Federally regulated financial institutions face new technology and cyber incident obligations

Updated requirements may be more onerous than those in PIPEDA, lawyers say


A federally regulated financial institution (FRFI) that fails to report a cyber incident may now be subject to measures imposed by the Office of the Superintendent of Financial Institutions (OSFI), including enhanced supervisory oversight or placement on its watch list.

The updated advisory introduces requirements that may be more onerous than the breach-reporting requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA), which are triggered only when a privacy breach creates a real risk of significant harm to an individual, said a blog post by Bernice Karn, Gordon Goodman and Rick Da Costa of Cassels Brock & Blackwell LLP.

“In light of these changes, prudent FRFIs must have designated policies and procedures in place to deal with these incidents as and when they occur and to comply with the updated reporting requirements of OSFI,” said the blog post.

OSFI's updated Technology and Cyber Security Incident Reporting advisory amends an FRFI's disclosure and reporting requirements for technology and cyber security incidents such as cyber attacks, extortion threats, third-party outages and data breaches, said a news release. The advisory, which seeks to promote a coordinated and integrated response to such incidents, lists the possible characteristics of a reportable incident.

An FRFI should report such an incident to its lead supervisor and to OSFI's Technology Risk Division within 24 hours, and is then expected to provide OSFI with regular updates as new information is acquired, including remediation actions and plans. Once the incident has been contained, recovered from and closed, the FRFI should provide OSFI with a report covering the post-incident review and lessons learned.

The new advisory replaces the initial advisory, which was published in January 2019 and took effect in March 2019.

OSFI has also updated its Cyber Security Self-Assessment, which gauges an FRFI's ability to respond to a cyber incident in terms of its organization and resources and of how it manages threats, risks and incidents. FRFIs grade each area on a scale from "non-existent" to "continuous improvement". The self-assessment, which replaces the initial version published in October 2013, aims to help FRFIs better prepare for cyber threats, which are on the rise.

“Canada's financial institutions are vital to our economy - this new Advisory and Self-Assessment from OSFI will help protect their businesses as well as the stability of the financial sector,” said Peter Routledge, superintendent of financial institutions, in the news release.
