Co-authored by Philippe Dalmau, Summer Law Student

On October 23, 2024, the Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents (available in French only) was published. It will come into force in April 2025.

The regulation sets out a framework for the management and reporting of information security incidents for certain financial institutions and credit assessment agents that are subject to various enabling statutes, including:

  1. Insurers authorized under the Insurers Act (chapter A-32.1) and federations of mutual companies that are subject thereto.
  2. Federations and credit unions not members of a federation that are subject to the Act respecting financial services cooperatives (chapter C-67.3).
  3. Deposit institutions authorized under the Deposit Institutions and Deposit Protection Act (chapter I-13.2.2).
  4. Trust companies authorized under the Trust Companies and Savings Companies Act (chapter S-29.02).
  5. Credit assessment agents designated under the Credit Assessment Agents Act (chapter A-8.2).

This regulation, which specifically applies to institutions governed by the Autorité des marchés financiers, overlaps with the personal information requirements set out in the Act respecting the protection of personal information in the private sector (CQLR c P-39.1), under the supervision of the Commission d'accès à l'information du Québec.

To help organizations understand these two parallel regimes and support them in their compliance efforts, we have created a comparative chart highlighting the similarities, differences and potential sanctions. Download it now to access this essential and simplified overview.