ARTICLE
5 July 2019

Financial Institutions: OSFI's Heightened Cyber Security Incident Reporting Obligations Now In Effect

ML
McMillan LLP

Contributor

McMillan LLP logo
McMillan is a leading business law firm serving public, private and not-for-profit clients across key industries in Canada, the United States and internationally. With recognized expertise and acknowledged leadership in major business sectors, we provide solutions-oriented legal advice through our offices in Vancouver, Calgary, Toronto, Ottawa, Montréal and Hong Kong. Our firm values – respect, teamwork, commitment, client service and professional excellence – are at the heart of McMillan’s commitment to serve our clients, our local communities and the legal profession.
Explore Firm Details
Lexpert Firm Profile
On January 24, 2019, the Office of the Superintendent of Financial Institutions published the Technology and Cyber Security Incident Reporting Advisory.
Canada Technology
Photo of Darcy Ammerman
Photo of Grace Shaw
Authors

On January 24, 2019, the Office of the Superintendent of Financial Institutions ("OSFI") published the Technology and Cyber Security Incident Reporting Advisory1 (the "Advisory"), which sets out OSFI's expectations for reporting technology and cyber security incidents.  The Advisory became effective for all federally regulated financial institutions ("FRFIs") on March 31, 2019.

The Advisory requires FRFIs to report technology or cyber security incidents that "have the potential to, or have been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information". If a FRFI assesses an incident as being of a "high or critical severity level", the FRFI must notify OSFI as promptly as possible, but no later than 72 hours after the FRFI determines that the incident is reportable. For more details on the reporting process, and how it differs from the breach reporting requirements under Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), see our recent publication, " OSFI Boots Up Cyber Safety with its New Advisory on Technology and Cyber Security Incident Reporting".

In order to ensure compliance with the Advisory and OSFI's expectations, we recommend several steps including:

  • taking a top-down approach to ensure active participation and buy-in to cybersecurity from the executive and board down through employees;
  • conducting periodic risk assessments, security audits, and due diligence on vendor and outsourced workers when contracting with them (as well as including written requirements in the contracts);
  • designating a program administrator who is accountable to the organization; and
  • developing written policies and procedures, including, critically, an incident response plan, based on the above.

Regularly testing internal controls, conducting staff training programs and updating compliance procedures will increase the effectiveness of these recommendations.

Footnote

1 Available at Technology and Cyber Security Incident Reporting

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2019

Authors
Photo of Darcy Ammerman
Darcy Ammerman
Photo of Grace Shaw
Grace Shaw
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More