OSFI provides guidance on reporting cyber incidents

Months after Canada’s mandatory data breach notification law came into effect on Nov. 1, 2018, the Office of the Superintendent of Financial Institutions (OSFI) is now providing guidance on when to report cyber incidents to the financial regulator.

In an advisory for supervisors published in late January that will come into effect Mar. 31, OSFI said that a federally-regulated financial institution (FRFI) must notify its lead supervisor “as promptly as possible, but no later than 72 hours after determining a technology or cyber security incident meets the incident characteristics in this advisory.” Among other things, reporting criteria include any of the following:

• Significant operational impact to key/critical information systems or data
• Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data
• Significant levels of system/service disruptions, or extended disruptions to critical business systems/operations
• Number of external customers impacted is “significant or growing”
• Negative reputational impact is imminent (e.g. public/media disclosure)
• Material impact to critical deadlines/obligations in financial market settlement or payment systems
• Significant impact to a third party deemed material to the FRFI
• Material consequences to other FRFIs or the Canadian financial system.

OSFI defines a technology or cyber security incident as one that has the “potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information.” Incidents assessed to be of “high or critical severity level should be reported to OSFI.” FRFIs include both life and property and casualty insurance companies, as well as deposit-taking institutions such as banks, foreign bank branches, trust and loan companies, and cooperatives.

As well as notifying their lead supervisor, FRFIs are expected to notify OSFI in writing by paper or electronically at TRD@osfi-bsif.gc.ca, the advisory said. The FRFI should provide best-known estimates and other details available at the time; where specific details are unavailable initially, the FRFI should indicate ‘information not yet available.’

Initial notification requirements include the following:

• Date and time the incident was assessed to be material
• Date and time/period the incident took place
• Incident severity
• Incident type (e.g. distributed denied of service attack, malware, data breach, extortion);
• Incident description, including:
  • known direct/indirect impacts (quantifiable and non-quantifiable), including privacy and financial
  • known impact to one or more business segment, business unit, line of business or regions, including any third party involved
  • whether incident originated at a third party, or has impact on third party services,
  • the number of clients impacted.
• Primary method used to identify the incident
• Current status of incident
• Date for internal incident escalation to senior management or board of directors
• Mitigation actions taken or planned
• Known or suspected root cause
• Name and contact information for the FRFI incident executive lead and liaison with OSFI.

The regulator also expects FRFIs to provide regular updates (daily, for example) as new information becomes available, and until all material details about the incident have been provided. Situation updates – including any short-term and long-term remediation actions and plans – must be provided until the incident is contained or resolved. Following containment, recovery and closure, the FRFI should report to OSFI on its post incident review and lessons learned.

More information, including an appendix with types of attack scenarios and impact, is available at http://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/adv-prv/Pages/TCSIR.aspx.