13 Aug OSFI – Issued updated requirements for technology and cyber incident reporting, as well as a new cyber self-assessment
August 13, 2021 – Reporting Requirements: The updated requirements govern how federally regulated financial institutions (FRFIs) should disclose and report technology and cyber security incidents to OSFI. FRFIs must report a technology or cyber security incident to OSFI’s Technology Risk Division as well as their Lead Supervisor at OSFI within 24 hours, or sooner if possible. The advisory adds a new failure-to-report section providing that if a FRFI does not report a cyber incident, it could be subject to increased supervisory oversight by OSFI. It may also be placed on a watch list or assigned a stage in the supervisory intervention approach. FRFIs should define priority and severity levels within their incident management framework. The advisory provides a list of characteristics that a reportable incident may have.
Cyber Self-Assessment: Examines a FRFI’s capability to respond to a cyber incident in a variety of areas, such as the organization, its resources, and how it manages threats, risks, and incidents, and allows FRFIs to rate each element on a scale from non-existent to continuous improvement.
For more information, visit www.osfi-bsif.gc.ca.