The Office of the Superintendent of Financial Institutions (“OSFI”) recently updated its Advisory on Technology and Cyber Security Incident Reporting for all federally regulated financial institutions (“FRFIs”). The new requirements, which apply to FRFIs such as banks, trust and loan companies, insurance companies, and fraternal benefit societies, came into effect on August 13, 2021, and amend the previous requirements which have been in effect since March 2019.
The changes expand the scope of reportable incidents, and introduce more rigour to the reporting process. Organizations should review their incident response plans to ensure that new forms and timelines are incorporated into their internal documents.
Important Changes for FRFIs
1. Mandatory notification to OSFI within 24 hours
FRFIs are now required to notify OSFI within 24 hours, or sooner if possible, when they are affected by a technology or cyber security incident, as opposed to the previous 72-hour reporting window.
OSFI expects FRFIs to provide “all details about the incident”, which is an important distinction from the previous advisory, which only required “all material details about the incident”. In practice, this means that the institution must disclose information it holds about an incident at a very early stage of the response and is then expected to provide subsequent updates until all of the information about the incident has been disclosed.
2. Requirement to use a reporting template form
When reporting an incident to OSFI’s Technology Risk Division and their Lead Supervisor at OSFI, FRFIs are now required to complete the OSFI Incident Reporting and Resolution Form. The previous advisory only specified the information required in the report and did not include a form.
3. An expanded list of characteristics for reporting
The list of characteristics of incidents that must be reported is expanded to include new criteria, while amending previous ones by removing qualifiers such as “material”, “significant” and “extended”. The presence of any one or more of the following criteria now triggers the reporting requirement to OSFI:
A) Criteria specific to the impact of the incident:
- Impact has potential consequences to other FRFIs or the Canadian financial system;
- Impact to FRFI systems affecting financial market settlement, confirmations or payments (e.g., Financial Market Infrastructure), or impact to payment services;
- Impact to FRFI operations, infrastructure, data, and/or systems, including but not limited to the confidentiality, integrity, or availability of customer information;
- Disruptions to business systems and/or operations, including but not limited to utility or data centre outages or loss or degradation of connectivity;
- Operational impact to key/critical systems, infrastructure, or data;
- Operational impact to internal users that poses an impact to external customers or business operations; and
- Impact to a third party affecting the FRFI.
B) The number of individuals affected and impact on reputation:
- Number of external customers impacted is growing; negative reputational impact is imminent (e.g., public and/or media disclosure).
C) Criteria specific to the corporate response:
- Disaster recovery teams or plans have been activated or a disaster declaration has been made by a third party vendor that impacts the FRFI;
- A FRFI’s technology or cyber incident management team or protocols have been activated;
- An incident that has been reported to the Board of Directors or Senior/Executive Management;
- A FRFI incident has been reported to:
  - the Office of the Privacy Commissioner;
  - another federal government department (e.g., the Canadian Center for Cyber Security);
  - other local or foreign supervisory or regulatory organizations or agencies;
  - any law enforcement agencies;
  - internal or external counsel; and
- A FRFI incident for which a cyber insurance claim has been initiated.
D) Criteria specific to the assessment of risk within the institution:
- An incident assessed by a FRFI to be of high or critical severity or level, or ranked Priority/Severity/Tier 1 or 2, based on the FRFI’s internal assessment; or
- Technology or cyber security incidents that breach internal risk appetite or thresholds.
When in doubt or when incidents do not align with or contain the specific criteria listed, an institution is encouraged to notify OSFI as a precaution.
4. A broadened definition of “technology or cyber security incident”
The updated definition of a technology or cyber security incident is “an incident that has an impact, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information.” The previous definition covered any incident that had “the potential to, or has been assessed to, materially impact the normal operations” of the FRFI.
As a result of this change, a wider scope of incidents will now fall under this new definition which, in effect, will ensure that OSFI is more often involved in the oversight of incident management by FRFIs.
5. Consequences for failing to report
The consequences for failing to report incidents as required include increased supervisory oversight, which could include enhanced monitoring activities, being added to a watch list, or being staged as part of OSFI’s intervention process.
Considering the lowered threshold for reporting incidents and OSFI’s enhanced involvement in the incident process, institutions should expect an increased number of reports to OSFI and more potential scrutiny of their practices. As a result, institutions should ensure that their reporting mechanisms are operational and effective, that they provide for a timely response, and that their incident management policies and procedures are amended to reflect these new requirements and reporting criteria.
OSFI Cyber Security Self-Assessment also updated
OSFI also updated its self-assessment, which is intended to help FRFIs evaluate their cyber security operations and programs. The self-assessment now consists of 90 controls divided into different focus areas, which follow the structure of the NIST Cybersecurity Framework, with a few additions: Governance, Identify, Defend, Detect, Respond, Recover, Learn, and Third-Party Providers. The different focuses are then divided into categories.
OSFI then encourages FRFIs to attribute a cyber risk rating level to each control in the questionnaire, according to the maturity of that control’s implementation within the institution. The rating levels have been updated to reflect the effectiveness of the implementation and adoption of the control within the institution, whereas in the previous version the stage of implementation was the main criterion for attributing a level. Additionally, the current assessment does not include a section for the “action plan and target date for full implementation” and instead focuses on supporting references that justify the risk rating.
The updated memorandum specifies that the self-assessment is a resource to complement the current and forthcoming guidance established by OSFI.
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, data mapping and gap analysis, and training in respect of personal information.