The Office of the Superintendent of Financial Institutions (OSFI) has issued a new advisory that sets out obligations for banks and insurers to report technology and cybersecurity incidents, the federal regulator announced Thursday.
“Cybersecurity threats and incidents are increasing in sophistication, frequency and persistence. They have the potential to disrupt interconnected global financial systems and financial institutions,” OSFI states in a letter to federally regulated financial institutions.
The advisory describes the characteristics of incidents that should be reported to OSFI, as well as the initial notification and subsequent reporting requirements.
Specifically, firms must notify OSFI no later than 72 hours after an incident. They must then meet ongoing reporting obligations for any incident that “materially impacts” normal operations, “including confidentiality, integrity or availability of its systems and information,” the advisory states.
Regulatory reporting of security incidents, OSFI says, can help both individual firms and the industry at large identify measures to prevent similar incidents and to improve their resilience when breaches do occur.
Effective March 31, the advisory supersedes any prior instructions for technology and cybersecurity incident reporting, OSFI says.