Financial Institutions: OSFI’s Heightened Cyber Security Incident Reporting Obligations Now In Effect
On January 24, 2019, the Office of the Superintendent of Financial Institutions (“OSFI”) published the Technology and Cyber Security Incident Reporting Advisory[1] (the “Advisory”), which sets out OSFI’s expectations for reporting technology and cyber security incidents. The Advisory became effective for all federally regulated financial institutions (“FRFIs”) on March 31, 2019.
The Advisory requires FRFIs to report technology or cyber security incidents that “have the potential to, or have been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information”. If a FRFI assesses an incident as being of a “high or critical severity level”, the FRFI must notify OSFI as promptly as possible, but no later than 72 hours after the FRFI determines that the incident is reportable. For more details on the reporting process, and how it differs from the breach reporting requirements under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), see our recent publication, “OSFI Boots Up Cyber Safety with its New Advisory on Technology and Cyber Security Incident Reporting”.
In order to ensure compliance with the Advisory and OSFI’s expectations, we recommend several steps including:
- taking a top-down approach to ensure active participation and buy-in to cybersecurity from the executive and board down through employees;
- conducting periodic risk assessments, security audits, and due diligence on vendors and outsourced workers when contracting with them (as well as including written requirements in the contracts);
- designating a program administrator who is accountable to the organization; and
- developing written policies and procedures, including, critically, an incident response plan, based on the above.
Regularly testing internal controls, conducting staff training programs and updating compliance procedures will increase the effectiveness of these recommendations.
Organizations should consult TRC-Sadovod’s Crisis Response Services for additional guidance, and reach out to a member of our team with any further questions.
by Darcy Ammerman, Ryan J. Black, Grace Shaw and Alex Tyzuk (Articled Student)
[1] Available at Technology and Cyber Security Incident Reporting
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© TRC-Sadovod LLP 2019