouraged to: (i) use the updated OSFI Cyber Security Self-Assessment to assess their current level of cyber preparedness and work to develop and maintain effective cyber security practices; and (ii) update their incident response policies and procedures to align with the current Advisory. The foregoing should be done in addition to ensuring compliance with the latest reporting obligations upon the occurrence of a technology or cyber security incident.