OSFI – Updated Advisory re Technology and Cyber Security Incident Reporting

Effective date:

August 13, 2021

Last updated:

August 2021

Overview

The Office of the Superintendent of Financial Institutions (OSFI) released updated requirements governing how federally regulated financial institutions (FRFIs) should disclose and report technology and cyber security incidents to OSFI.

The updated Technology and Cyber Security Incident Reporting Advisory supports a coordinated and integrated response to technology and cyber security incidents when they occur at FRFIs. Under the updated Advisory, FRFIs must report a technology or cyber security incident to OSFI's Technology Risk Division as well as their Lead Supervisor at OSFI within 24 hours, or sooner if possible. Other changes in the Advisory include a new "failure to report" section: if an FRFI does not report a cyber incident, it could be subject to increased supervisory oversight by OSFI, placed on a watch list or assigned one of the stages in OSFI's supervisory intervention approach, among other measures.

Separately, OSFI also released an updated Cyber Security Self-Assessment that helps FRFIs gauge and improve their current state of readiness in the face of emerging and expanding cyber threats.

Review the press release and updated requirements on OSFI's website.

Recent developments

Date: August 13, 2021

Development: The OSFI released updated requirements governing how federally regulated financial institutions (FRFIs) should disclose and report technology and cyber security incidents to OSFI.

Comments: For further details refer to the OSFI press release.

Amendments under consideration

  • None
