30 October 2024

Information Security Incident Management: A New Regulatory Framework For Financial Institutions And Credit Assessment Agents

Langlois Lawyers, LLP


Introduction

On October 23, 2024, the Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents ("Regulation") was published in the Gazette officielle du Québec. The Regulation will come into force in six months and is intended to provide a framework for the management and reporting of information security incidents by certain provincial financial institutions. In the event of non-compliance, the Regulation also provides for administrative penalties.

Information Security Incident

Under the Regulation, an information security incident means "an attack on the availability, integrity or confidentiality of information systems or the information they contain." This definition is distinct from the definition of "confidentiality incident" in the Act respecting the protection of personal information in the private sector ("Private Sector Act"), which covers incidents involving the unauthorized access, use and communication of personal information and the loss or other breach of the protection of personal information. Under the Regulation, a server failure would be considered an information security incident but may not be considered a confidentiality incident under the Private Sector Act.

Who is affected?

The Regulation applies to the following financial institutions ("Provincial Financial Institutions"):

  • Insurers authorized under the Insurers Act, and federations of mutual companies subject to that Act;
  • Federations and credit unions not members of a federation that are subject to the Act respecting financial services cooperatives;
  • Deposit institutions authorized under the Deposit Institutions and Deposit Protection Act;
  • Trust companies authorized under the Trust Companies and Savings Companies Act;
  • Credit assessment agents designated under the Credit Assessment Agents Act.

Requirements of the New Regulation

To comply with the Regulation, the Provincial Financial Institutions must comply with the following requirements.

1. Develop and implement an information security incident management policy

  • The policy must include procedures and mechanisms for detecting, assessing and responding to information security incidents that may occur within the Provincial Financial Institution;
  • The policy must also apply to third parties to which such Provincial Financial Institution has entrusted the performance of any part of an activity, if the incident affects the activity entrusted to such third party;
  • The policy must include a procedure for the reporting of information security incidents to the officers or managers and any other stakeholders. Other stakeholders may include:
    • Clients,
    • Third parties to which the Provincial Financial Institution has entrusted the performance of any part of an activity,
    • Consumers,
    • The Autorité des marchés financiers ("Authority"), and any other regulatory bodies.

2. Appoint an incident management officer

  • The Provincial Financial Institution must assign, in writing, responsibility for monitoring the management and reporting of information security incidents.

3. Report the information security incident to the Authority in certain situations

The information security incident has potentially adverse impacts.

  • Any incident with potentially adverse impacts must be reported to the Authority, not later than 24 hours from the time the incident is reported to the officer or manager. However, the Regulation does not define what might constitute a potentially adverse impact.
  • It will therefore be important for Provincial Financial Institutions to establish internal controls and procedures that specify which incidents are to be reported to officers or managers, and the specific terms and conditions of such reports.

The information security incident was reported or notified to certain organizations or individuals.

  • The Provincial Financial Institution must, within 24 hours of reporting, notify the Authority of any information security incident that has been reported, or has been the subject of a notice, to a regulatory body, to a person or body responsible under law for the prevention, detection or repression of crime or statutory offences, or to a person or body contractually responsible for providing compensation for injury that may have been caused by the incident.

In the event of a confidentiality incident that poses a risk of serious injury under the Private Sector Act.

  • In the event of a confidentiality incident presenting a "risk of serious injury" under Section 3.5 of the Private Sector Act, the Provincial Financial Institution must notify the Authority of the incident at the same time as the Commission d'accès à l'information.

4. Keep the Authority informed of developments in the information security incident

  • The Provincial Financial Institution must notify the Authority of developments in the situation not later than every three days until a notice is sent to the Authority confirming that the incident is under control and that operations have returned to normal.

5. Submit an incident report to the Authority

The Provincial Financial Institution shall send a report to the Authority within 30 days following the date the notice is sent to the Authority confirming that the incident is under control and that operations have returned to normal.

The report shall, in particular:

  • Identify the source and the type of incident;
  • Provide an assessment regarding a potential recurrence of the incident;
  • Describe the actions taken to reduce the likelihood of incidents of a similar nature occurring in the future.

6. Maintain an information security incident register

  • The Provincial Financial Institution must maintain a current information security incident register that shall include, for each incident:
    • The date, time and location of the incident,
    • The nature of the incident,
    • A detailed description of the incident,
    • Any injury caused by the incident,
    • Any third parties involved,
    • The actions taken,
    • Whether the residual risk is accepted or not accepted, and the rationale for accepting or not accepting it,
    • The planned actions, and
    • The incident close date.
  • The Provincial Financial Institution must keep the information recorded in the register in a secure and confidential manner for a minimum period of five years.

Monetary administrative penalties

The Regulation provides for monetary administrative penalties for non-compliance. The amounts vary depending on the nature of the offence and can range from $250 to $500 for a natural person and from $1,000 to $2,500 for Provincial Financial Institutions.

Conclusion

The adoption of the Regulation imposes an additional regulatory burden on Provincial Financial Institutions. These obligations are in addition to those of other laws, such as the Private Sector Act, that could apply to a given situation, within different parameters. In its Brief entitled Mémoire – Projet de Règlement sur la gestion et le signalement des incidents de sécurité de l'information de certaines institutions financières et des agents d'évaluation du crédit, the Insurance Bureau of Canada rightly pointed out that it is important to consider that the proliferation of frameworks creates risks of duplication and complicates incident management for registrants. Provincial Financial Institutions will need to review and adapt their policies and processes for incident management and pay particular attention to situations that could lead to regulatory overlap in the event of an information security incident.
