Federally regulated financial institutions face new technology and cyber incident obligations

Updated requirements may be more onerous than those in PIPEDA, lawyers say

A federally regulated financial institution (FRFI) that fails to report a cyber incident may now be subject to certain measures imposed by the Office of the Superintendent of Financial Institutions, including enhanced supervisory oversight or inclusion in its watch list.

This new advisory introduces requirements which may be more onerous than the Personal Information Protection and Electronic Documents Act’s reporting requirements for privacy breaches, with the latter’s obligation arising when a person faces a real risk of significant harm, said a blog post by Bernice Karn, Gordon Goodman and Rick Da Costa of Cassels Brock & Blackwell LLP.

“In light of these changes, prudent FRFIs must have designated policies and procedures in place to deal with these incidents as and when they occur and to comply with the updated reporting requirements of OSFI,” said the blog post.

The office’s updated Technology and Cyber Security Incident Reporting advisory amends an FRFI’s disclosure and reporting requirements in the face of technology and cyber security incidents like cyber attacks, extortion threats, third-party outages and data breaches, said a news release. The advisory, which seeks to promote a coordinated and integrated response to such incidents, lists the possible characteristics for a reportable incident.

An FRFI should report such an incident to its lead supervisor and to the office’s Technology Risk Division within 24 hours. It is then expected to keep the office regularly updated with any additional information it acquires and with situation updates such as remediation actions and plans. After the incident has been contained, recovered from and closed, the FRFI should provide the office with a report covering the post-incident review and lessons learned.

The new advisory replaces the initial advisory, which was published in January 2019, and which took effect in March 2019.

The office has also updated its Cyber Security Self-Assessment, which gauges an FRFI’s ability to respond to a cyber incident in terms of its organization and resources and its manner of managing threats, risks and incidents. FRFIs can grade each area on a scale from non-existent to continuous improvement. This self-assessment, which replaces the initial version published in October 2013, aims to help FRFIs be better prepared for cyber threats, which are on the rise.

“Canada's financial institutions are vital to our economy - this new Advisory and Self-Assessment from OSFI will help protect their businesses as well as the stability of the financial sector,” said Peter Routledge, superintendent of financial institutions, in the news release.
