The Office of the Superintendent of Financial Institutions (OSFI) just published an advisory letter for federally regulated financial institutions (FRFIs). The advisory sets out OSFI's expectations for FRFI cybersecurity incident reporting, gives examples of incidents that should be reported to OSFI, and specifies the reporting requirements. It will become effective March 31, 2019.
For the purpose of the advisory, a technology or cybersecurity incident is defined "to have the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information."
The following characteristics may make an incident reportable:
Some examples of reportable incidents include:
A FRFI must notify its Lead Supervisor and TRD@osfi-bsif.gc.ca as promptly as possible, but no later than 72 hours after determining that an incident is reportable.
The advisory sets out a list of specific information that must be included in the initial report, such as a description of the incident that covers the date and time, type, severity, direct and indirect impacts, origination, number of clients impacted, root cause, current status, and mitigation steps taken.
OSFI also expects FRFIs to provide regular updates as new information becomes available, and until all material details about the incident have been provided. Finally, the FRFI will also need to send a post-incident review and "lessons learned" report to OSFI after the incident is closed.
FRFIs should incorporate the requirements of the advisory into their Incident Response Plan. Testing how the organization would react to a reportable incident (through a tabletop exercise or other simulation) is a key component of ensuring that, when an attack happens, the FRFI is ready to comply with its obligations. In advance of an attack, FRFIs should also consider how the reporting obligations under this advisory may interact with other regulatory reporting and notification obligations.
If you would like further information or advice in respect of this advisory, or in respect of other cybersecurity matters, please contact Ruth Promislow or Kate Rusk.