The issue of cyber security incidents seems to continue to be a hot topic for regulators. Late last year, federal Breach of Security Safeguards Regulations came into force, which require organizations to report to the Office of the Privacy Commissioner (OPC), any breach of security safeguards involving personal information under its control where the breach creates a “real risk of significant harm”. Last week, The Office of the Superintendent of Financial Institutions (OSFI) published an advisory, Technology and Cyber Security Incident Reporting, which sets out OSFI’s expectations for Federally Regulated Financial Institutions (FRFIs) with respect to the reporting of technology and cyber security incidents. The advisory becomes effective on March 31, 2019.
OSFI’s advisory defines a technology or cyber security incident as an event that has the “potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information”. The advisory goes on to give guidance on what a reportable incident may look like:
- Significant operational impact to key/critical information systems or data;
- Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
- Significant operational impact to internal users that is material to customers or business operations;
- Significant levels of system/service disruptions;
- Extended disruptions to critical business systems/operations;
- Number of external customers impacted is significant or growing;
- Negative reputational impact is imminent (e.g., public/media disclosure);
- Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
- Significant impact to a third party deemed material to the FRFI;
- Material consequences to other FRFIs or the Canadian financial system;
- A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.
Unlike the Breach of Security Safeguards Regulation, which apply to all companies operating in Canada, OSFI’s advisory applies only to FRFIs. These include banks and insurance companies.
How Do the Reporting Obligations Differ?
Incidents that need to be reported to the OPC focuses on “a breach of security safeguards” involving personal information, where it is reasonable to believe that the breach creates a “real risk of significant harm” by assessing factors such as the sensitivity of the personal information involved, and the probability of misuse. Incidents should be reported as soon as feasible.
Incidents that need to be reported to OSFI focuses on operational impact to the integrity or availability of information systems. Items to be looked at include things such as service disruptions, as well as impacts to critical deadlines related to financial market settlement, payment systems, soundness of business etc. These incidents may or may not include personal information. The OSFI advisory does state one of the considerations for reporting is if the incident has been reported to the OPC. Incidents should be reported as soon as possible, but no later than 72 hours after determining an incident has occurred.
It is possible (even probable) that a FRFI would need to report an incident to both the OPC and OSFI. While organizations that are not FRFI’s are not required to report to OSFI, the advisory may still contain useful guidance in thinking about security, breaches, and best-practices for breach response.
Below is a comparison chart noting the differences (or similarities) between reporting obligations:
| Breach of Security Safeguards Regulations | OSFI Advisory | |
| Who does it apply to? | All Organizations. | All Federally Regulated Financial Institutions. |
| Who is a breach reported to? | The organization must report the breach to the OPC, but also notify affected individuals. | The FRFIs must report the breach to its Lead Supervisor as well as TRD@osfi-bsif.gc.ca |
| When is a breach reported? | As soon as feasible after the organization determines the breach has occurred. | As soon as possible, but no later than 72 hours after determining an incident has occurred. |
| What type of breach is reported? | A breach of security safeguards involving personal information where the breach creates a “real risk of significant harm”. | Incidents that have a material operational impact to the integrity or availability of information systems. |
| What type of information must be included in the report? | A description of the circumstances of the breach and, if known, the cause;
The day or the period in which the breach occurred; A description of the personal information that was involved in the breach; An estimate of the number of individuals impacted – where the breach creates a real risk of significant harm; The steps that the organization has taken to reduce the risk of harm to the impacted individuals; The steps that the organization has taken, or will take, to notify impacted individuals; and The name and contact information of a person the OPC can liaison with. |
Date and time the incident was assessed to be material;
Date and time/period the incident took place; Incident severity and type (e.g. DDoS, malware, data breach, extortion); A description of the incident (including known direct/indirect impacts, the number of clients impacted etc.); Primary method used to identify the incident; Current status of incident; Date for internal incident escalation to senior management or Board of Directors; Mitigation actions taken or planned; Known or suspected root cause; and Name and contact information for the FRFI incident executive lead and liaison with OSFI. |
We’re Here To Help
If you have questions about this new advisory related to your reporting obligations for technology and cyber security incidents, or compliance in general, please contact us.