OSFI Issues New Technology and Cybersecurity Incident Reporting Requirements
Effective March 31, 2019, all federally regulated financial institutions (FRFIs) in Canada must follow new reporting requirements as it pertains to technology and cybersecurity related incidents. The Office of the Superintendent of Financial Institutions (OSFI) mandates that FRFIs need to notify OSFI of the incident in a timely manner and take necessary steps to prevent the incident from occurring again.
This announcement comes shortly after the recent PIPEDA legislation came into effect on November 1, 2018.
What is the Scope of this Advisory?
In this case, an incident refers to a technology or cybersecurity event that has “the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information.” Any incident with a materiality level of high or critical severity should be reported OSFI.
What are the Reporting Requirements for FRFIs?
Lead Supervisors must be notified no later than 72 hours after an incident has occurred. Subsequent notification to OSFI about the incident must be made in writing with details about the incident. The initial report of the incident should include details like when the incident occurred, the type of incident and how severe it is, any known impact of the incident to the business, and any mitigation efforts. A full list of details to report can be found here.
After the initial report is sent, OSFI expects FRFIs to provide regular updates to fill in any gaps that were not provided in the original incident report. These updates should also include short and long-term remediation plans to contain the incident. A post-mortem incident review should also be sent to OFSI with lessons learned.
How Can FRFIs Comply with the New Requirements?
Financial institutions need to have clearly stated policies and procedures that lay out the steps that need to be taken in the event of a technology or cybersecurity related incident. Compliance with new and changing reporting requirements can be complex, but it doesn’t have to be. Resolver’s Compliance and Incident Management software helps FRFIs manage ever-changing regulatory requirements and comply with the new reporting requirements via triggered alerts sent directly to Lead Supervisors and OSFI.