OSFI Advisory tightens technology and cyber security incident reporting requirements
The Office of the Superintendent of Financial Institutions (OSFI) just released updated requirements governing how federally regulated financial institutions (FRFIs) should disclose and report technology and cyber security incidents to OSFI. The Advisory, which affects federally regulated banks, insurance companies, and credit unions, replaces the January 2019 Cyber Security Incident Reporting Advisory, which came into effect in March 2019. With the simultaneous release of OSFI’s updated Cyber Security Self-Assessment, OSFI has considerably tightened its requirements, demonstrating an increasing concern with the potential impacts of cybersecurity on the financial system and on individual financial institutions.
The changes made by OSFI in the updated Advisory will require FRFIs to make changes to their internal incident management processes and to the agreements and templates used with third party service providers. The changes can be seen in the redline comparing the 2019 Advisory with the 2021 Advisory shown below.
Some of the significant changes are summarized below.
The Advisory contains a new explicit purpose, which is to support “a coordinated and integrated approach to OSFI’s awareness of, and response to, technology and cyber security incidents at Federally Regulated Financial Institutions (FRFIs)”.
The Advisory defines a “technology or cyber security incident” as “an incident that has an impact, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information.” This replaces the definition in the prior advisory, which targeted only incidents with the “potential to, or has been assessed to, materially impact the normal operations of a FRFI”.
The Advisory also changes the threshold and timing for reporting security incidents to OSFI. The prior advisory required incidents to be reported if they were assessed by the FRFI to be “of a high or critical severity level”. Under the Advisory, FRFIs must report any technology or cyber security incident to OSFI. The Advisory requires reporting “within 24 hours, or sooner if possible”. As written, it appears to require incident reporting even before the FRFI is aware of the incident or has had an opportunity to confirm or classify its severity level. This is a change from the requirement under the prior advisory to report an incident “as promptly as possible, but no later than 72 hours” after determining an incident is reportable. The new reporting requirement is much stricter than under PIPEDA under which notifications must “be given as soon as feasible after the organization determines that the breach has occurred”.
OSFI also made significant changes to the criteria for reporting an incident. The reporting criteria are both more numerous and include criteria that will likely also result in more incidents being reportable. Under the Advisory, a reportable incident may have any one or more of the following characteristics:
- Impact has potential consequences to other FRFIs or the Canadian financial system;
- Impact to FRFI systems affecting financial market settlement, confirmations or payments (e.g., Financial Market Infrastructure), or impact to payment services;
- Impact to FRFI operations, infrastructure, data and/or systems, including but not limited to the confidentiality, integrity or availability of customer information;
- Disruptions to business systems and/or operations, including but not limited to utility or data centre outages or loss or degradation of connectivity;
- Operational impact to key/critical systems, infrastructure or data;
- Disaster recovery teams or plans have been activated or a disaster declaration has been made by a third party vendor that impacts the FRFI;
- Operational impact to internal users, and that poses an impact to external customers or business operations;
- Number of external customers impacted is growing; negative reputational impact is imminent (e.g., public and/or media disclosure);
- Impact to a third party affecting the FRFI;
- A FRFI’s technology or cyber incident management team or protocols have been activated;
- An incident that has been reported to the Board of Directors or Senior/Executive Management;
- A FRFI incident has been reported to:
  - the Office of the Privacy Commissioner;
  - another federal government department (e.g., the Canadian Center for Cyber Security);
  - other local or foreign supervisory or regulatory organizations or agencies;
  - any law enforcement agencies;
  - or has invoked internal or external counsel;
- A FRFI incident for which a Cyber insurance claim has been initiated;
- An incident assessed by a FRFI to be of a high or critical severity level, or ranked Priority/Severity/Tier 1 or 2 based on the FRFI’s internal assessment; or
- Technology or cyber security incidents that breach internal risk appetite or thresholds.
- For incidents that do not align with or contain the specific criteria listed above, or when a FRFI is uncertain, notification to OSFI is encouraged as a precaution.
Appendix 1 to the Advisory contains a non-exhaustive list of examples of reportable incidents, scenario descriptions, and impacts. Scenarios include cyber attacks, service availability and recovery, third party breach, and extortion threats.
As with the prior advisory, FRFIs are required to provide updates following the initial disclosure to OSFI. The prior advisory required reporting until “all material details about the incident have been provided”. The Advisory dropped the materiality standard. The prior advisory contained a detailed listing of what information had to be reported to OSFI. The Advisory replaced this list with a new Incident Reporting and Resolution Form.
The Advisory now also contains a new potential sanction for FRFIs who don’t report incidents as expected in the Advisory. Now a “Failure to report incidents as outlined above may result in increased supervisory oversight including but not limited to enhanced monitoring activities, watch-listing or staging of the FRFI”.
Many organisations carrying on business in Canada are already subject to data breach reporting obligations such as the generally applicable breach of security safeguard notice obligations under Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA requires notices to the Privacy Commissioner and individuals where “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”, as defined in PIPEDA.
FRFIs have had additional reporting requirements to their regulator (OSFI) since March 2019. The Advisory updates these requirements, making the reporting threshold lower. Further, while cybersecurity is a major focus of the Advisory, it also covers risks associated with technology failures, which considerably expands the types of incidents that must be reported.
The Advisory obligations are on top of other security obligations mandated by OSFI for FRFIs. For example, under the OSFI B-10 Outsourcing Guideline, FRFIs are expected to contract for security measures by the service provider that “would be commensurate with those of the FRE and should meet a reasonable standard in the circumstances”. OSFI also “expects appropriate security and data confidentiality protections to be in place.” OSFI also encourages FRFIs to use its updated Cyber Security Self-Assessment or similar tools to assess their current level of cyber preparedness and to develop and maintain effective cyber security practices.
The Advisory will require FRFIs to update their internal technology and cyber security incident policies and procedures to ensure that reports are made to OSFI when required. Further, as almost all federally regulated financial institutions in Canada rely on third parties to provide them with services, such as outsourcing, SaaS, payment processing, and cloud services, contracts with third parties may well need to be updated to meet these new requirements. Template agreements may also require some updates.
A link to the PDF that compares the updated Advisory to the prior advisory can be found here.
This article was first posted on www.barrysookman.com.