Technology and Cyber Security Incident Reporting

Document Properties

  • Type of Publication: Letter
  • Date: January 24, 2019
  • Reference: Advisory for Banks/FBB/BHC/T&L/CRA/Life/P&C/IHC

  • To: Federally Regulated Financial Institutions

Cyber security threats and incidents are increasing in sophistication, frequency and persistence. They have the potential to disrupt interconnected global financial systems and financial institutions.

The advisory Technology and Cyber Security Incident Reporting sets out OSFI’s expectations for federally regulated financial institutions (FRFIs) with respect to the reporting of technology and cyber security incidents affecting FRFI operations. The advisory describes characteristics of incidents that should be reported to OSFI, in addition to initial notification and subsequent reporting requirements. 

The advisory comes into effect on March 31, 2019. In the meantime, FRFIs are expected to continue reporting any major incidents according to previous instructions communicated by their Lead Supervisors. Effective March 31, 2019, this Advisory supersedes any prior instructions for technology and cyber security incident reporting.

Questions concerning the Advisory may be directed to your Lead Supervisor.

Ben Gully
Assistant Superintendent
Risk Support Sector