The Office of the Superintendent of Financial Institutions ("OSFI") today issued an advisory setting out new guidelines for how federally regulated financial institutions ("FRFI") report technology or cyber security breaches. The Advisory references and complements the cyber security self-assessment guidance OSFI released in 2013.
The advisory affects a wide swath of financial entities, as OSFI has oversight over all banks, federally incorporated or registered trust and loan companies, cooperative credit associations, insurance companies, fraternal benefit societies, private pension plans, and federal cooperatives.
Under the new guidelines, which will go into effect on March 31, 2019, FRFIs are expected to report cyber security or technology-related incident that are of a "high or critical severity level" to OSFI. These are defined as incidents that materially impact the normal operations of an FRFI, including incidents affecting the confidentiality, integrity, or availability of the FRFI's systems or its information.
While OSFI does not explain what constitutes a "material" breach of sufficient severity to warrant a report, it offers some guidance, noting that a reportable incident may have:
- Significant operational impact to key/critical information systems or data;
- Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
- Significant operational impact to internal users that is material to customers or business operations;
- Significant levels of system / service disruptions;
- Extended disruptions to critical business systems / operations;
- Number of external customers impacted is significant or growing;
- Negative reputational impact is imminent (e.g., public/media disclosure);
- Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
- Significant impact to a third party deemed material to the FRFI;
- Material consequences to other FRFIs or the Canadian financial system; or
- A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.
If an incident occurs, an FRFI has 72 hours to notify its OSFI Lead Supervisor, and is expected to notify OSFI's Technology Risk Division (TRD) by email (TRD@osfi-bsif.gc.ca). The affected FRFI also has an ongoing obligation to disclose additional information that becomes available, as well as any remediation plans. Once the incident has been satisfactorily addressed, the FRFI is also expected to report with a post-incident review to OSFI, reflecting lessons learned.
The Advisory stems from OSFI's commitment in its 2018-19 Departmental Plan to re-examine OSFI's "role in, and approach to, enhancing cyber security at Canadian financial institutions." OSFI notes in the 2018-19 Plan that its efforts on this front are to take place "within the broader context of Canada's overall cyber strategy," and that its efforts will focus on "deepening its understanding of risk factors arising outside of its direct responsibilities (e.g., financial technologies) and adjusting OSFI's prudential expectations if warranted." Interestingly, Canada's current national cyber security strategy, rolled out in June 2018, says nothing specific about OSFI, and makes only passing reference to financial institutions, in commenting on their value as targets for cyber attacks.
It will be interesting to observe how the guidelines set out by OSFI and other authorities to address emerging cyber security risks mesh with the broader national strategy set out by Public Safety Canada, and how quickly and fully institutions embrace this guidance.