This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our cookie notice (http://www2.deloitte.com/ca/en/legal/cookies.html) for more information on the cookies we use and how to delete or block them.
The full functionality of our site is not supported on your browser version, or you may have 'compatibility mode' selected. Please turn off compatibility mode, upgrade your browser to at least Internet Explorer 9, or try using another browser such as Google Chrome or Mozilla Firefox.

OSFI – Updated Advisory re Technology and Cyber Security Incident Reporting

Effective date:

August  13, 2021

Last up­dated:

August 2021

Overview

The Office of the Superintendent of Financial Institutions (OSFI) released updated requirements governing how federally regulated financial institutions (FRFIs) should disclose and report technology and cyber security incidents to OSFI.

The updated Technology and Cyber Security Incident Reporting Advisory supports a coordinated and integrated response to technology and cyber security incidents when they occur at FRFIs). Under the updated Advisory, FRFIs must report a technology or cyber security incident to OSFI's Technology Risk Division as well as their Lead Supervisor at OSFI within 24 hours, or sooner if possible. Other changes in the Advisory include a new "failure to report" section: if a FRFI does not report a cyber incident, they could be subject to increased supervisory oversight by OSFI, placed on a watch list or assigned one of the stages in OSFI's supervisory intervention approach, among other measures.

Separately, OSFI also released an updated Cyber Security Self-Assessment that helps FRFIs gauge and improve their current state of readiness in the face of emerging and expanding cyber threats.

Review the press release and updated requirements on the OSFI's website.

Recent developments

Date

Development

Comments

August 13, 2021

The OSFI released updated requirements governing how federally regulated financial institutions (FRFIs) should disclose and report technology and cyber security incidents to OSFI

For further details refer to the OSFI press release.

Amendments under consideration

  • None

Correction list for hyphenation

These words serve as exceptions. Once entered, they are only hyphenated at the specified hyphenation points. Each word should be on a separate line.