OSFI – Issued updated requirements for technology and cyber incident reporting, as well as new cyber self-assessment

August 13, 2021Reporting Requirements: The updated requirements govern how federally regulated financial institutions (FRFIs) should disclose and report technology and cyber security incidents to OSFI. FRFIs must report a technology or cyber security incident to OSFI’s Technology Risk Division as well as their Lead Supervisor at OSFI within 24 hours, or sooner if possible. Added new failure to report section providing that if a FRFI does not report a cyber incident, they could be subject to increased supervisory oversight by OSFI. May also be placed on watch list, assigned stage in supervisory intervention approach. FRFIs should define priority, severity levels within incident management framework. The advisory provided list of characteristics that a reportable incident may have.

Cyber Self-Assessment: Examines a FRFI’s capability to respond to a cyber incident in a variety of areas such as the organization, it’s resources, how it manages threats, risks, incidents, and allows FRFIs to rate each element on a scale from non-existent to continuous improvement.

For more information, visit www.osfi-bsif.gc.ca.

Discover More Regulatory Insights

Visit the AxiomSL resource center for recent Regulatory Changes for financial institutions, InsideView Blog, and Thought Leadership.

We use cookies in order to give you the best possible experience on our website. By continuing to use this site, you agree to our use of cookies.