Federally regulated financial institutions face new technology and cyber incident obligations

Updated requirements may be more onerous than those in PIPEDA, lawyers say

A federally regulated financial institution (FRFI) that fails to report a cyber incident may now be subject to certain measures imposed by the Office of the Superintendent of Financial Institutions, including enhanced supervisory oversight or inclusion in its watch list.

This new advisory introduces requirements which may be more onerous than the Personal Information Protection and Electronic Documents Act’s reporting requirements for privacy breaches, with the latter’s obligation arising when a person faces a real risk of significant harm, said a blog post by Bernice Karn, Gordon Goodman and Rick Da Costa of Cassels Brock & Blackwell LLP.

“In light of these changes, prudent FRFIs must have designated policies and procedures in place to deal with these incidents as and when they occur and to comply with the updated reporting requirements of OSFI,” said the blog post.

The office’s updated Technology and Cyber Security Incident Reporting advisory amends an FRFI’s disclosure and reporting requirements in the face of technology and cyber security incidents like cyber attacks, extortion threats, third-party outages and data breaches, said a news release. The advisory, which seeks to promote a coordinated and integrated response to such incidents, lists the possible characteristics for a reportable incident.

An FRFI should report such an incident to its lead supervisor and to the Technology Risk Division at the office within 24 hours. It is then expected to give the office regular updates as it acquires additional information, along with situation updates such as remediation actions and plans. After the containment, recovery and closure of the incident, the FRFI should provide the office with a report covering the post-incident review and lessons learned.

The new advisory replaces the initial advisory, which was published in January 2019, and which took effect in March 2019.

The office has also updated its Cyber Security Self-Assessment, which determines an FRFI’s ability to respond to a cyber incident in terms of organization and resources, its manner of managing threats, risks and incidents. FRFIs can grade each area on a scale from non-existent to continuous improvement. This self-assessment, which replaces the initial version published in October 2013, aims to assist FRFIs in being more prepared for cyber threats, which are on the rise.

“Canada's financial institutions are vital to our economy - this new Advisory and Self-Assessment from OSFI will help protect their businesses as well as the stability of the financial sector,” said Peter Routledge, superintendent of financial institutions, in the news release.
