{"id":5976,"date":"2021-09-13T16:31:11","date_gmt":"2021-09-13T20:31:11","guid":{"rendered":"https:\/\/www.millerthomson.com\/osfi-updates-cybersecurity-breach-notification-requirements\/"},"modified":"2026-03-10T15:49:58","modified_gmt":"2026-03-10T19:49:58","slug":"osfi-updates-cybersecurity-breach-notification-requirements","status":"publish","type":"post","link":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/osfi-updates-cybersecurity-breach-notification-requirements\/","title":{"rendered":"OSFI updates cybersecurity breach notification requirements"},"content":{"rendered":"\n

The Office of the Superintendent of Financial Institutions (\u201cOSFI<\/strong>\u201d) released a new Advisory on Technology and Cyber Security Incident Reporting<\/a>, effective August 13, 2021 (the \u201cAdvisory<\/strong>\u201d) which seeks to govern how federally-regulated financial institutions (\u201cFRFIs<\/strong>\u201d) should disclose and report technology and cybersecurity incidents. The Advisory replaces its January 2019 predecessor, on which we have previously commented<\/a>. The requirements are in addition to any potential privacy breach reporting requirements that institutions may be subject to under the federal Personal Information Protection & Electronic Documents Act <\/em>(\u201cPIPEDA<\/strong>\u201d) or provincial privacy legislation such as Alberta\u2019s Personal Information Protection Act<\/em>.<\/p>\n\n\n\n

An increased role for OSFI?<\/h2>\n\n\n\n

According to OSFI, the purpose of the current Advisory is to provide a \u201ccoordinated and integrated approach to OSFI\u2019s awareness of, and response to, technology and cyber security incidents\u201d at FRFIs, indicating a more pronounced role for OSFI in addressing cyber preparedness. While the Advisory sets out OSFI\u2019s current incident reporting requirements in detail, it is noteworthy that OSFI does not specify any explicit expectations in relation to what an incident management framework should look like. Accordingly, each FRFI appears to have some degree of discretion as to how to structure its own framework, provided that the reporting requirements prescribed by the Advisory are met.<\/p>\n\n\n\n

Changes to mandatory incident reporting requirements<\/h2>\n\n\n\n

There have been significant changes to the reporting requirements such that reporting is likely to occur more promptly and with greater frequency where a cybersecurity incident transpires.<\/p>\n\n\n\n

Reports to be provided within 24h<\/h3>\n\n\n\n

Firstly, the Advisory requires FRFIs to report a technology or cyber security incident to OSFI\u2019s Technology Risk Division and their Lead Superior at OSFI within 24 hours, or sooner if possible. This timeline has been shortened from the previous 72-hour window. OSFI recognizes that the shortened timeline will likely mean that information requested remains unavailable and provides guidance for how to report such initial information accordingly. It also includes subsequent reporting requirements as new information becomes available.<\/p>\n\n\n\n

Reporting form<\/h3>\n\n\n\n

Incidents must be reported using a new Incident Reporting and Resolution form<\/a>, shown in Appendix II of the Advisory. The form serves as a more streamlined process from the former advisory which solely outlined the expected details of a response.<\/p>\n\n\n\n

More extensive reporting criteria<\/h3>\n\n\n\n

The Advisory\u2019s criteria for reporting is more extensive, which will result in more incidents being reported. Under the Advisory, a reportable incident may have a number of characteristics including any one or more of the following:<\/p>\n\n\n\n