On August 13, 2021, the Office of the Superintendent of Financial Institutions (OSFI) published updated requirements for all federally regulated financial institutions (FRFIs), including banks and insurance companies, to disclose and report technology or cyber security incidents to OSFI. The updated Advisory on Technology and Cyber Security Incident Reporting (the "2021 Advisory") supersedes the previous Advisory (the "2019 Advisory") that was issued on January 24, 2019 and summarized in our previous bulletin.

The 2021 Advisory, which is effective August 13, 2021, contains a number of key changes from the 2019 Advisory, beginning with a newly defined purpose to support a "coordinated and integrated approach to OSFI's awareness of, and response to, technology and cyber security incidents" at FRFIs. While OSFI has been active in relation to technology and cyber security incidents at FRFIs to date, the new purpose statement in the 2021 Advisory suggests that FRFIs should expect potentially increased involvement of OSFI in the context of such incidents going forward.

With the 2021 Advisory, OSFI has also published an updated Cyber Security Self-Assessment to assist FRFIs in determining their "cyber preparedness" and ability to respond to a cyber incident. The updated Cyber Security Self-Assessment supersedes the previous Cyber Security Self-Assessment Guidance that was issued on October 27, 2013. In this bulletin, we review the 2021 Advisory and the updated Cyber Security Self-Assessment.

Revised Criteria for Reporting

The 2021 Advisory defines a technology or cyber security incident to mean an "incident that has an impact, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information". This definition captures a broader range of incidents than the definition in the 2019 Advisory. The previous definition of a technology or cyber security incident required there to be a "material" impact, potential or assessed, on the "normal" operations of a FRFI. Further, unlike in the 2019 Advisory, the reporting threshold in the 2021 Advisory does not require the FRFI to assess a technology or cyber security incident as being of a high or critical severity level under its incident management framework, although such an assessment has been adopted as one of the criteria for a reportable incident.

The modified threshold for a reportable incident is also reflected in the updated criteria, which adds new characteristics of a reportable incident and, unlike the 2019 Advisory, does not require impacts or disruptions to be "material" or "significant". These updated criteria for reporting are not exhaustive and any one or more may trigger the reporting obligation in a given scenario.

Revisions to the Criteria for a Reportable Incident

Each pair below sets out the 2019 Advisory criterion followed by the corresponding 2021 Advisory criterion; the final group lists criteria that are new in the 2021 Advisory and have no 2019 counterpart.

2019 Advisory: Material consequences to other FRFIs or the Canadian financial system.
2021 Advisory: Impact has potential consequences to other FRFIs or the Canadian financial system.

2019 Advisory: Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure).
2021 Advisory: Impact to FRFI systems affecting financial market settlement, confirmations or payments (e.g., Financial Market Infrastructure), or impact to payment services.

2019 Advisory: Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data.
2021 Advisory: Impact to FRFI operations, infrastructure, data and/or systems, including but not limited to the confidentiality, integrity or availability of customer information.

2019 Advisory: Significant levels of system/service disruptions; extended disruptions to critical business systems/operations.
2021 Advisory: Disruptions to business systems and/or operations, including but not limited to utility or data centre outages or loss or degradation of connectivity.

2019 Advisory: Significant operational impact to key/critical information systems or data.
2021 Advisory: Operational impact to key/critical systems, infrastructure or data.

2019 Advisory: Significant operational impact to internal users that is material to customers or business operations.
2021 Advisory: Operational impact to internal users that poses an impact to external customers or business operations.

2019 Advisory: Number of external customers impacted is significant or growing.
2021 Advisory: Number of external customers impacted is growing.

2019 Advisory: Negative reputational impact is imminent (e.g., public/media disclosure).
2021 Advisory: Negative reputational impact is imminent (e.g., public and/or media disclosure).

2019 Advisory: Significant impact to a third party deemed material to the FRFI.
2021 Advisory: Impact to a third party affecting the FRFI.

2019 Advisory: A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.
2021 Advisory: A FRFI incident has been reported to:
  • the Office of the Privacy Commissioner;
  • another federal government department (e.g., the Canadian Centre for Cyber Security);
  • other local or foreign supervisory or regulatory organizations or agencies; or
  • any law enforcement agencies;
  or the FRFI has invoked internal or external counsel.

New criteria in the 2021 Advisory (no 2019 counterpart):
  • Disaster recovery teams or plans have been activated, or a disaster declaration has been made by a third party vendor that impacts the FRFI.
  • A FRFI's technology or cyber incident management team or protocols have been activated.
  • An incident that has been reported to the Board of Directors or Senior/Executive Management.
  • A FRFI incident for which a cyber insurance claim has been initiated.
  • An incident assessed by a FRFI to be of a high or critical severity level, or ranked Priority/Severity/Tier 1 or 2 based on the FRFI's internal assessment.
  • Technology or cyber security incidents that breach internal risk appetite or thresholds.


As a general point, the updated Advisory also notes that "[f]or incidents that do not align with or contain the specific criteria listed above, or when a FRFI is uncertain, notification to OSFI is encouraged as a precaution". The 2021 Advisory maintains the previous guidance that in a scenario where an FRFI is in doubt as to whether an incident should be reported, the FRFI should consult their Lead Supervisor at OSFI. It also largely maintains a non-exhaustive list of examples of reportable incidents. However, in line with the reporting criteria above, for the example of a material third party being breached and the FRFI being notified that the third party is investigating, the impact description is updated so that a possible impact to FRFI data no longer needs to be "material" for the incident to be reportable.

Timing and Form for Reporting

The 2021 Advisory requires FRFIs to report a technology or cyber security incident to OSFI's Technology Risk Division and their Lead Supervisor at OSFI within 24 hours, or sooner if possible. This is shorter than the 72-hour timeline in the 2019 Advisory and in many cases will mean that an FRFI will have only preliminary information about an incident.

Incidents must be reported using the new Incident Reporting and Resolution Form appended to the 2021 Advisory. In contrast to the 2019 Advisory, which only set out the expected details of a written response, the new Form contains pre-set response options and asks for specific incident details, including whether cyber insurance has been accessed. Although subsequent reporting requirements remain largely the same, including providing regular updates to OSFI when new information becomes available, the expectation is now to provide all incident details rather than only material incident details.

Failure to Report

The 2021 Advisory sets out new potential consequences for failing to report incidents, including increased supervisory oversight that could be in the form of enhanced monitoring activities, being placed on a watch list, or being assigned to a stage in OSFI's supervisory intervention approach. The potential burdens associated with increased supervision could be significant.

Cyber Security Self-Assessment

The updated Cyber Security Self-Assessment notes that its changes are a reflection of the current environment in which the "increasing frequency, severity and sophistication of cyber threats and attacks has resulted in an elevated risk profile" for FRFIs, and the "digitalization of financial services is broadening the attack surface and introducing new entry points into FRFIs' technology environment".

The updated Self-Assessment has new cyber risk rating levels to help assess the maturity of individual security controls. Whereas the definitions for the previous cyber risk rating levels focused more on the degree of implementation, the definitions for the new cyber risk rating levels focus more on the quality of implementation, such as the degree to which the performance of controls is evaluated. This is also reflected in the various changes to the controls, which now include sections on topics such as cloud service providers.

Importantly, the updated Self-Assessment affirms that OSFI will be establishing new guidance for the "sound management of technology and cyber risk" and that the Self-Assessment will supplement this guidance. Given OSFI's greater attention to cyber security, the Self-Assessment may be viewed by OSFI as an expected practice. It may also set a standard against which other organizations may measure their cyber security preparedness.

Takeaways for FRFIs and Service Providers

FRFIs should ensure they are in compliance with the 2021 Advisory by reviewing and revising their incident management frameworks, including related policies and procedures, to incorporate the new thresholds and requirements. This may require revisiting existing agreements with third party service providers and related agreement templates to ensure that their provisions and mechanisms facilitate the FRFI's ability to satisfy its incident disclosure and reporting obligations, particularly with respect to the new lowered threshold for reportability and shorter timeline for reporting incidents.

Similarly, service providers that provide information technology and other services to FRFIs may wish to update their Canadian financial industry templates to pre-empt the concerns of financial industry customers, and should expect that such customers may ask to amend existing agreements to be more in line with the updated Advisory. In considering such modifications, FRFIs and service providers should also be mindful of the provisions of OSFI's updated Cyber Security Self-Assessment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.