British Columbia Financial Services Authority (BCSFA) wants to impose mandatory reporting requirements on financial institutions that experience information security incidents, by establishing a new rule under the Financial Institutions Act. The proposed new rule would apply to all credit unions, insurance companies and trust companies authorized to do business in British Columbia, including extra-provincial companies with customers in British Columbia. Though the rule would not apply to pension plan administrators, they remain subject to existing incident reporting expectations as outlined in BCFSA’s current Information Security Guideline.
According to a Discussion Paper issued by BCSFA on January 17, 2022, the proposed rule would require financial institutions to report material information security incidents to BCFSA in writing as soon as possible and no later than 24 hours after the incident is identified. The financial institution would also be required to provide updates at intervals determined by BCFSA, and a full incident report once the incident is resolved.
The Discussion Paper contemplates that the contents of the mandatory reports may vary depending on the class of financial institution, with British Columbia incorporated financial institutions being required to provide a more detailed report than extra-provincially incorporated financial institutions where BCFSA is not the primary regulator. The Discussion Paper also notes that for extra-provincially incorporated financial institutions, BCFSA will rely on the institution’s primary regulator to determine any financial implications of an information security incident.
The Discussion Paper defines an information security incident broadly to include any unauthorized, illegal, or accidental access, use, disclose, modification or destruction of personal information, business information or data or the impairment of network systems. An information security incident would be considered material if it has caused or has the potential to cause material harm to consumers, or financial or reputational damage to financial institutions or the financial services sector.
The Discussion Paper also states that the mandatory reporting requirement may also be triggered if an information security incident is:
reported or reasonably expected to be reported to the financial institution’s members, users, customers, or participating organizations or the media;
escalated to internal or external legal counsel, senior management, or board of directors;
reported to the Office of the Privacy Commissioner, law enforcement agencies, other regulatory authorities; or
reported to a cyber-insurance company.
Failure to comply with the rule would be a contravention of the Financial Institutions Act, which could lead to regulatory action, including administrative penalties of up to C$50,000 for a corporation and C$25,000 for an individual.
BCFSA is seeking feedback on its proposed rule and surrounding policy issues from stakeholders, including financial institutions, until February 25, 2022.