Description

Amended technology and cyber security incident reporting advisory including data governance

On 13 August 2021, the Office of the Superintendent of Financial Institutions ('OSFI') amended the Technology and Cyber Security Incident Reporting Advisory, which was originally adopted in January 2019 and came into effect in March 2019. The Advisory applies to all Federally Regulated Financial Institutions ('FRFIs') and describes OSFI's incident reporting requirements. Through the Advisory, OSFI aims to have FRFIs report technology or cyber security incidents that have an impact, or the potential to have an impact, on the operations of an FRFI, including the confidentiality, integrity or availability of its systems and information. The Advisory also explains the criteria for reporting in further detail. Moreover, the Advisory sets out that FRFIs must report a technology or cyber security incident to OSFI within 24 hours. Finally, failure to report incidents may result in increased supervisory oversight and enhanced monitoring activities.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
other regulatory body

Complete timeline of this policy change

2021-08-13
under deliberation

On 13 August 2021, the Office of the Superintendent of Financial Institutions ('OSFI') amended the …

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type Private organisation
Economic activity other service provider
Category All

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
corporate data (all forms): storage (any form)
Regulatory tool
Regulator notification requirement
Sanctions
Other corporate sanction
Regulated subjects
1