On January 15, 2025, the Office of the Superintendent of Financial Institutions (OSFI) published a new Technology and Cyber Incident Reporting Form (the New Incident Reporting Form). The New Incident Reporting Form will come into effect on April 1, 2025. Until then, federally regulated financial institutions (FRFIs) must use the existing incident reporting form to report cyber security incidents to OSFI.
In 2021, OSFI issued an updated Technology and Cyber Security Incident Reporting Advisory (the Advisory) that governs the requirements for FRFIs to report technology and cyber security incidents to OSFI (as previously reported by the E-TIPS® Newsletter here). The Advisory imposes strict reporting requirements on FRFIs, one being the requirement for FRFIs to report to OSFI any technology or cyber security incident within 24 hours, or sooner if possible, using an incident reporting form. The Advisory outlines a list of characteristics of reportable incidents, such as incidents that cause disruptions to business systems or operations, or have operational impacts on key/critical systems, infrastructure or data.
Similar to the existing incident reporting form, the New Incident Reporting Form requires FRFIs to report certain information such as: site location and lines of business affected; certain incident details such as incident type and severity; threat-actor tactics, techniques and procedures; indicators of compromise; and internal / external notifications.
Unlike the existing reporting form, the New Incident Reporting Form includes specific questions relating to: the status of the incident (i.e., whether it is active or resolved); activation of disaster recovery plans; impact scope with respect to service delivery, loss of sensitive information, and levels of media or public sentiment; estimated recovery timeframe; and overall estimated financial impact.
The New Incident Reporting Form can be found here and the detailed instructions for filling out the form can be found here.
Summary By: Victoria Di Felice
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.