In addition to ensuring their compliance with Canada’s new federal mandatory data breach and breach-of-security-safeguards reporting requirements under the private sector Personal Information Protection and Electronic Documents Act, federally regulated financial institutions will soon have additional regulatory reporting requirements regarding technology and cybersecurity incidents, thanks to a recent advisory promulgated by the Office of the Superintendent of Financial Institutions.
Issued on Jan. 24, the Advisory on Technology and Cybersecurity Incident Reporting confirms the obligation of federally regulated financial institutions to report high or critical severity technology or cybersecurity incidents to the OSFI. For the purpose of the advisory, a technology or cyber-incident is defined to have the potential to — or has been assessed to — “materially impact the normal operations of an FRFI,” including confidentiality, integrity or availability of its systems and information. The advisory will take effect on March 31 and applies to all FRFIs.
By way of background, OSFI regulates and supervises federally regulated financial institutions including banks, federally incorporated trust and loan companies, life insurance companies, fraternal benefit societies and property and casualty insurance companies. OSFI also regulates private pension plans that are subject to federal oversight and foreign bank representative offices.
The advisory set out certain reporting criteria. It notes that FRFIs should define incident materiality in their incident management framework (when in doubt about incident materiality, FRFIs are advised to “consult their lead supervisor”).
The advisory states that a reportable incident may have any of the following characteristics: significant operational impact to critical information systems or data; material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data; significant operational impact to internal users that is material to customers or business operations; significant levels of system or service disruptions; extended disruptions to critical business systems or operations; the number of external customers impacted is significant or growing; negative reputational impact is imminent (public or media disclosure); a material impact to critical deadlines or obligations in financial market settlement or payment systems (financial market infrastructure); significant impact to a third party deemed material to the FRFI; material consequences to other FRFIs or the Canadian financial system; or an FRFI incident has been reported to the Office of the Privacy Commissioner or either local or foreign regulatory authorities.
The advisory sets out aggressive reporting requirements for FRFIs. An FRFI must notify its lead supervisor as promptly as possible but no later than 72 hours after determining a technology or cybersecurity incident meets the incident characteristics in the advisory.
This fixed notification period is in contrast to the mandatory data breach or breach-of-security-safeguards reporting standard set out in PIPEDA, which compels organizations to notify the OPC, individuals and third-party organizations of breaches of security safeguards “as soon as feasible” after it has determined that the breach creates a real risk of significant harm to an individual.
In addition to the foregoing notification requirements, FRFIs are also expected to notify TRD@osfi-bsif.gc.ca. When reporting a technology or cybersecurity incident to OSFI, an FRFI must do so in writing electronically or by paper. If specific details are unavailable at the time of the initial report, the FRFI must indicate “information not yet available” and the FRFI is expected to provide best-known estimates and all other details available at the time.
The notification to OSFI must contain the following details: the date and time the incident was assessed to be material; the date and time and period the incident took place; the incident severity; the incident type (DDoS, malware, data breach, extortion); the incident description, including: known direct/indirect impacts (quantifiable and non-quantifiable) including privacy and financial; known impact to one or more business segment, business unit, line of business or regions, including any third party involved; whether incident originated at a third party or has impact on third-party services and the number of clients impacted; the primary method used to identify the incident; the current status of incident; the date for internal incident escalation to senior management or board of directors; the mitigation actions taken or planned; known or suspected root cause and name and contact information for the FRFI incident executive lead and liaison with OSFI.
Additionally, FRFIs are also required to provide daily updates as new information becomes available and until all material details about the incident have been provided. Depending on the severity, impact and velocity of the incident, the lead supervisor may also request that an FRFI change the method and frequency of subsequent updates. OSFI further expects FRFIs to provide situation updates, including any short-term and long-term remediation actions and plans, until the incident is contained/resolved. Lastly, following incident containment, recovery and closure, the FRFI should report to OSFI on its post-incident review and “lessons learned” (hopefully, there are some). The advisory concludes with a non-exhaustive but useful table that provides some examples of reportable incidents.
What does this new advisory mean for FRFIs? At a minimum, counsel for FRFI’s should review all relevant third-party agreements to ensure that such contracts contain sufficient language to allow the FRFI to comply with its obligations under the advisory, including the detailed notification requirements referenced above as well as the heightened timeframe for reporting technology and cybersecurity incidents. FRFIs will also have to ensure that they have put in place the proper internal policies and procedures (and have adequate personnel) to prepare and submit the detailed incident reports as required by the advisory. As OSFI has given FRFIs a two-month grace period before the advisory comes into effect, it is likely that OSFI also believes that FRFIs may need such time to put those additional processes into effect, train their staff and amend their standard documents as required in order to meet the requirements of this advisory.