BCFSA Considers Reporting Requirements for Technology and Cybersecurity Incidents

Blake, Cassels & Graydon LLP

British Columbia Financial Services Authority (BCSFA) wants to impose mandatory reporting requirements on financial institutions that experience information security incidents, by establishing a new rule under the Financial Institutions Act. The proposed new rule would apply to all credit unions, insurance companies and trust companies authorized to do business in British Columbia, including extra-provincial companies with customers in British Columbia. Though the rule would not apply to pension plan administrators, they remain subject to existing incident reporting expectations as outlined in BCFSA’s current Information Security Guideline.

According to a Discussion Paper issued by BCSFA on January 17, 2022, the proposed rule would require financial institutions to report material information security incidents to BCFSA in writing as soon as possible and no later than 24 hours after the incident is identified. The financial institution would also be required to provide updates at intervals determined by BCFSA, and a full incident report once the incident is resolved.

The Discussion Paper contemplates that the contents of the mandatory reports may vary depending on the class of financial institution, with British Columbia incorporated financial institutions being required to provide a more detailed report than extra-provincially incorporated financial institutions where BCFSA is not the primary regulator. The Discussion Paper also notes that for extra-provincially incorporated financial institutions, BCFSA will rely on the institution’s primary regulator to determine any financial implications of an information security incident.

The Discussion Paper defines an information security incident broadly to include any unauthorized, illegal, or accidental access, use, disclose, modification or destruction of personal information, business information or data or the impairment of network systems. An information security incident would be considered material if it has caused or has the potential to cause material harm to consumers, or financial or reputational damage to financial institutions or the financial services sector.

The Discussion Paper also states that the mandatory reporting requirement may also be triggered if an information security incident is:

  • reported or reasonably expected to be reported to the financial institution’s members, users, customers, or participating organizations or the media;

  • escalated to internal or external legal counsel, senior management, or board of directors;

  • reported to the Office of the Privacy Commissioner, law enforcement agencies, other regulatory authorities; or

  • reported to a cyber-insurance company.

Failure to comply with the rule would be a contravention of the Financial Institutions Act, which could lead to regulatory action, including administrative penalties of up to C$50,000 for a corporation and C$25,000 for an individual.

BCFSA is seeking feedback on its proposed rule and surrounding policy issues from stakeholders, including financial institutions, until February 25, 2022.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Blake, Cassels & Graydon LLP | Attorney Advertising

Written by:

Blake, Cassels & Graydon LLP

Blake, Cassels & Graydon LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.