OSFI updates cyber incident reporting requirements

Watchdog pushes for a coordinated and integrated response among federally regulated financial institutions

The Office of the Superintendent of Financial Institutions (OSFI) has published an update to its requirements surrounding federally regulated financial institutions’ (FRFIs) reporting and disclosure of technology and cybersecurity incidents.

“The updated Technology and Cyber Security Incident Reporting Advisory (the ‘Advisory’) supports a coordinated and integrated response to technology and cyber security incidents when they occur at FRFIs,” OSFI said in a statement.

As per the updated advisory, FRFIs are to report a technology or cyber incident to OSFI’s Technology Risk Division, as well as their lead supervisor, within 24 hours of the incident.

An incident may be considered reportable if it possesses at least one of the following characteristics, among a host of others defined in the advisory:

  • Has potential consequences for other FRFIs or the broader Canadian financial system;
  • Has an impact on FRFI operations, infrastructure, data and/or systems, including the confidentiality, integrity, or availability of customer information;
  • Disruptions to business systems and/or operations, including utility or data centre outages or loss or degradation of connectivity;
  • Operational impact to key/critical systems, infrastructure, or data;
  • An FRFI’s technology or cyber incident management team or protocols have been activated;
  • An FRFI incident for which a cyber insurance claim has been initiated.

“OSFI expects FRFIs to provide regular updates (e.g., daily) as new information becomes available, and until all details about the incident have been provided,” OSFI said in its advisory. The watchdog may also ask for more frequent updates or alternative modes of updating from the reporting FRFI, depending on the incident’s severity, impact, and velocity.

Under a new “failure to report” section in the advisory, OSFI also said FRFIs that fail to report a cyber incident could be subject to measures including heightened OSFI supervisory oversight, placement on a watch list, or assignment to one of the stages in OSFI’s supervisory intervention approach.

To help FRFIs gauge and, where needed, improve their current state of readiness against emerging and growing cyber threats, OSFI has also released an updated Cyber Security Self-Assessment ("Self-Assessment").

“The Self-Assessment examines a FRFI's capability to respond to a cyber incident in areas ranging from organization and resources, to how it manages threats, risks and incidents, … [rating] each element on a scale from non-existent to continuous improvement,” OSFI said.
