February 26, 2019 / 9:18 PM

IMPACT ANALYSIS: Canadian regulator sets new cyber-incident obligations for banks, insurers

NEW YORK (Thomson Reuters Regulatory Intelligence) - The Office of the Superintendent of Financial Institutions (OSFI), Canada’s prudential regulator, is taking an increasingly active interest in cyber-risk management practices at the country’s banks and insurers. OSFI recently introduced new cyber incident reporting obligations for all federally regulated financial institutions that will require firms to review and possibly revise existing incident response management protocols.

Employees of SMBC Nikko Securities Inc. work using only LED desk lights, during daytime at the company office in Tokyo June 30, 2011, a day before a target to cut electricity use by 15 percent in regions affected by Japan's March 11 earthquake and tsunami takes effect.

OSFI’s increased attention to cyber-risk management comes at a time when regulators are becoming more aware of the need to stay informed of cyber incidents at individual organizations.


Cyber risks are increasingly viewed as systemically significant by regulators as well as by risk and compliance professionals. In a paper published last year, the International Monetary Fund (IMF) described cyber risk as a key threat to financial stability. The frequency and severity of cyber incidents at financial institutions around the world are rising sharply. Many organizations have suffered losses from data breaches, fraud and other business disruption related to cyber incidents.

Industry surveys conducted by the IMF also reveal that cyber risk is a main concern among market participants in the financial sector.

In the working paper, the IMF cited a global cybersecurity index from the U.N. International Telecommunication Union. Jurisdictions such as Canada, the United States and the European Union were among those deemed most at risk of cyber attacks.

The IMF has called on regulators to consider policies to mitigate cyber risk, such as updating supervisory frameworks to account for cyber-related systemic issues. The need for regulators to monitor and assess vulnerabilities related to cyber risk was also highlighted as a priority. As a result, financial regulators are increasingly recognizing that they must stay closely informed of cyber incidents at individual financial institutions as they unfold.

Cybersecurity has appeared on OSFI’s list of regulatory priorities over the past few years. In its 2018-2019 departmental plan, OSFI indicated that it would be re-examining its role in overseeing cyber risk management practices this year.


Last month, OSFI published an advisory letter on technology and cybersecurity incident reporting. The letter clarifies OSFI's regulatory expectations for federally regulated financial institutions and contains new cyber incident reporting obligations, which take effect on March 31, 2019.

The new reporting obligations are meant to complement OSFI's existing Cyber Security Self-Assessment Guidance.

Under the new requirements, federally regulated banks and insurers are required to report technology or cybersecurity incidents to OSFI. OSFI defines such incidents as events that have the potential to, or have been assessed to, materially impact the normal operations of a financial institution.

Firms are responsible for assessing technology and cybersecurity incidents; incidents assessed to have a high or critical severity level must be reported to OSFI.

The advisory letter sets out a list of criteria for reporting. Most of the criteria raised by OSFI focus on potential adverse impact on customers and potential business disruption.

Procedurally, firms are required to notify their lead OSFI supervisor of cybersecurity incidents as promptly as possible, and in any case within a firm 72-hour deadline. Incidents must be reported in writing.

The initial incident report should contain details such as the date and time of the incident, assessment of whether the incident is material, whether any mitigation methods have been deployed, along with other information. Firms are expected to provide best estimates in cases where details may not be available at the time of initial reporting.

Following the initial report, firms are required to provide updates to OSFI as new information becomes available, until all of the material details of the incident have been provided to the regulator. Daily updates are suggested in the advisory letter as recommended practice.

OSFI further expects banks and insurers to provide detailed situation updates, including any remediation actions or plans, until the incident is contained or otherwise resolved.

Following resolution, firms are required to provide OSFI with a post-incident review and information on lessons learned.


Organizations in every industry are vulnerable to cyber threats. Cyber-attacks on large financial institutions, in particular, can have widespread and severe adverse effects. Large financial services firms are generally more interconnected than businesses in other sectors; as a result, the risk of contagion from cyber incidents tends to be high. Cyber-attacks that affect multiple financial institutions could also compromise financial stability.

Federally regulated financial institutions are advised to review their cyber risk management practices immediately, with a close eye on policies and procedures for incident response. The incident reporting requirements outlined in the advisory letter come into effect at the end of next month, leaving a small window for firms to review existing practices, identify areas in need of revision, revise policies and test those policies for effectiveness.

OSFI’s broader regulatory expectations for cybersecurity incident management can be found within the Cybersecurity Self-Assessment Guidance.

Most Canadian businesses, including financial institutions, should have cyber incident and breach reporting measures in place to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). The PIPEDA was amended late last year to implement mandatory breach reporting.

However, financial institutions should note that the definition of reportable technology and cyber incidents from OSFI encompasses all types of cyber threats, not just those involving personal data. While the incident reporting requirements from OSFI require firms to report incidents that have been reported to the Privacy Commissioner, other cyber incidents that do not need to be reported under the PIPEDA may be reportable to OSFI.

It is highly recommended that firms have designated policies and procedures to comply with incident reporting requirements to OSFI, as opposed to just relying on existing PIPEDA compliance measures. Firms also need to ensure that they have specialists with the right technical skills, individually and collectively, to identify serious threats, report them and analyze post-incident information to determine remedial actions.

Firms should be mindful of the expectation for continuous reporting to OSFI on cyber incidents. In the advisory letter, OSFI indicated that it expects to be kept informed throughout the entire lifecycle of a cyber incident, from detection through to and beyond resolution. In practice, firms are advised to implement processes that keep a line of communication with OSFI open. Furthermore, records should be kept of the information that is provided to the regulator.

On post-incident reporting, OSFI has indicated that it expects firms to report on lessons learned from cyber incidents. Cybersecurity personnel should be prepared to explain the reasons behind any remedial actions that were taken, as well as to outline initiatives intended to prevent similar incidents from recurring.


(Helen Chan is a regulatory intelligence expert for Thomson Reuters Regulatory Intelligence, based in Hong Kong. Email Helen at helen.chan@thomsonreuters.com)

This article was produced by Thomson Reuters Regulatory Intelligence - bit.ly/TR-RegIntel - and initially posted on Feb. 20. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges.
