The Lexpert Special Editions profiles selected Lexpert-ranked lawyers whose focus is in Corporate, Infrastructure, Energy and Litigation law and relevant practices. It also includes feature articles on legal aspects of Canadian business issues.
Issue link: https://digital.carswellmedia.com/i/1470136
report incidents they assessed at "a high or critical severity level." Under the updated advisory, FRFIs must report any technology or cyber security incident to OSFI "within 24 hours, or sooner if possible." That contrasts with the prior advisory, which required reporting "as promptly as possible, but no later than 72 hours" after determining an incident is reportable. The new advisory requires incident reporting even before the FRFI is aware of the incident or has had an opportunity to confirm or classify its severity level.

It also contains a new potential sanction for FRFIs that don't report incidents as expected. The advisory states: "Failure to report incidents ... may result in increased supervisory oversight including but not limited to enhanced monitoring activities, watch-listing or staging of the FRFI."

Nathan Schiessel, a partner in the technology practice at MLT Aikins in Regina, says what makes these new rules different is the obligation to report on incidents that "include the integrity or availability" of the systems, not just on those related to cyber security and personal information.

"I think the new rules come from OSFI wanting to understand issues that are potentially impacting the industry and taking steps to proactively prevent those kinds of incidents and improve the resiliency of those systems," Schiessel says. "At the end of the day, these financial institutions are providing services for customers and clients that are pretty critical – like payment systems – and they want to make sure the systems behind these services are robust."
"AS A RESPONSIBLE ORGANIZATION PURCHASING THESE SERVICES, YOU NEED TO KNOW WHAT YOUR NEEDS ARE AND NEGOTIATE THE CONTRACT ACCORDINGLY"
Imran Ahmad, Norton Rose Fulbright

Joel Ramsey at Torys LLP agrees, saying, "I think it's the regulator OSFI looking at just how reliant the industry is on technology provided by third parties – and [concluding] that reportable incidents can't just be about cyber breaches." They must also cover "major outages, or system problems that impact customers – things that affect the stability and integrity of our financial institutions."

A good example, Ramsey says, is debit, credit, and other electronic payment systems going down, and their impact on financial institutions and their customers. "Most people don't have a lot of cash in their pockets these days, and it can really have an impact, even though it may not necessarily be a cyber-security or privacy breach."

Almost all federally regulated financial institutions in Canada rely on third parties to provide them with outsourcing, software as a service (SaaS), payment processing, and cloud storage services. For software and service contracts, the FRFI that purchases these third-party systems is expected to contract for services commensurate with meeting the "reasonable" standards of OSFI and any other regulator. So contracts with these vendors may need to be updated to meet these new requirements.

Tremblay agrees, adding that vendors of such services want to make sure that they meet high industry standards and provide what their customers need, including regulatory compliance. At the same time, the new service levels required by regulations may require a different level of service and pricing reflected within the contract. He adds, "So you want to encourage an efficient negotiating process," reflecting required service levels and costs.

The new, tighter time element in the OSFI rules – the 24 hours for reporting an incident – might mean the parties must negotiate new terms.
This change could lead to additional costs for suppliers to meet those service standards, which they may have to pass on to the financial institution purchaser. Says Schiessel: "That increased level of transparency might come with some additional costs for the service provider, and from the service provider's perspective, they may need to build that cost into their service, particularly when it comes to regulated compliance mandates."

Ramsey thinks that one way to negotiate these contracts is to determine what levels of service and response parties need for distinct

OSFI ADVISORY FOR FEDERALLY REGULATED FINANCIAL INSTITUTIONS

Institutions must report incidents if they:
• have potential consequences for other FRFIs or the Canadian financial system;
• could have an impact on FRFI systems relating to financial market settlements, confirmations, or payments, or affect payment services;
• affect FRFI operations, infrastructure, data, or systems related but not limited to confidentiality, integrity, or availability of customer information;
• disrupt business systems or operations related to utility or data centre outages or loss or degradation of connectivity;
• have an operational impact on critical systems, infrastructure, or data;
• activate disaster recovery teams or plans, or if a disaster declaration has been made by a third-party vendor that affects the FRFI;
• have an impact on internal users and could affect external customers or business operations;
• cause a negative reputational impact (public or media disclosure).