Human Resources Legislative Update

Significant New Incident Reporting Requirement for Federally Regulated Financial Institutions

Date: February 5, 2019

The Office of the Superintendent of Financial Institutions (OSFI) has recently issued an advisory of significance to federally regulated financial institutions (FRFIs). Beginning on March 31, 2019, FRFIs will be required to report material technology or cyber incidents to OSFI.

An incident is defined as follows:

a technology or cyber security incident is defined to have the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information

OSFI expects FRFIs to define materiality in their incident response policies and report what they deem to be of “high or critical severity” within 72 hours of making the determination (not within 72 hours of discovering an incident). OSFI says “a reportable incident may have any of the following characteristics”:

  • Significant operational impact to key / critical information systems or data
  • Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data
  • Significant operational impact to internal users that is material to customers or business operations
  • Significant levels of system / service disruptions
  • Extended disruptions to critical business systems / operations
  • Number of external customers impacted is significant or growing
  • Negative reputational impact is imminent (e.g., public / media disclosure)
  • Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure)
  • Significant impact to a third party deemed material to the FRFI
  • Material consequences to other FRFIs or the Canadian financial system
  • A FRFI incident has been reported to the Office of the Privacy Commissioner or local / foreign regulatory authorities.

All FRFIs should have incident response policies that define and structure the response to “incidents.” They should now re-examine these policies and ensure their definition of “incident” encompasses the OSFI definition. They should also expressly note the OSFI reporting requirement and define “materiality” carefully and in a manner that invites every incident to be assessed in light of all the relevant context and circumstances.

A full copy of the advisory is available here. If you have any questions, please contact Dan Michaluk, Jordan Simon or your regular Hicks Morley lawyer.