OSFI announces new requirements for reporting technology and cyber incidents (part one)

On August 13, the Office of the Superintendent of Financial Institutions (OSFI) released an updated Technology and Cyber Security Incident Reporting Advisory (the Advisory) and new requirements for the Cyber Security Self-Assessment. These changes are both effective immediately. The updates aim to enhance OSFI’s awareness and response to technology and cyber security incidents at federally regulated financial institutions (FRFIs). 

Part one of this update will discuss the changes in the Advisory, notably reducing the initial reporting period and broadening the notion of reportable incident. An upcoming part two will tackle the self-assessment tool provided by OSFI, which is seeing its first changes since 2013. 

What are the notable changes?

• Scope: The updated Advisory has broadened the definition of a technology or cyber security incident by taking out a reference to the materiality of the event. The Advisory now describes reportable incidents as those that have the potential to, or have been assessed to, affect the normal operations of an FRFI. In the previous version, the incident had to have the potential or be assessed to materially impact the operations of the FRFI. Additionally, the previous Advisory provides that incidents deemed to be of high or critical severity should be reported to OSFI. The updated Advisory has since removed this sentence, suggesting a lower standard for when incidents should be reported. 
• Criteria for Reporting: The “criteria for reporting” section has removed words such as “material,” “significant,” and “extended,” again suggesting a lower standard for a reportable incident. The Advisory also considers reportable incidents as those reported to another federal government department, to a law enforcement agency, or that have invoked internal or external counsel. 
• Timing of Initial Report: The timeframe to report a technology or cyber security incident drops from within 72 hours to within 24 hours, or sooner if possible.
• Reporting Form: OSFI now provides a Technology and Cyber Incident Reporting Form. The form adds guidance on the type of information OSFI requires from FRFIs when reporting an incident, including incident and contact information, site location and lines of business affected, a description of the risk and incident, the incident level or priority, and the current state of the incident. In completing the initial report, FRFIs must do their best to provide as much information as possible. Where specific details are unavailable at the time of the initial report, best estimates should be included.
• Electronic Reporting: While initial reports must still be completed in writing, the Advisory now indicates a preference for reports to be submitted electronically (by email). Where electronic submission is not available, notification by telephone and subsequent paper submission is acceptable.
• Failure to Report: OSFI has added a “failure to report” section in its Advisory. A failure to report a technology or cyber security incident may result in increased supervisory oversight. This can include enhanced monitoring, watch-listing, or staging of the FRFI.

When to report an incident?

OSFI recommends FRFIs define priority and severity levels within the organization’s internal incident management framework. While it does not provide a model framework, the Advisory contains an updated list of characteristics indicative of a reportable incident, including but not limited to:

• Impacts on other FRFIs, FRFI systems affecting financial market settlement, payment services, FRFI operations, or the Canadian financial system;
• Disruption of business systems and/or operations; 
• Activation of disaster recovery teams or plans;
• Activation of FRFI’s technology or cyber incident management team; or
• A previous FRFI incident that has been reported or initiated. 

OSFI also provides examples of reportable incidents, which include cyber attacks, technology failure at data centers, third-party breaches and extortion threats. For incidents that do not contain these characteristics or fall into one of these scenarios, the FRFI is encouraged to consult its designated lead supervisor and notify OSFI as a precautionary measure.

What are the key takeaways?

OSFI’s Advisory highlights the importance of incident reporting by FRFIs when faced with a technology or cyber security incident. If faced with an incident, FRFIs should use this opportunity to update and strengthen their policies and procedures to ensure they and the industry at large are better equipped to proactively prevent such incidents from occurring in the future. 

When an incident happens, the FRFI needs to keep in mind its reporting obligations. FRFIs must first report an incident to OSFI within 24 hours, and keep in mind the broader definition of what is now considered a reportable incident. This preliminary report should be done promptly via the form provided by OSFI. 

FRFIs should also provide regular updates to OSFI on the incident as new information becomes available, as well as situation updates, which include any short- and long-term remediation actions and plans. Additionally, a post-incident review should be submitted to OSFI once an incident has been contained.

The authors wish to thank articling students Marisa Kwan and Roxanne Caron for their help in preparing this legal update.