Guidelines that will kick in on March 31 lay out what should be done in case of ‘material’ technology breaches
A new advisory from the Office of the Superintendent of Financial Institutions (OSFI) sets out guidelines for federally regulated financial institutions (FRFI) in case of technology or cybersecurity breaches.
The advisory, which references and follows up on the cybersecurity self-assessment guidance the OSFI put out in 2013, instructs FRFIs to report cybersecurity or technology-related incidents of a “high or critical severity level” to the agency.
“These are defined as incidents that materially impact the normal operations of an FRFI, including incidents affecting the confidentiality, integrity, or availability of the FRFI's systems or its information,” said law experts from Gowling WLG in a note.
The OSFI guidelines, which will take effect on March 31, do not explain what makes a material breach severe enough to warrant a report. But they do come with some possible conditions for reportable incidents, including:
- A significant operational impact on key/critical information systems or data;
- Material impact on the confidentiality, integrity, or availability of FRFI operational or customer data;
- Significant operational impact to internal users that is material to customers or business operations;
- Significant levels of system/service disruptions;
- Extended disruptions to critical business systems / operations;
- A considerable or growing number of external customers impacted;
- Imminent negative reputational impact from public disclosures, media reports, et cetera;
- Material impact on critical deadlines/obligations in financial market settlement or payment systems;
- Significant impact on a third party deemed material to the FRFI;
- Material consequences to other FRFIs or the Canadian financial system; or
- The incident being reported to the Office of the Privacy Commissioner or to local/foreign regulatory authorities.
In case of an incident, an FRFI must notify its OSFI Lead Supervisor within 72 hours and send an email to OSFI’s Technology Risk Division. The affected FRFI is also obligated to disclose additional information on an ongoing basis, along with any remediation plans. Once the incident has been addressed appropriately, the FRFI is also to report a post-incident review to OSFI that reflects lessons learned.