On January 20, 2019, the Office of the Superintendent of Financial Institutions of Canada (OSFI) issued an Advisory (also read: OSFI’s Guidance on cyber incident management framework) regarding the responsibilities of federally regulated financial institutions (FRFI), including banks, federal credit unions, and loan and trust companies, to report Technology and Cyber incidents (effective date: March 31, 2019). The threshold for reporting is a “high” or “critical” severity level. The assessment is to be made by the institution itself.
Notification to the Lead Supervisor must be made within 72 hours (similar to the notification timelines under the European General Data Protection Regulation (GDPR) for incidents involving personal information). Since November 1, 2018, breaches involving personal information have been reportable under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), but PIPEDA does not prescribe a precise notification timeline.
It is important to note that reportable cyber incidents under this OSFI Advisory go far beyond those breaches that involve or impact customer or personal information. The Advisory sets out examples of incident characteristics institutions should consider reportable:
- Significant operational impact to key/critical information systems or data;
- Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
- Significant operational impact to internal users that is material to customers or business operations;
- Significant levels of system/service disruptions;
- Extended disruptions to critical business systems/operations;
- Number of external customers impacted is significant or growing;
- Negative reputational impact is imminent (e.g., public/media disclosure);
- Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
- Significant impact to a third party deemed material to the FRFI;
- Material consequences to other FRFIs or the Canadian financial system; and
- A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.
The institution must also notify the OSFI Technology Risk Division and the Lead Supervisor in writing as soon as possible, and must provide regular updates on the incident as new information emerges, as well as on the progress of remediation and mitigation. These updates must continue until the incident is contained and resolved.
When facing cyber or technology incidents, FRFIs now have a number of related but separate reporting and notification requirements to consider, in particular for incidents that involve both personal information and other negative reputational, operational, financial or systems impact. That is, reporting may be required under PIPEDA, to OSFI, under neither, or under both, and potentially even under the GDPR, with each regime applying a different analysis as to why an incident requires a report or public notification.