Reporting Cyber-threats to Financial Institutions
Office of the Superintendent of Financial Institutions issues Advisory
On March 31, 2019, the Technology and Cyber Security Reporting Advisory came into effect, setting out the Office of the Superintendent of Financial Institutions’ (OSFI) expectations for federally regulated financial institutions (FRFIs) with regard to technology or cyber security incidents. A “technology or cyber security incident” is defined as an incident which has “the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information.” FRFIs are expected to report to OSFI any incident assessed at a high or critical severity level. The Advisory indicates that a “reportable incident” is one that may have:
- Significant operational impact to key/critical information systems or data;
- Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
- Significant operational impact to internal users that is material to customers or business operations;
- Significant levels of system / service disruptions;
- Extended disruptions to critical business systems / operations;
- Number of external customers impacted is significant or growing;
- Negative reputational impact is imminent (e.g., public/media disclosure);
- Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
- Significant impact to a third party deemed material to the FRFI;
- Material consequences to other FRFIs or the Canadian financial system;
- The incident has been reported to the Office of the Privacy Commissioner or to local/foreign regulatory authorities.
An FRFI is expected to notify OSFI in writing as promptly as possible, and no later than 72 hours after determining that an incident meets the reporting criteria. After the initial notification, the FRFI should provide OSFI with regular situation updates (e.g., daily) as new information becomes available, until all material details have been provided and the incident is contained or resolved. The Advisory also provides four example scenarios of reportable incidents: a cyber-attack, a service availability and recovery event, a third party breach, and an extortion threat.