On August 13, 2021, the Office of the Superintendent of
Financial Institutions (OSFI) issued a new advisory on Technology and Cyber Security Incident
Reporting (2021 Advisory). The 2021 Advisory replaces
OSFI's guidance from 2019 (2019 Advisory) on how and when
federally regulated financial institutions (FRFIs) are required to
notify OSFI about technology or cybersecurity incidents.
The 2021 Advisory defines a technology or cybersecurity incident as
an incident that has an impact, or the potential to have an impact,
on the operations of an FRFI, including the confidentiality,
integrity or availability of its systems and information.
Whether a technology or cybersecurity incident must be reported to
OSFI depends on the FRFI's determination of whether the
incident meets OSFI's criteria for reporting.
In general, the 2021 Advisory significantly broadens the scope of
reportable incidents from those with "material" or
"significant operational" impact (the reporting threshold
under the 2019 Advisory) to incidents with any impact on
operations. For instance, under the 2021 Advisory, an FRFI must
report every incident for which its technology or cyber incident
protocols are activated, or which has been reported to its board.
REPORTABLE INCIDENTS
The 2021 Advisory emphasizes that a reportable incident may have
"any one or more" characteristics from OSFI's updated
list. FRFIs are expected to define priority and severity levels
within their incident management frameworks. If they are in doubt
about whether to report an incident, they should consult their OSFI
lead supervisor.
The updated characteristics of a reportable incident are as
follows:
- Potential consequences to other FRFIs or the Canadian financial system
- Impact to FRFI systems affecting financial market settlement, confirmations or payments (such as financial market infrastructure), or impact to payment services
- Impact to FRFI operations, infrastructure, data and/or systems, including but not limited to the confidentiality, integrity or availability of customer information
- Disruptions to business systems and/or operations, including but not limited to utility or data centre outages or loss or degradation of connectivity
- Operational impact to key/critical systems, infrastructure or data
- Activation of disaster recovery teams or plans, or disaster declaration made by a third-party vendor that impacts the FRFI
- Operational impact to internal users and potential impact to external customers or business operations
- Increase in number of external customers impacted; negative reputational impact imminent (such as public and/or media disclosure)
- Impact to a third party affecting the FRFI
- Activation of an FRFI's technology or cyber incident management team or protocols
- An incident reported to the board of directors or senior/executive management
- An FRFI incident reported to:
- The Office of the Privacy Commissioner
- Another federal government department (such as the Canadian Centre for Cyber Security)
- Other local or foreign supervisory or regulatory organizations or agencies
- Any law enforcement agencies
- Internal or external counsel
- Initiation of an FRFI cyber-incident insurance claim
- An incident assessed by an FRFI to be of a high or critical severity level, or ranked priority/severity/tier one or two, based on the FRFI's internal assessment, or
- An incident that breaches internal risk appetite or thresholds
Like the previous guidance, the 2021 Advisory includes a
non-exhaustive list of examples of reportable incidents.
If an FRFI is uncertain whether to report an incident, or where an
incident does not align with or contain the above specific
criteria, the 2021 Advisory encourages notification as a
precaution.
REPORTING GUIDELINES
Under the 2021 Advisory, a reportable incident must be reported
within 24 hours, or sooner if possible, whereas the 2019 Advisory
required a report within 72 hours or sooner. The report must be in
writing and made to OSFI's Technology Risk Division and the
FRFI's lead supervisor using the new reporting form template.
The guidance relating to subsequent reporting has not changed since
the 2019 Advisory. OSFI expects updates on the incident to be
provided as new information becomes available. After the incident
is contained, a post-incident review and lessons learned should
follow.
CONSEQUENCES OF FAILING TO REPORT
The 2021 Advisory also contains new guidance on the consequences of failing to report an incident. These may include increased supervisory oversight by way of enhanced monitoring, watch-listing or staging of the FRFI under OSFI's formal supervisory intervention process, which is used to identify and mitigate risks associated with an FRFI.
For permission to reprint articles, please contact the Marketing Department at bulletin@blakes.com.
© 2025 Blake, Cassels & Graydon LLP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.