On January 24, 2019, the Office of the Superintendent of Financial Institutions (“OSFI”) published an Advisory setting out new requirements for Canadian federally regulated financial institutions (“FRFIs”) to report cybersecurity incidents within 72 hours of determining the incident is reportable. These new reporting requirements become effective on March 31, 2019.
The Advisory adds mandatory reporting requirements to OSFI’s 2013 Cyber Security Self-Assessment Guidance. The Advisory sets out when FRFIs must disclose cybersecurity incidents to OSFI and provides details of the required content of the disclosures. It is part of a constellation of efforts by OSFI to require FRFIs to address technology and cybersecurity incidents in a timely and effective manner.
Criteria for Reporting
The Advisory requires an FRFI to notify OSFI when the FRFI experiences a technology or cybersecurity incident of “high or critical severity” that has the potential to, or has been assessed to, materially impact the normal operations of an FRFI, including the confidentiality, integrity or availability of its systems and information.
The determination of materiality has been left to the FRFIs to make in accordance with their incident management framework. However, the Advisory provides a number of examples, noting that a reportable incident may have any of the following characteristics:
- Significant operational impact to key/critical information systems or data;
- Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
- Significant operational impact to internal users that is material to customers or business operations;
- Significant levels of system / service disruptions;
- Extended disruptions to critical business systems / operations;
- Number of external customers impacted is significant or growing;
- Negative reputational impact is imminent (e.g., public/media disclosure);
- Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
- Significant impact to a third party deemed material to the FRFI;
- Material consequences to other FRFIs or the Canadian financial system;
- An FRFI incident has been reported to the Office of the Privacy Commissioner or to local/foreign regulatory authorities.
Criteria Markedly Different from PIPEDA
The Advisory imposes broader and more substantial notification and disclosure obligations than those under Canada’s federal privacy law for private-sector organizations, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The PIPEDA obligations will generally apply to FRFIs as well, insofar as personal information is concerned. Under PIPEDA, an organization is required to report to the Office of the Privacy Commissioner of Canada “any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”
Under the Advisory, a cybersecurity incident having a material impact on confidential non-personal information is potentially reportable to OSFI; it will not be reportable to the Office of the Privacy Commissioner of Canada (“OPC”). Conversely, an incident involving unauthorized access to personal information held by an FRFI may trigger the PIPEDA reporting requirements, but not necessarily the OSFI requirements (though note that the Advisory states that one of the criteria for being a reportable incident under the OSFI Advisory is that it has been reported to the OPC).
There will also be occasions where both regimes are triggered. It is unclear at this time whether, and how, the two organizations will cooperate in the respective investigations they are likely to conduct as a result of a report being made.
Notification and Reporting Requirements
An FRFI must notify its Lead Supervisor and OSFI in writing, as promptly as possible, but no later than 72 hours after determining that an incident meets the incident characteristics in the Advisory.
Details to report include the following:
- Date and time the incident was assessed to be material, as well as the date and time/period the incident took place;
- Incident severity, type (e.g. DDoS, malware, data breach, extortion), and a description of the incident, including:
  - known direct/indirect impacts (quantifiable and non-quantifiable), including privacy and financial impacts;
  - known impact to one or more business segments, business units, lines of business or regions, including any third party involved;
  - whether the incident originated at a third party, or has an impact on third-party services; and
  - the number of clients impacted.
- Primary method used to identify the incident;
- Current status of incident;
- Date for internal incident escalation to senior management or Board of Directors;
- Mitigation actions taken or planned;
- Known or suspected root cause;
- Name and contact information for the FRFI incident executive lead and liaison with OSFI.
The first 72 hours of any significant cybersecurity incident will often leave an organization scrambling to gain an accurate understanding of what has occurred and the scope of the impact; for that reason, the Advisory states that, at least at the time of the initial report, the FRFI may indicate ‘information not yet available’ where a required detail is not yet known. In such cases, the Advisory states that the FRFI should “provide best known estimates and all other details available at the time.”
Organizations will need to be extremely cautious about what they say in their initial report, and balance their obligations to notify against the need to manage the accuracy of the information provided, customer and reputational impacts, and privilege, as well as any other disclosures made (e.g., pursuant to securities regulations, etc.).
Continuing Reporting Obligations
The Advisory imposes on FRFIs a continuing disclosure obligation: OSFI expects FRFIs to provide regular updates (e.g. daily) as new information becomes available, until all material details about the incident have been provided. Until the incident is contained/resolved, OSFI expects FRFIs to provide situation updates, including any short-term and long-term remediation actions and plans.
Once the incident is contained, the FRFI has recovered, and the incident is closed, the FRFI is obliged to report to OSFI on its post-incident review and lessons learned.
Takeaways for Business
FRFIs should already be familiar with and have implemented OSFI’s Cyber Security Self-Assessment Guidance and will need to review, and supplement or modify as necessary, their existing incident management framework to ensure compliance with the Advisory.
FRFIs should pay particular attention to revising existing incident reporting policies to include an appropriate assessment of the OSFI triggers as part of the general process of whether an incident is reportable. Increasing regulatory scrutiny of FRFIs’ (and others’) relationships with third parties suggests FRFIs should review their agreements with such third parties to ensure the data protection and incident notification requirements are consistent with allowing the FRFI to fulfill its obligations under the Advisory. Key personnel, including those on the FRFI’s incident response team, should be trained in these new obligations.
FRFIs should review (or create) privilege protocols to address the competing informational demands of the OSFI Advisory, the PIPEDA investigatory and breach reporting regime, other disclosure requirements, and any potential litigation arising from a reportable data incident.
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page.