The Office of the Superintendent of Financial Institutions (OSFI) just published an advisory letter for federally regulated financial institutions (FRFIs). The advisory sets out OSFI's expectations for FRFI cybersecurity incident reporting, gives examples of incidents that should be reported to OSFI, and sets out reporting requirements. It will become effective March 31, 2019.

What Is a Technology or Cybersecurity Incident?

For the purpose of the advisory, a technology or cybersecurity incident is defined "to have the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information."

When Does a Technology or Cybersecurity Incident Have to Be Reported to OSFI?

The following characteristics may make an incident reportable:

  • Significant operational impact to key/critical information systems or data;
  • Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
  • Significant operational impact to internal users that is material to customers or business operations;
  • Significant levels of system / service disruptions;
  • Extended disruptions to critical business systems/operations;
  • Number of external customers impacted is significant or growing;
  • Negative reputational impact is imminent (e.g., public/media disclosure);
  • Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
  • Significant impact to a third party deemed material to the FRFI;
  • Material consequences to other FRFIs or the Canadian financial system;
  • An FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.

Some examples of reportable incidents include:

  • Account takeover botnet targeting online services using new techniques; current defences are failing to prevent customer account compromise;
  • Technology failure at data centre;
  • A material third party is breached; or
  • FRFI has received an extortion message threatening to perpetrate a cyber attack.

How, What, and When Must an FRFI Report?

An FRFI must notify its Lead Supervisor as promptly as possible, but no later than 72 hours after determining that an incident is reportable.

The advisory sets out a list of specific information that must be included in the initial report, such as a description of the incident that covers the date and time, type, severity, direct and indirect impacts, origination, number of clients impacted, root cause, current status, and mitigation steps taken.

OSFI also expects FRFIs to provide regular updates as new information becomes available, and until all material details about the incident have been provided. Finally, the FRFI will also need to send a post-incident review and "lessons learned" report to OSFI after the incident is closed.

Pre-Incident Preparations

FRFIs should incorporate the requirements of the advisory into their Incident Response Plan. Testing how the organization would react to a reportable incident (through a tabletop exercise or other simulation) is a key component of ensuring that, when an attack happens, the FRFI is ready to comply with its obligations. In advance of an attack, FRFIs should also consider how the reporting obligations under this advisory may interact with other regulatory reporting and notification obligations.