On January 24, 2019, the Office of the Superintendent of Financial Institutions (“OSFI”) published an Advisory setting out new requirements for Canadian federally regulated financial institutions (“FRFIs”) to report cybersecurity incidents within 72 hours of determining the incident is reportable. These new reporting requirements become effective on March 31, 2019.
The Advisory adds mandatory reporting requirements to OSFI’s 2013 Cyber Security Self-Assessment Guidance. The Advisory sets out when FRFIs must disclose cybersecurity incidents to OSFI and provides details of the required content of the disclosures. It is part of a constellation of efforts by OSFI to require FRFIs to address technology and cybersecurity incidents in a timely and effective manner.