BCFSA launches public consultation process on information security incident reporting rules for financial institutions
On January 10, 2022, the BC Financial Services Authority (the BCFSA) published the Discussion Paper: Information Security Incident Reporting (the Discussion Paper), which proposes new information security (IS) incident reporting rules (the Proposed Rules) under the Financial Institutions Act (British Columbia) (the FIA). The purpose of the Proposed Rules is to implement stricter measures to ensure that certain IS incidents (defined below) are reported to the BCFSA in a timely and accurate manner.
The Proposed Rules follow the publication by the BCFSA of its IS Directive for financial institutions on October 1, 2021.
The BCFSA invites comments on the Proposed Rules and on the related policy questions set out in the Discussion Paper. Both are summarized in more detail below.
Summary of Proposed Rules
1. To whom do the proposed rules apply?
The Proposed Rules would apply to all credit unions, insurers and trust companies licensed to do business in British Columbia (BC), including extra-provincial companies with customers in BC (collectively, Financial Institutions). For extra-provincial Financial Institutions, the BCFSA would rely on the primary regulator of that Financial Institution’s province or territory – or the Office of the Superintendent of Financial Institutions (OSFI), in the case of federally regulated financial institutions (FRFIs) – to determine the financial implications of an IS Incident for the Financial Institution concerned. In addition, under the Proposed Rules, material IS Incidents reported to a Financial Institution by an outsourced service provider would also have to be reported to the BCFSA.
The Proposed Rules would further require Financial Institutions to notify the BCFSA, within specified time frames, of a reportable IS Incident that could:
- interfere with the operations of an individual Financial Institution;
- disclose confidential customer or company information;
- cause customers to be unable to access their deposits and other accounts; or
- affect the stability of the financial services sector.
2. When should an IS incident be reported to the BCFSA?
The BCFSA states that its focus is on the reporting by Financial Institutions of significant IS-related incidents, taking into account scope, impact and materiality. The Discussion Paper defines a reportable IS Incident as one “that has caused or is likely to cause material harm to consumers, or financial or reputational harm to financial institutions or the financial services industry” (a Reportable Incident).
For the purposes of the Proposed Rules, an IS Incident would include: (i) the unauthorized, unlawful or accidental use, disclosure, access, modification or destruction of personal information, business information or data; and/or (ii) degradation of network systems.
The Discussion Paper notes that Reportable Incidents include – but are not limited to – IS Incidents that have adversely affected, or could adversely affect:
- Operations of information systems or critical data;
- Operational or customer data of a financial institution, including the confidentiality, integrity or availability of such data;
- Internal users who are important to customers or business operations;
- Systems or services that impact customers or business operations;
- The public reputation of a financial institution (for example, through public or media disclosure);
- Critical delays/obligations in financial market settlement or payment systems (e.g. financial market infrastructure);
- A third party deemed material by the Financial Institution; and
- Other British Columbia financial institutions or the financial services sector.
Additionally, the BCFSA notes that an IS Incident can become a Reportable Incident if it has been:
- Reported, or is likely to be reported, to the media or to members, users, customers or participating organizations of the Financial Institution;
- Referred to internal or external legal counsel, senior management or the board of directors;
- Reported to law enforcement agencies or other regulatory authorities (including the Office of the Privacy Commissioner); or
- Reported to a cyber insurance company.
3. What should be provided in an incident report?
Financial Institutions would be required to report a Reportable Incident to the BCFSA in writing (an Incident Report) no later than 24 hours after the Reportable Incident has been identified. The Discussion Paper proposes two categories of Financial Institutions for the purpose of filing Incident Reports: (i) Financial Institutions incorporated in BC that are primarily regulated by the BCFSA (a BC FI), and (ii) extra-provincially incorporated Financial Institutions that are primarily regulated by a regulator other than the BCFSA (an EP FI).
Incident reporting requirements for BC FIs and EP FIs would include the information listed in the table below.
In addition, Financial Institutions that file an Incident Report would be required to provide updates, at intervals determined by the BCFSA, as new information becomes available, including short- and long-term remediation measures and plans. These updates would be required until the IS Incident is resolved. Once the IS Incident has been resolved, the Financial Institution would file with the BCFSA a post-incident review, including the lessons it has learned from the IS Incident.
4. What are the consequences of non-compliance with the proposed rules?
The BCFSA notes that failure to comply with the Proposed Rules would constitute a breach of the FIA and could expose the non-compliant Financial Institution to regulatory action by the BCFSA. This includes, but is not limited to, an administrative penalty of up to CA$50,000 for a corporation or CA$25,000 for an individual.
Conclusion and next steps
In addition to general comments on the matters discussed above, the BCFSA invites comments from industry stakeholders on the following specific questions:
- Are you comfortable with the BCFSA sharing information about patterns or trends it detects through an analysis of IS incident reports, anonymously? How can the BCFSA best share this information with financial institutions?
- Is the definition of what constitutes a significant incident clear? If not, why not?
- Do the identified triggers provide sufficient guidance on when reporting is required?
- Based on the definition and triggers above, how many IS reports would you estimate you would file on a yearly basis?
- Are the reporting deadlines reasonable? Which elements would be difficult for a Financial Institution to respond to in time, and why?
- Is the content of the incident report and subsequent report clear and reasonable?
- Are there any other considerations you want to share with us that we haven’t covered in the document?
Dentons is the world’s leading polycentric global law firm. Ranked among the top 20 firms in the Acritas 2015 Global Elite Brand Index, the firm is committed to challenging the status quo by delivering consistent, uncompromising quality and value in new and inventive ways. Committed to providing its clients with a competitive advantage and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is essential to successfully completing a transaction, resolving a dispute or solving a business challenge. Now the largest law firm in the world, Dentons’ global team builds agile, bespoke solutions to meet the local, national and global needs of private and public clients of all sizes across more than 125 locations in over 50 countries. www.dentons.com
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation. Specific questions relating to this article should be addressed directly to the author.