Subscribe

Become a member

Get the best offers and updates relating to Liberty Case News.

ï¹¢ Subscribe

― Advertisement ―

spot_img

Thank you for your feedback – In-House Community Congress 2022 -Hong Kong

ihc - 0
Thank you for submitting the feedback form. If you have any questions or require a copy of the slides from speakers at the Hong Kong...

Registration: Use of ODR for businesses, capacity building and in response to COVID-19 pandemic

0

International firm to move to 60 percent office working once offices reopen

0

Praxonomy board portal – Special offer for IHC members

0
HomeOSFI issues advisory on technology and cyber security incident reporting

OSFI issues advisory on technology and cyber security incident reporting

ihc
By ihc
37

JANUARY 28, 2019

Financial Services Bulletin

On January 24, 2019, the Office of the Superintendent of Financial Institutions (OSFI) issued an Advisory on Technology and Cyber Security Incident Reporting.

The Advisory sets out OSFI’s expectations for reporting technological and cyber security incidents. These expectations apply to all federally regulated financial institutions (FRFIs) — including banks, federal trust companies and insurance companies.

The Advisory reflects the fact that OSFI is very focused on technological and cyber security issues. Advancements in information technology and digitisation make this an increasingly significant area of risk. OSFI clearly wants to be kept very informed of material incidents. OSFI expects to receive an initial notification, including significant details, within 72 hours, and to receive frequent updates after that until the incident is resolved. Note that while the Advisory addresses reporting requirements, it does not address OSFI’s expectations for an incident management framework.

The Advisory comes into effect on March 31, 2019 and will supersede any prior instructions for technology and cyber security incident reporting. In the meantime, FRFIs are expected to continue reporting any major incidents in accordance with previous instructions communicated to them.

Criteria for reporting

The Advisory states that Technology or Cyber Security Incidents assessed by a FRFI to be of a high or critical severity level should be reported to OSFI. Incident materiality should be defined in a FRFI’s incident management framework.

The Advisory lists characteristics that a reportable incident may have, including the following:

  • Significant operational impact to key/critical information systems or data; Material impact to FRFI operational or customer data;
  • Significant levels of system/service disruptions;
  • Extended disruptions to critical business systems/operations;
  • Number of external customers impacted is significant or growing;
  • Negative reputational impact is imminent;
  • Material impact to critical deadlines/obligations in financial market settlement or payment systems;
  • Material consequences to other FRFIs or the Canadian financial system and;
  • The incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.

The Advisory also contains an Appendix that provides examples of reportable incidents (cyber-attack, service availability and recovery, third party breach and extortion threat).

Initial notification requirements

A FRFI must notify OSFI after determining a Technology or Cyber Security Incident meeting the characteristics set out in the Advisory has occurred as promptly as possible, and within 72 hours. This report is to include significant details, including the following:

  • Date and time the incident was assessed to be material;
  • Date and time/period the incident took place;
  • Incident severity;
  • Incident type;
  • Incident description, including:
    – known direct/indirect impacts including privacy and financial;
    – known impact to one or more business segment, business unit, line of business or regions, including any third party involved;
    – whether incident originated at a third party, or has impact on third party services, and
    – the number of clients impacted.
  • Current status of incident;
  • Date for internal incident escalation to senior management or Board of Directors;
  • Mitigation actions taken or planned; and
  • Known or suspected root cause.

Subsequent reporting requirements

OSFI expects FRFIs to provide regular (eg, daily) updates as new information becomes available. OSFI expects to receive updates, including any short term and long term remediation actions and plans, until the incident is contained/resolved.

OSFI ultimately expects to receive a report on the FRFI’s post incident review and lessons learned.

Authors

Koker Christensen
PARTNER | CO-LEADER FINANCIAL INSTITUTIONS GROUP
Toronto, ON
 Alex Cameron
PARTNER | LEADER, PRIVACY & CYBERSECURITY
Toronto, ON

© 2017 Fasken Martineau DuMoulin LLP
The content of this website may contain attorney advertising under the laws of various states.

Previous article
The new UAE Foreign Direct Investment Law
Next article
Equity crowdfunding: (Another) fundraising alternative

Subscribe for exclusive content

We have a curated list of the most noteworthy news from all across the globe. With any subscription plan, you get access to exclusive articles that let you stay ahead of the curve.

Subscribe

Copyright inhousecommunity