The Office of the Superintendent of Financial Institutions, a Canadian banking regulator, recently published an advisory regarding cyber security incident reporting, specifically, the imminent implementation of new rules around how and when technology and cyber security incidents must be reported. The requirements apply to all federally regulated financial institutions (FRFIs) in Canada, and will take effect on March 31.
What Types of Incidents Must Be Reported to OSFI?
The OSFI advisory defines a technology or cyber security incident as having the potential to “materially impact the normal operations of an FRFI, including confidentiality, integrity or availability of its systems and information.” The advisory cites four potential categories of reportable incidents: cyber attack, service availability and recovery (e.g. technology failure at a data center), third-party breach, and extortion threat.
The advisory also provides a list of characteristics that a material incident may have, which includes:
- Extended disruptions to critical business systems/operations
- Negative reputational impact is imminent
- Significant operational impact to internal users that is material to customers or business operations
- Significant operational impact to key/critical information systems or data
- Number of external customers impacted is significant or growing
What are Financial Institutions Required to Do for OSFI Compliance?
Similar to the strict reporting requirements implemented in the EU last year through GDPR, the OSFI cyber incident reporting advisory requires FRFIs to promptly address incidents, including notifying OSFI no later than 72 hours after determining that the incident is material. The written notification must include available details and best estimates, including an incident description, dates and times, incident type, incident severity, status of the incident, and the known or suspected root cause.
There are ongoing obligations beyond the initial notification as well. The FRFI must provide regular updates until all material details have been filled in, and the Lead Supervisor from OSFI can change the frequency of the updates based on the severity of the incident. Once the incident is resolved, the FRFI is required to provide a report that includes a review of the incident and lessons learned.
How Can D3 Help with OSFI Incident Reporting?
As organizations learned after the introduction of GDPR, 72 hours is not enough time to develop ad hoc procedures for collecting data and creating a satisfactory picture of the incident for regulators. Using D3’s security orchestration, automation, and response (SOAR) platform for incident response and case management eases this process in numerous ways.
D3 helps to minimize the occurrence of major incidents by streamlining detection, using threat intelligence and real-time correlations to identify genuine threats, and supporting root cause analysis to remediate vulnerabilities. The ability to quickly detect and assess incidents also gives organizations a head start toward recognizing and reporting incidents that meet the criteria of the OFSI cyber security incident advisory.
Unlike other SOAR platforms, D3 is designed to support comprehensive investigations and compliance reporting. Complete audit logs, detailed metrics, and configurable reports make it easy to demonstrate incident details and security actions to OSFI. Users can even schedule automated reports to match the frequency of updates that OSFI requests. D3’s case management features, like incident timelines, visual link analysis, and fields to share notes between investigators are useful tools for piecing together a clear incident description for OSFI.