ARTICLE
7 November 2024

New Security Incident Reporting Obligations For Certain Financial Institutions In Québec

TL
Torys LLP

Contributor

Torys LLP logo
Torys LLP is a respected international business law firm with a reputation for quality, innovation and teamwork. Our experience, our collaborative practice style, and the insight and imagination we bring to our work have made us our clients' choice for their largest and most complex transactions as well as for general matters in which strategic advice is key.
Explore Firm Details
Lexpert Firm Profile
On October 23, 2024, Québec's Autorité des marchés financiers (AMF) published the Regulation respecting the management and reporting of information security incidents by certain financial institutions.
Canada Finance and Banking
Molly Reynolds,Julie Himo,Gabrielle Da Silva
+1 Authors
 Your Author LinkedIn Connections

On October 23, 2024, Québec's Autorité des marchés financiers (AMF) published the Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents (the Regulation). The Regulation, which comes into force on April 23, 2025, will impose obligations on certain financial institutions to manage, report and maintain records of information security incidents.

What you need to know

  • Scope: The Regulationapplies to certain financial institutions regulated by existing Québec legislation.
  • New obligations:
    • Institutions must put in place an information security incident management policy and designate an individual responsible for its oversight.
    • Institutions must report incidents to the AMF and continue reporting progress until incidents resolve.
    • Institutions must maintain a record of incidents for five years after the incident is resolved.
  • Administrative monetary penalties: Institutions that breach provisions of the Regulation may be liable to pay penalties of up to $2,500, depending on the nature of the breach.

The Regulation

The Regulationwas published after a draft regulation was circulated for public consultation in December 2023. Its provisions will come into force on April 23, 2025.

To whom does the Regulationapply?

The Regulation, and the new obligations it imposes, will apply to the following financial institutions already regulated by existing legislation in Québec:

  • insurers and federations of mutual companies holding a license under the Insurers Act;
  • financial institutions covered by the Act respecting financial services cooperatives;
  • deposit institutions authorized under the Deposit Institutions and Deposit Protection Act;
  • trust companies authorized under the Trust Companies and Savings Companies Act; and
  • credit assessment agents under the Credit Assessment Agents Act.

New obligations under the Regulation

The Regulation defines "information security incident" as a breach to the availability, integrity or confidentiality of information systems or the information which those systems contain. The Regulation imposes three main obligations:

  • Information security incident management policy
    • Institutions must put in place a policy that includes procedures to detect, assess and respond to incidents that may occur.
    • The policy must include a procedure to report incidents to clients, consumers and third parties.
    • The institution must designate an individual to oversee the management and reporting of incidents.
  • Reporting to the AMF
    • Institutions must report (i) incidents with potentially adverse impacts and (ii) incidents that must be reported to other law enforcement or regulatory bodies within 24 hours of being informed of the incident.
    • The AMF will create a reporting form and guide on its website.
    • Institutions must provide updates to the AMF every three days after the original notice is given.
    • Institutions must provide a closing report to the AMF 30 days after the incident is resolved, identifying the source and type of incident, an assessment of the potential recurrence of the incident, and any measures taken to reduce the likelihood of recurrence.
  • Keeping records
    • Institutions must keep fulsome records of incidents in a register, which must be maintained for at least five years from the date the institution submits a closing report to the AMF.

Administrative monetary penalties

Institutions that fail to comply with new obligations may be liable to pay administrative monetary penalties. The penalty amount differs based on the nature of the breach and whether the breach was caused by an individual or an institution.

Serious breaches include failure to establish an incident management policy, failure to keep an updated register of incidents and failure to keep records for the five-year retention period. Institutions that commit serious breaches may be liable to pay a penalty of up to $2500.

Preparing for the Regulation

While institutions that fall under the ambit of the Regulationhave time before its provisions come into force in April 2025, care should be taken to ensure that existing policies and reporting mechanisms comply with the new obligations. Even where reporting regimes are already in place, such as to the Commission d'accès à l'information under Québec privacy law, institutions must ensure reporting to the AMF.

Institutions should be aware of the varying reporting standards under different regulatory regimes. As drafted, the Regulationposes a heavy burden on institutions to report any incident with potentially adverse impacts within 24 hours of being informed of the incident. Institutions should be prudent in reporting all incidents and engage counsel where unsure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Molly Reynolds
Molly Reynolds
Photo of Julie Himo
Julie Himo
Photo of Rosalie Jetté
Rosalie Jetté
Photo of Gabrielle Da Silva
Gabrielle Da Silva
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More