On August 13, 2021, Canada's Office of the Superintendent of Financial Institutions (OSFI) announced new technology/cybersecurity incident reporting requirements for Federally Regulated Financial Institutions (FRFIs). Incidents to which the policy applies are no longer subject to an express materiality threshold and must now be reported within 24 hours, with specific consequences for failure to report. In addition, OSFI updated the Cyber-Security Self-Assessment for FRFIs. This stricter approach reflects OSFI's growing concern about the potential impact of cybercrime and technology incidents on the financial sector.
The updated Technology and Cyber Security Incident Reporting Advisory ("New Advisory") replaces the OSFI advisory that has been in effect since March 31, 2019 ("2019 Advisory"). The New Advisory defines "technology or cyber security incident" as:
An incident that has an impact, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information.
The explicit materiality qualifier in the 2019 Advisory has not been retained in the New Advisory, which instead recommends that:
- "FRFIs should define priority and severity levels within their incident management framework" (the New Advisory does not set expectations for these frameworks); and
- FRFIs consult their Lead Supervisors if uncertain whether an incident should be reported.
In general, the New Advisory lowers the threshold for reporting while expanding the scope of reportable incidents as discussed below. Because the previous materiality test is no longer applicable, the requirement to report could potentially be triggered by almost any incident that affects a FRFI's systems.
Characteristics of reportable incidents
The New Advisory states that reportable incidents may have any of the following characteristics (note that OSFI does not intend the examples given to be exhaustive of the points that they illustrate):
- The potential to affect other FRFIs or the Canadian financial system generally;
- An impact on FRFI systems affecting financial market settlement, confirmations or payments, or impact on payment services;
- An impact on FRFI operations, infrastructure, data, systems (e.g. an impact on the confidentiality, integrity or availability of customer information, among others);
- A disruptive effect on business systems or operations (e.g. data centre or utility centre outages or "loss or degradation" of connectivity);
- An operational impact on key or critical systems, infrastructure or data;
- An activation of disaster recovery plans or teams or a declaration of disaster by a third-party vendor, affecting the FRFI;
- An operational impact on internal users that affects business operations or external customers;
- An impact on external customers that is growing and likely to attract media attention, with a potential to negatively affect the FRFI's reputation;
- An impact to a third party affecting the FRFI;
- The FRFI's technology/cyber incident protocols or response team have been activated;
- An incident has been reported to the board of directors or senior management;
- A report has been made to another federal government department or to the Office of the Privacy Commissioner, to a law enforcement agency or to any other regulator or supervisory authority anywhere in the world;
- The FRFI "has invoked internal or external counsel";
- A FRFI incident for which a cyber insurance claim has been initiated;
- The FRFI has internally assessed the incident as a Tier 1 or Tier 2 incident (high or critical severity); or
- A breach of internal risk appetite or thresholds.
However, even if an incident does not appear to meet any of these criteria (or where the FRFI is uncertain), notification of OSFI is "encouraged" on a precautionary basis.
Appendix I of the New Advisory lists four reportable scenarios as examples of reportable incidents. These appear to be similar to those included in the 2019 Advisory: an account takeover botnet campaign, a data centre technology failure, a breach at a material third party and DDoS extortion attacks.
The New Advisory differentiates between "initial" notification requirements and those that apply subsequently.
Initial notification requirements
In a major change, the notification timeframe has been reduced from 72 hours to 24 hours, although OSFI's preference continues to be that notification take place as soon as possible. The New Advisory does not specify when the reduced 24-hour period begins to run, although (as noted below) it clearly contemplates that reports will sometimes have to be submitted before the FRFI has ascertained all of the required information. The 2019 Advisory stated that the 72-hour period began to run when the FRFI had determined that the incident was reportable.
Incidents must be reported to the appropriate Lead Supervisor and to OSFI's Technology Risk Division using the Incident Reporting and Resolution Form, whether or not all details are known. A facsimile of the form is provided in Appendix II of the New Advisory.
Note that the 24-hour reporting period is shorter than the corresponding requirement under section 10.1 of PIPEDA, which requires that notifications be made "as soon as feasible after the organization determines that the breach has occurred". The FRFI continues to be responsible for complying with the PIPEDA requirement, however.
Subsequent notification requirements
The subsequent notification requirements are more open-ended. In whatever form it takes, such notification should be "regular (e.g. daily)", although OSFI may issue more specific requirements in specific cases. The regular updates should continue until the incident is contained or resolved and are expected to include both short-term and long-term remediation actions and plans. A post-incident review, including "lessons learned" should also be submitted at an appropriate time.
Failure to report
Failure to report incidents as required can now lead to specific consequences, such as increased supervisory oversight, e.g. enhanced monitoring of a FRFI's activities, or watch-listing or staging of the FRFI (among other potential consequences).
Cyber Security Self-Assessment
The Cyber Security Self-Assessment ("Self-Assessment") assists the FRFI in identifying areas of potential vulnerability to cyber incidents and addresses both incident prevention and incident response. Changes in the revised version were designed in part to reflect recent rapid growth in financial services digitization. While not mandatory, the Self-Assessment will supplement OSFI's forthcoming guidance for the sound management of technology and cyber risk, referred to in the Near-Term Plan of Prudential Policy, issued on May 6, 2021.
The Self-Assessment encompasses 90 "control statements" such as "The FRFI conducts regular reviews of the cyber risk strategy and cyber risk framework, to ensure compliance with legal and regulatory requirements" (no. 3). The control statements are divided into the following categories:
- Planning and strategy
- Risk management
- Business environment
- Asset management
- Risk assessment
- Identity management and access control
- Network security
- Data security
- Vulnerability management
- Change and configuration management
- Monitoring and logging
- Benchmarking, reviews and assessments
- Secure software development
- Incident management
- Testing and planning
- Continuous improvement
- Security education
- Governance and management
- Cloud service providers
In completing the Self-Assessment, the FRFI will rate each control statement on a scale from 0-5 with respect to "cyber security maturity". The data produced by this exercise will help the FRFI focus its future cyber security planning on its most pressing areas of deficiency.
Steps that FRFIs should consider in light of the New Advisory include (among others):
- Assessing the implications of the changes to the reporting standards in the New Advisory on their internal procedures;
- Reviewing and (if necessary) updating supplier and outsourcing agreements to ensure compliance with the new requirements; and
- Undergoing a Cyber Security Self-Assessment based on the new template.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.