Updated requirements may be more onerous than those in PIPEDA, lawyers say
A federally regulated financial institution (FRFI) that fails to report a cyber incident may now be subject to measures imposed by the Office of the Superintendent of Financial Institutions (OSFI), including enhanced supervisory oversight or inclusion on its watch list.
The new advisory introduces requirements that may be more onerous than the Personal Information Protection and Electronic Documents Act’s reporting requirements for privacy breaches, since the latter’s obligation arises only when a person faces a real risk of significant harm, said a blog post by Bernice Karn, Gordon Goodman and Rick Da Costa of Cassels Brock & Blackwell LLP.
“In light of these changes, prudent FRFIs must have designated policies and procedures in place to deal with these incidents as and when they occur and to comply with the updated reporting requirements of OSFI,” said the blog post.
The office’s updated Technology and Cyber Security Incident Reporting advisory amends an FRFI’s disclosure and reporting requirements for technology and cyber security incidents such as cyber attacks, extortion threats, third-party outages and data breaches, said a news release. The advisory, which seeks to promote a coordinated and integrated response to such incidents, lists the characteristics that may make an incident reportable.
An FRFI should report such an incident to its lead supervisor and to the office’s Technology Risk Division within 24 hours. It is then expected to keep the office regularly updated as further information becomes available, including situation updates on remediation actions and plans. After the incident has been contained, recovered from and closed, the FRFI should provide the office with a report covering its post-incident review and lessons learned.
The new advisory replaces the initial advisory, which was published in January 2019, and which took effect in March 2019.
The office has also updated its Cyber Security Self-Assessment, which gauges an FRFI’s ability to respond to a cyber incident in terms of its organization and resources and its manner of managing threats, risks and incidents. FRFIs can grade each area on a scale from non-existent to continuous improvement. The self-assessment, which replaces the initial version published in October 2013, aims to help FRFIs prepare for cyber threats, which are on the rise.
“Canada's financial institutions are vital to our economy - this new Advisory and Self-Assessment from OSFI will help protect their businesses as well as the stability of the financial sector,” said Peter Routledge, superintendent of financial institutions, in the news release.