February 12, 2019 by Jason Contant
Months after Canada’s mandatory data breach notification law came into effect on Nov. 1, 2018, the Office of the Superintendent of Financial Institutions (OSFI) is now providing guidance on when to report cyber incidents to the financial regulator.
In an advisory for supervisors published in late January that will come into effect Mar. 31, OSFI said that a federally-regulated financial institution (FRFI) must notify its lead supervisor “as promptly as possible, but no later than 72 hours after determining a technology or cyber security incident meets the incident characteristics in this advisory.” Among other things, reporting criteria include any of the following:
OSFI defines a technology or cyber security incident as one that has the “potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information.” Incidents assessed to be of “high or critical severity level should be reported to OSFI.” FRFIs include both life and property and casualty insurance companies, as well as deposit-taking institutions such as banks, foreign bank branches, trust and loan companies, and cooperatives.
As well as notifying their lead supervisor, FRFIs are expected to notify OSFI in writing by paper or electronically at TRD@osfi-bsif.gc.ca, the advisory said. The FRFI should provide best-known estimates and other details available at the time; where specific details are unavailable initially, the FRFI should indicate ‘information not yet available.’
Initial notification requirements include the following:
The regulator also expects FRFIs to provide regular updates (daily, for example) as new information becomes available, and until all material details about the incident have been provided. Situation updates – including any short-term and long-term remediation actions and plans – must be provided until the incident is contained or resolved. Following containment, recovery and closure, the FRFI should report to OSFI on its post incident review and lessons learned.
More information, including an appendix with types of attack scenarios and impact, is available at http://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/adv-prv/Pages/TCSIR.aspx.