Financial institutions must quickly report cyberattacks to regulators or face tougher oversight, under new guidance from the Office of the Superintendent of Financial Institutions (OSFI).
The federal financial regulator issued an updated advisory on cybersecurity incident reporting, which requires that financial firms report incidents — such as extortion threats, cyber breaches and technology failures — to OSFI within 24 hours.
In addition, firms that fail to report an incident face the prospect of increased regulatory oversight, supervisory intervention and other measures.
OSFI said that the new guidance “supports a coordinated and integrated response to technology and cyber security incidents when they occur at [financial institutions].”
At the same time, the regulator released a new self-assessment tool for firms to help them “gauge and improve their current state of readiness in the face of emerging and expanding cyber threats.”
“Technology and cyber security incidents such as ransomware and data breaches are on the rise,” noted Peter Routledge, superintendent of financial institutions, in a release.
“Canada’s financial institutions are vital to our economy — this new advisory and self-assessment from OSFI will help protect their businesses as well as the stability of the financial sector,” he added.