OSFI issues updated requirements for technology and cyber incident reporting

News Release

For Immediate Release

OTTAWA - August 13, 2021 - Office of the Superintendent of Financial Institutions

Today, the Office of the Superintendent of Financial Institutions (OSFI) released updated requirements governing how federally regulated financial institutions (FRFIs) should disclose and report technology and cyber security incidents to OSFI.

The updated Technology and Cyber Security Incident Reporting Advisory (the "Advisory") supports a coordinated and integrated response to technology and cyber security incidents when they occur at FRFIs.

Under the updated Advisory, FRFIs must report a technology or cyber security incident to OSFI's Technology Risk Division as well as their Lead Supervisor at OSFI within 24 hours, or sooner if possible. Other changes in the Advisory include a new "failure to report" section: if a FRFI does not report a cyber incident, it could be subject to increased supervisory oversight by OSFI, placed on a watch list or assigned one of the stages in OSFI's supervisory intervention approach, among other measures.

Separately, OSFI also released an updated Cyber Security Self-Assessment ("Self-Assessment") that helps FRFIs gauge and improve their current state of readiness in the face of emerging and expanding cyber threats. The Self-Assessment examines a FRFI's capability to respond to a cyber incident in areas ranging from organization and resources, to how it manages threats, risks and incidents, and allows FRFIs to rate each element on a scale from non-existent to continuous improvement.

For more information, please see the Advisory and the Self-Assessment.


"Technology and cyber security incidents such as ransomware and data breaches are on the rise. Canada's financial institutions are vital to our economy - this new Advisory and Self-Assessment from OSFI will help protect their businesses as well as the stability of the financial sector."

Peter Routledge, Superintendent of Financial Institutions

Quick facts

  • This updated Advisory replaces OSFI's initial Technology and Cyber Security Incident Reporting Advisory, which was published in January 2019 and came into effect in March 2019.
  • Technology and cyber incidents may include cyber attacks, extortion threats, third-party outages, data breaches and more.
  • OSFI's latest Cyber Security Self-Assessment is available online and replaces the initial Cyber Security Self-Assessment, which was published in October 2013 to help FRFIs assess their current level of cyber security preparedness and to develop and maintain effective cyber security practices.

The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Government of Canada, established in 1987, to protect depositors, policyholders, financial institution creditors and pension plan members, while allowing financial institutions to compete and take reasonable risks. OSFI supervises more than 400 federally regulated financial institutions and 1,200 pension plans to determine whether they are in sound financial condition and meeting their prudential requirements.

Media Contact

OSFI – Public Affairs