Office of the Superintendent of Financial Institutions
The Technology and Cyber Security Incident Reporting Advisory supports a coordinated and integrated approach to OSFI's awareness of, and response to, technology and cyber security incidents at Federally Regulated Financial Institutions (FRFIs). This Advisory replaces the current Technology and Cyber Security Incident Reporting Advisory, which was published in January 2019 and came into effect in March 2019.
As members of a sector critical to the Canadian economy, FRFIs have a responsibility to address technology and cyber security incidents in a timely and effective manner. FRFIs are required to provide timely notification to OSFI when incidents relating to their operations occur. This requirement should be reflected in FRFIs' policies and procedures for dealing with technology and cyber security incidents.
Incident reporting can help identify areas where FRFIs or the industry at large can take steps to proactively prevent such incidents or improve their resiliency after an incident has occurred.
This Advisory applies to all FRFIs and describes OSFI's incident reporting requirements. It does not include guidance on OSFI's expectations for an incident management framework.
For the purpose of this Advisory, a technology or cyber security incident is defined as an incident that has an impact, or the potential to have an impact, on the operations of a FRFI, including the confidentiality, integrity or availability of its systems and information.
FRFIs should define priority and severity levels within their incident management framework. When in doubt about whether to report an incident, FRFIs should consult their Lead Supervisor.
A reportable incident may have any one or more of the following characteristics:
Under the Advisory, FRFIs must report a technology or cyber security incident to OSFI's Technology Risk Division as well as their Lead Supervisor at OSFI within 24 hours, or sooner if possible.
When reporting a technology or cyber security incident to OSFI, a FRFI must notify OSFI's Technology Risk Division (at TRD@osfi-bsif.gc.ca) as well as their Lead Supervisor and must do so in writing (electronic; see footnote 1) as set out in the Incident Reporting and Resolution Form (see Appendix II). Where specific details are unavailable at the time of the initial report, the FRFI must indicate 'information not yet available.' In such cases, the FRFI must provide best estimates and all other details available at the time, including their expectations of when additional information will be available.
OSFI expects FRFIs to provide regular updates (e.g., daily) as new information becomes available, and until all details about the incident have been provided.
Depending on the severity, impact and velocity of the incident, OSFI may request that a FRFI change the method and frequency of subsequent updates.
Until the incident is contained or resolved, OSFI expects FRFIs to provide situation updates, including any short-term and long-term remediation actions and plans.
Following incident containment, recovery and closure, the FRFI should report to OSFI on its post-incident review and lessons learned.
Failure to report incidents as outlined above may result in increased supervisory oversight, including but not limited to enhanced monitoring activities, watch-listing or staging of the FRFI.
The following table provides some examples of the types of reportable incidents but should not be considered an exhaustive list.

Example incident: An account takeover botnet campaign is targeting online services using new techniques; current defenses are failing to prevent customer account compromise.
Characteristics:
  - High volume and velocity of attempts
  - Current controls are failing to block the attack
  - Customers are locked out
  - Indication that customer account(s) or information has been compromised

Example incident: Technology failure at a data centre.
Characteristics:
  - Critical online service is down and the alternate recovery option failed
  - Extended disruption to critical business systems and operations

Example incident: A material third party is breached; the FRFI is notified that the third party is investigating.
Characteristics:
  - Third party is designated as material to the FRFI
  - Impact to FRFI data is possible

Example incident: The FRFI has received an extortion message threatening to perpetrate a cyber attack (e.g., DDoS for Bitcoin).
Characteristics:
  - Threat is credible
  - Probability of critical online service disruption
FRFIs are required to report incidents to the Technology Risk Division at TRD@osfi-bsif.gc.ca as well as their Lead Supervisor using the template below.
[Screenshot: OSFI Technology and Cyber Incident Report] Please refer to the
Footnote 1: If electronic means of notification are not available, notification by telephone followed by a paper submission is acceptable.