On August 13, 2021, the Office of the Superintendent of Financial Institutions (“OSFI”) released an updated Technology and Cyber Security Incident Reporting Advisory (the “New Advisory”) for federally regulated financial institutions (“FRFIs”) which replaces the Technology and Cyber Security Incident Reporting Advisory previously published in January 2019 (the “2019 Advisory”).
The New Advisory potentially lowers the threshold for reporting and expands the scope of reportable incidents. Under the New Advisory, FRFIs who fail to comply with the new reporting requirements could be subject to increased supervisory oversight by OSFI. In connection with the New Advisory, OSFI also released an updated Cyber Security Self-Assessment Tool to assist FRFIs in reviewing their ability to manage technology and cyber risks and to respond to incidents.
The key updates in the New Advisory are:
- New Definition of Technology or Cyber Security Incident – The New Advisory defines a technology or cyber security incident as “an incident that has an impact, or the potential to have an impact on the operations of a FRFI”. This appears to be a lower threshold for reporting than the 2019 Advisory, which defined a reportable incident as an incident having the potential to, or having been assessed to, “materially impact the normal operations of a FRFI”.
- New Characteristics and Criteria for Reporting – Whereas the criteria for reporting set out in the 2019 Advisory included incidents that would have a “significant operational impact”, “material impact”, “extended disruptions” or “material consequences”, the New Advisory has removed these qualifiers. The new criteria no longer require that the impact be significant or material. Under the New Advisory, it appears that any impact to a FRFI’s systems, operations or to the Canadian financial system may trigger the reporting requirement. The New Advisory also expands the list of criteria for reporting. For example, in the 2019 Advisory, one of the criteria was whether an incident had been reported to the Office of the Privacy Commissioner (“OPC”) pursuant to the mandatory reporting of breaches of security safeguards under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The New Advisory provides that, in addition to reporting to the OPC or law enforcement under PIPEDA, if an incident has invoked internal or external counsel, the incident may have to be reported.
- Shorter Initial Notification Requirements – Incidents must now be reported within 24 hours, or sooner if possible. This is shorter than the notification requirement under the 2019 Advisory, which was to report an incident “as promptly as possible, but no later than 72 hours.” There are no changes to subsequent reporting requirements, and OSFI still expects FRFIs to provide situation updates, including any short-term and long-term remediation actions and plans, until the incident is contained or resolved. Reports must be made in writing using the template provided in Appendix II to the New Advisory.
- New Consequences of Failure to Report – Under the New Advisory, failure to report a technology or cyber security incident may result in increased oversight by OSFI. Notably, such increased oversight could include watch-listing of the FRFI and staging by OSFI. The 2019 Advisory did not provide for the consequences of a failure to report.
The 2019 Advisory provided that incidents “assessed by a FRFI to be of a high or critical severity level should be reported to OSFI”. Under the New Advisory, this provision is now included in the expanded criteria for reporting. OSFI advises that if a FRFI is uncertain whether to report an incident, the FRFI should consult their OSFI Lead Supervisor.
The obligation of FRFIs to report a technology or cyber security incident under the New Advisory is in addition to their obligations under applicable privacy legislation to report a breach of security safeguards.
The updates to the New Advisory may require FRFIs to review and update their policies and procedures related to technology and cyber security as well as outsourcing arrangements given that FRFIs will be expected to report incidents of third-party vendors that may affect the FRFI.