Featured OSFI Cybersecurity Guidance And Notification Requirements - Technology

Published on September 1st, 2021


OSFI, the Canadian Federal Office of the Superintendent of Financial Institutions, on August 13, 2021, issued new guidance on Technology and Cyber Security Incident Reporting, replacing prior guidance of March 2019.

The new guidance steps up and clarifies reporting requirements for Federally Regulated Financial Institutions (FRFIs) in the event of technology or cybersecurity incidents which affect their operations. Federally Regulated Financial Institutions include, for example: banks, federally incorporated or registered trust and loan companies, insurance companies and pension plans subject to federal oversight. The guidance does not otherwise set out OSFI's expectations for incident response management. Simultaneously, OSFI published a self-assessment memo for use by FRFIs dealing with preparedness, updating prior guidance from 2013.

For the guidance's purposes, "technology or
cybersecurity incident" is defined as an incident that has an
impact, or the potential to have an impact on the operations of a
FRFI, including its confidentiality, integrity or the availability
of its systems and information.

"A reportable incident may have any one or more of the following characteristics:

  • Impact has potential consequences to other FRFIs or the
    Canadian financial system;
  • Impact to FRFI systems affecting financial market settlement,
    confirmations or payments (e.g., Financial Market Infrastructure),
    or impact to payment services;
  • Impact to FRFI operations, infrastructure, data and/or systems,
    including but not limited to the confidentiality, integrity or
    availability of customer information;
  • Disruptions to business systems and/or operations, including
    but not limited to utility or data centre outages or loss or
    degradation of connectivity;
  • Operational impact to key/critical systems, infrastructure or
    data;
  • Disaster recovery teams or plans have been activated or a
    disaster declaration has been made by a third party vendor that
    impacts the FRFI;
  • Operational impact to internal users, and that poses an impact
    to external customers or business operations;
  • Number of external customers impacted is growing; negative
    reputational impact is imminent (e.g., public and/or media
    disclosure);
  • Impact to a third party affecting the FRFI;
  • A FRFI's technology or cyber incident management team or
    protocols have been activated;
  • An incident that has been reported to the Board of Directors or
    Senior/Executive Management;
  • A FRFI incident has been reported to:
    • the Office of the Privacy Commissioner;
    • another federal government department (e.g., the Canadian
      Center for Cyber Security);
    • other local or foreign supervisory or regulatory organizations
      or agencies;
    • any law enforcement agencies;
    • has invoked internal or external counsel
  • A FRFI incident for which a Cyber insurance claim has been
    initiated;
  • An incident assessed by a FRFI to be of a high or critical
    severity, level or ranked Priority/Severity/Tier 1 or 2 based on
    the FRFI's internal assessment; or
  • Technology or cyber security incidents that breach internal
    risk appetite or thresholds.
  • For incidents that do not align with or contain the specific
    criteria listed above, or when a FRFI is uncertain, notification to
    OSFI is encouraged as a precaution."

A list of reportable examples is also provided in the
guidance.

Initial notification must be made in writing (electronic) to OSFI's Technology Risk Division as well as the FRFI's lead supervisor at OSFI within 24 hours, or sooner if possible. OSFI provides template notification and fact-reporting forms along with the Guidance.

OSFI expects to remain updated by the affected FRFI regularly
until all details about the incident have been provided, including
reports of remediation actions and plans, post-incident analyses
and lessons learned.

Failure to report fully or in a timely manner may result in increased supervisory oversight, including but not limited to enhanced monitoring activities, watch-listing or staging of the FRFI.

While OSFI standards require compliance only by Federally Regulated Financial Institutions, they also provide a bellwether for other industries' reasonable security standards. In some sense, raising the bar for cybersecurity in a variety of industrial regulatory settings also tends to raise the bar for unregulated and adjacent industries, in that the expectation of what counts as a reasonable response to a data security incident can be elevated. The guidance document is mandatory for FRFIs but may also be instructive for other industries.
