OSFI releases new reporting guidelines for technological and cyber security incidents
The Office of the Superintendent of Financial Institutions (OSFI), regulator of federally registered banks and insurers, trust and loan companies, and private pension plans subject to federal oversight, issued an Advisory on Technology and Cyber Security Incident Reporting on 24 January 2019. The new guidelines, effective 31 March 2019, will apply to all federally regulated financial institutions (FRFIs) and supersede any prior guidance on cyber security incident reporting released by OSFI.
Under the new guidance, technology or cyber security incidents of a “high or critical severity level” should be reported to OSFI “as promptly as possible, but no later than 72 hours”. The FRFI has discretion to determine incident materiality, with OSFI noting that “FRFIs should define incident materiality in their incident management framework”. However, OSFI does provide a list of criteria that may apply to a “reportable incident”, which includes the following:
- Significant operational impact to critical information systems or data;
- Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
- Significant levels of system / service disruptions;
- Extended disruptions to critical business systems / operations;
- Number of external customers impacted is significant or growing;
- Negative reputational impact is imminent (e.g. public/media disclosure);
- Material impact to critical deadlines/obligations in financial market settlement or payment systems;
- Significant impact to a third party deemed material to the FRFI;
- Material consequences to other FRFIs or the Canadian financial system; and
- The incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.
The initial incident notification to OSFI should include:
- the date and time at which the incident was assessed to be material;
- when the incident initially took place;
- the severity and type of the incident (e.g. malware, data breach, extortion);
- the current status of the incident and the planned mitigation actions; and
- the date of internal escalation to senior management and/or board members.
Reporting obligations are ongoing: OSFI expects the FRFI to provide regular updates as new information becomes available. Following the incident, FRFIs are obligated to provide OSFI with a post-incident review report, including lessons learned.
Cyber liability insurance contains valuable first-party coverage that can help businesses mitigate the financial effects of both technology and cyber risk. If a company experiences a data breach or covered cyber security incident, cyber insurance could respond to cover expenses associated with reporting to and communicating with regulatory, supervisory or administrative authorities, such as OSFI. A cyber policy may also provide first-party breach response services and indemnity for related notification and credit/identity theft monitoring costs. Third-party liability coverage may also be available for settlement and judgment amounts, as well as legal fees, in the event that the organization later faces a civil lawsuit or a regulatory investigation or proceeding stemming from a cyber security incident.