On January 10, 2022, the BC Financial Services Authority (the BCFSA) published the Discussion Paper: Information Security Reporting (the Discussion Paper) that proposes new Information Security (IS) reporting rules (the Proposed Rules) under the Financial Institutions Act (British Columbia) (the FIA). The objective of the Proposed Rules is to implement stronger measures to ensure that certain IS Incidents (defined below) are reported to the BCFSA in a timely and accurate manner.
The Proposed Rules follow the BCFSA’s release of its IS Guideline for financial institutions on October 1, 2021.
The BCFSA is seeking feedback on the Proposed Rules and their associated policy issues set out in the Discussion Paper. These items are summarized in greater detail below.
Summary of the Proposed Rules
1. Who do the Proposed Rules apply to?
The Proposed Rules would apply to all credit unions, insurers and trust companies authorized to carry on business in British Columbia (BC), including extra-provincial companies with customers in BC (Financial Institutions). For extra-provincial Financial Institutions, the BCFSA would rely on the primary regulator of that Financial Institution’s province or territory – or the Office of the Superintendent of Financial Institutions (OSFI), in the case of Federally Regulated Financial Institutions (FRFIs) – to determine the financial implications of an IS Incident on the applicable Financial Institution. In addition, under the Proposed Rules, material IS Incidents reported to a Financial Institution by an outsourcing service provider would need to be reported to the BCFSA.
Further, the Proposed Rules would require Financial Institutions to notify the BCFSA within specified timelines of a reportable IS Incident that could:
- Impair the operations of an individual Financial Institution;
- Disclose confidential customer or corporate information;
- Result in customers being unable to access their deposits and other accounts; or
- Impact the stability of the financial services sector.
2. When would an IS Incident need to be reported to the BCFSA?
The BCFSA states that its focus is on the reporting by Financial Institutions of material IS Incidents with consideration for scope, impact and significance. The Discussion Paper defines a reportable IS Incident as “one that has caused or has the potential to cause material harm to consumers, or financial or reputational damage to Financial Institutions or the financial services sector” (a Reportable Incident).
For the purposes of the Proposed Rules, an IS Incident would include: (i) unauthorized, illegal, or accidental use, disclosure, access to, modifications, or destruction of personal information, business information, or data; and/or (ii) impairment of network systems.
The Discussion Paper notes that Reportable Incidents include, but are not limited to, IS Incidents that have adversely affected, or may adversely affect:
- The operations of critical information systems or data;
- A Financial Institution’s operational or customer data, including confidentiality, integrity, or availability of such data;
- Internal users that are material to customers or business operations;
- Systems or services impacting customers or business operations;
- A Financial Institution’s public reputation (for example, via public or media disclosure);
- Critical deadlines/obligations in financial market settlement or payment systems (for example, financial market infrastructure);
- A third-party deemed material by the Financial Institution; and
- Other Financial Institutions or the BC financial services sector.
Additionally, the BCFSA notes that an IS Incident may become a Reportable Incident if it was:
- Reported, or is reasonably expected to be reported, to the media or to the Financial Institution’s members, users, customers, or participating organizations;
- Escalated to internal or external legal counsel, senior management, or Board of Directors;
- Reported to law enforcement agencies or other regulatory authorities (including the Office of the Privacy Commissioner); or
- Reported to a cyber-insurance company.
3. What is required to be provided in an Incident Report?
Financial Institutions would be required to report a Reportable Incident to the BCFSA in writing (an Incident Report) no later than 24 hours after the Reportable Incident is identified. The Discussion Paper proposes the following two classes of Financial Institutions for the purposes of filing Incident Reports: (i) BC-incorporated financial institutions that are primarily regulated by the BCFSA (a BC FI), and (ii) extra-provincially incorporated Financial Institutions that are primarily regulated by regulators other than the BCFSA (an EP FI).
The Incident Report requirements for BC FIs and EP FIs would include the information set out in the below chart.
In addition, Financial Institutions that provide an Incident Report would be required to provide updates at intervals determined by the BCFSA as new information becomes available, including any short-term and long-term remediation actions and plans. These updates would be required until the IS Incident is resolved. Once the IS Incident has been resolved, the Financial Institution would need to file a post-incident review with the BCFSA that includes lessons it learned from the IS Incident.
4. What are the consequences of non-compliance with the Proposed Rules?
The BCFSA notes that failure to comply with the Proposed Rules would be a contravention of the FIA and may subject the non-compliant Financial Institution to regulatory action by the BCFSA. This includes, but is not limited to, an administrative penalty of up to CA$50,000 for a corporation, or CA$25,000 for an individual.
Conclusion and next steps
In addition to any general comments from the information discussed above, the BCFSA is seeking feedback from industry stakeholders on the following specific questions:
- Are you comfortable with the BCFSA sharing information on patterns or trends it detects through an analysis of IS Incident reports, in an anonymized fashion? How can the BCFSA best share this information with Financial Institutions?
- Is the definition of what constitutes a material incident clear? If not, why?
- Do the identified triggers provide sufficient guidance on when reporting is required?
- Based on the above definition and triggers, how many IS reports would you estimate that you might complete on an annual basis?
- Are these reporting timelines reasonable? Which elements would be difficult for a Financial Institution to respond to within the timelines and why?
- Is the content of the incident report and subsequent report clear and reasonable?
- Are there any other considerations you want to share with us that we have not addressed in the document?
Industry stakeholders should submit any feedback on the Discussion Paper and Proposed Rules to the BCFSA by February 25, 2022 at policy@bcfsa.ca. We would be pleased to assist with any submissions. Reach out to Laurie LaPalme, Marisa Coggin, Jesse Collins-Swartz or any member of Dentons Canada’s Insurance group for assistance.