OSFI stands for Canada’s Office of the Superintendent of Financial Institutions. OSFI has recently published its guidance on the reporting of technology and cyber security incidents. It applies to the many financial institutions regulated at the federal level and requires them to report any technology or cyber security incident to OSFI in a timely manner.
This advisory builds on the Cyber Security Self-Assessment Guidance published in 2013. The main goal of the new guidance is to help federally regulated financial institutions prevent future incidents that can arise from inadequate security measures.
Some Terms Under This Advisory
In general, the advisory provides guidance to FRFIs (federally regulated financial institutions) on technology and cyber security incidents. It defines a “technology/cyber security incident” as one that has the potential to impact the normal operations of an FRFI, including the confidentiality or integrity of its information systems.
The advisory also requires FRFIs to report any incident assessed as high or critical in severity.
Guidance Of This Advisory
OSFI lists the characteristics of incidents that should be reported to it. These are listed below.
• Incidents that affect critical information systems or data
• Any incident that has a significant impact on customer data or company operations
• System or service disruptions that have a significant impact
• Incidents whose impact on customers continues to grow
• Any incident that has a negative reputational impact
• Any incident reported to the Office of the Privacy Commissioner
• Any incident reported to foreign or local authorities
• Others listed in OSFI’s Cyber Security Self-Assessment Guidance
Some Examples Of Reportable Incidents
The advisory gives some examples of reportable incidents. These examples should help an FRFI judge the scale of an incident’s negative impact. One example is an account takeover affecting customer accounts. A technology failure at a data center is also reportable. An extortion message containing threats of a cyber attack should be reported to OSFI as well. These are just a handful of examples.
Reporting: Time Restrictions
If an FRFI identifies a reportable technology or cyber security incident, a supervisor must be notified as soon as possible, and no later than 72 hours after the incident is assessed. The report must include the root causes, the time and date, the number of people affected, and the actions currently being taken.
After this initial report is sent to OSFI, updates must be sent on a daily basis. Once the issue has been resolved, the FRFI must send a final report detailing the lessons learned from the incident. An overall review should be reported in the aftermath.
Control & Management Of Cyber Risk
FRFIs can face many long-term consequences from reportable incidents. This is why OSFI stresses the importance of following the guidance, reporting incidents, and conducting follow-up reviews. Every FRFI must understand the mandatory reporting of breaches. Prevention and learning from past mistakes both play a major role in the control and management of cyber risk.