The Office of the Superintendent of Financial Institutions (OSFI) has implemented regulatory reporting requirements on technology and cybersecurity incidents for insurers.
OSFI’s Advisory on Technology and Cybersecurity Incident Reporting mandates that federally regulated financial institutions (FRFIs) – which include insurers (life and P&C), federally incorporated trust and loan companies, as well as banks – must report “high or critical severity” technology or cybersecurity incidents to OSFI.
The advisory defines technology or cyber-incidents as those that “materially impact the normal operations of an FRFI,” which include the confidentiality, integrity or availability of an FRFI’s systems and information.
Canadian Lawyer reported that the advisory will take effect March 31.
The new rules complement the mandatory data breach and breach-of-security-safeguards reporting requirements under the federal Personal Information Protection and Electronic Documents Act.
OSFI has also outlined reporting criteria in its advisory, noting that FRFIs should define incident materiality in their incident management framework.
A reportable incident may have any of the following characteristics, as listed by OSFI:
- Material impact to FRFI operational or customer data (including confidentiality, integrity or availability of such data).
- Significant operational impact to internal users that is material to customers or business operations.
- Significant levels of system or service disruptions; extended disruptions to critical business systems or operations.
- The number of external customers impacted is significant or growing.
- Negative reputational impact is imminent (public or media disclosure); a material impact to critical deadlines or obligations in financial market settlement or payment systems (financial market infrastructure).
- Significant impact to a third party deemed material to the FRFI.
- Material consequences to other FRFIs or the Canadian financial system.
- FRFI incident has been reported to the Office of the Privacy Commissioner or either local or foreign regulatory authorities.