On January 24 2019, Canada’s Office of the Superintendent of Financial Institutions (“OSFI”) released an Advisory detailing new requirements for Canadian federally regulated financial institutions (“FRFIs”) to report cyber incidents within 72 hours. FRFIs include banks, trust companies, loan companies, life insurance companies, property and casualty insurance companies, and fraternal benefit societies.
The new reporting requirements become effective on March 31, 2019.
Background – Stricter Requirements for Disclosure
Consistent with OSFI’s current priority to enhance cyber security at financial institutions and reduce risk to the Canadian financial system, the Advisory adds cyber disclosure requirements to OSFI’s prior guidance on cyber incident management (the Cyber Security Self-Assessment Guidance). The Advisory details when FRFIs must disclose cyber incidents to OSFI and the required content of the disclosures.
OSFI’s release of the Advisory comes against the backdrop of its efforts to require FRFIs to address technology and cyber security incidents in a timely and effective manner. OSFI has determined that cyber-incident reporting can identify areas where a FRFI or the industry at large can take steps to proactively prevent cybercrime or to improve FRFI resiliency in cases where a cyber incident has occurred.
Criteria for Cyber Incident Reporting
Pursuant to the Advisory, a FRFI must notify OSFI when the FRFI experiences a technology or cyber security incident of high or critical severity that has the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information. OSFI has left the materiality determination to FRFIs to make consistent with their incident management framework. However, the Advisory provides potential characteristics of reportable incidents:
- Significant operational impact to key/critical information systems or data;
- Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
- Significant operational impact to internal users that is material to customers or business operations;
- Significant levels of system / service disruptions;
- Extended disruptions to critical business systems / operations;
- Significant or growing number of external customers impacted;
- Imminent negative reputational impact;
- Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
- Significant impact to a third party deemed material to the FRFI;
- Material consequences to other FRFIs or the Canadian financial system;
- Reporting of a FRFI incident to the Office of the Privacy Commissioner or local/foreign regulatory authorities.
FRFIs should note that the Advisory imposes more substantial disclosure obligations than those imposed by Canada’s federal privacy law for private-sector organizations generally, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Under PIPEDA, a company must report breaches only when the breach poses a real risk of significant harm to individuals.
Notification and Reporting Requirements
Initial Notice: Once a FRFI determines reporting is required, it must notify its Lead Supervisor and OSFI, in writing, as promptly as possible, but always within 72 hours. The Advisory specifies information that should be contained in the report, including but not limited to, the date and time of the incident, the incident type (i.e., DDoS attack, malware, data breach, extortion), incident severity, a description, and information about escalation to senior management. A complete list of required details is available in the Advisory.
Subsequent Reporting: The Advisory requires regular updates (e.g., daily) as new information becomes available until all materials details have been provided. Updates must include short- and long-term remediation plans and actions. After the incident is contained, a FRFI must report on its post-incident review and lessons learned.
FRFIs should review their incident management framework to determine what modifications will be required to facilitate compliance with the Advisory’s reporting requirements. Such a review should generally include (i) revising existing incident reporting policies to reflect the guidance, (ii) analyzing agreements with third-party service providers with access to the FRFI’s data or systems and notifying them of their obligations under the Advisory, and (iii) training personnel to ensure policies requiring prompt internal reporting are understood and followed.
 Office of the Superintendent of Financial Institutions, 2018-2019 Departmental Plan (2018), http://www.osfi-bsif.gc.ca/Eng/Docs/dp-2018-19.pdf, 3.