Brief

On April 1, 2025, a new incident reporting form will be effective. The old form should be used until then. This update supports OSFI's awareness and response to technology and cyber security incidents at Federally Regulated Financial Institutions (FRFIs). FRFIs are required to report incidents with potential consequences for other institutions or the Canadian financial system, impacting financial market settlement, or disrupting business systems.

The new incident reporting form will be effective on April 1, 2025. Please continue using the old incident reporting form until then.

Purpose
The Technology and Cyber Security Incident Reporting Advisory supports a coordinated and integrated approach to OSFI's awareness of, and response to, technology and cyber security incidents at Federally Regulated Financial Institutions (FRFIs). This Advisory replaces the current Technology and Cyber Security Incident Reporting Advisory, which was published in January 2019 and came into effect in March 2019.
As members of a sector critical to the Canadian economy, FRFIs have a responsibility to address technology and cyber security incidents in a timely and effective manner. FRFIs are required to provide timely notification to OSFI when incidents relating to their operations occur. This requirement should be reflected in FRFIs' policies and procedures for dealing with technology and cyber security incidents.
Incident reporting can help identify areas where FRFIs or the industry at large can take steps to proactively prevent such incidents or improve their resiliency after an incident has occurred.
Scope and definition
This Advisory applies to all FRFIs and describes OSFI's incident reporting requirements. It does not include guidance on OSFI's expectations for an incident management framework.
For the purpose of this Advisory, a technology or cyber security incident is defined as an incident that has an impact, or the potential to have an impact, on the operations of a FRFI, including the confidentiality, integrity or availability of its systems and information.
Criteria for reporting
FRFIs should define priority and severity levels within their incident management framework. When in doubt about whether to report an incident, FRFIs should consult their Lead Supervisor.
A reportable incident may have any one or more of the following characteristics:

  • Impact has potential consequences to other FRFIs or the Canadian financial system;
  • Impact to FRFI systems affecting financial market settlement, confirmations or payments (e.g., Financial Market Infrastructure), or impact to payment services;
  • Impact to FRFI operations, infrastructure, data and/or systems, including but not limited to the confidentiality, integrity or availability of customer information;
  • Disruptions to business systems and/or operations, including but not limited to utility or data centre outages or loss or degradation of connectivity;
  • Operational impact to key/critical systems, infrastructure or data;
  • Disaster recovery teams or plans have been activated, or a disaster declaration has been made by a third party vendor that impacts the FRFI;
  • Operational impact to internal users that also poses an impact to external customers or business operations;
  • Number of external customers impacted is growing; negative reputational impact is imminent (e.g., public and/or media disclosure);
  • Impact to a third party affecting the FRFI;
  • A FRFI's technology or cyber incident management team or protocols have been activated;
  • An incident that has been reported to the Board of Directors or Senior/Executive Management;
  • A FRFI incident has been reported to:
      • the Office of the Privacy Commissioner;
      • another federal government department (e.g., the Canadian Centre for Cyber Security);
      • other local or foreign supervisory or regulatory organizations or agencies;
      • any law enforcement agencies;
      • or the FRFI has invoked internal or external counsel;
  • A FRFI incident for which a cyber insurance claim has been initiated;
  • An incident assessed by a FRFI to be of a high or critical severity level, or ranked Priority/Severity/Tier 1 or 2 based on the FRFI's internal assessment; or
  • Technology or cyber security incidents that breach internal risk appetite or thresholds.
For incidents that do not align with or contain the specific criteria listed above, or when a FRFI is uncertain, notification to OSFI is encouraged as a precaution.

Initial notification requirements
Under the Advisory, FRFIs must report a technology or cyber security incident to OSFI's Technology Risk Division as well as their Lead Supervisor at OSFI within 24 hours, or sooner if possible.
When reporting a technology or cyber security incident to OSFI, a FRFI must notify OSFI's Technology Risk Division (at TRD-DRT@osfi-bsif.gc.ca) as well as their Lead Supervisor and must do so in writing (electronic; see Footnote 1) as set out in the Incident Reporting and Resolution Form (see Appendix II). Where specific details are unavailable at the time of the initial report, the FRFI must indicate 'information not yet available.' In such cases, the FRFI must provide best estimates and all other details available at the time, including their expectations of when additional information will be available.
Subsequent reporting requirements
OSFI expects FRFIs to provide regular updates (e.g., daily) as new information becomes available, and until all details about the incident have been provided.
Depending on the severity, impact and velocity of the incident, OSFI may request that a FRFI change the method and frequency of subsequent updates.
Until the incident is contained/resolved, OSFI expects FRFIs to provide situation updates, including any short-term and long-term remediation actions and plans.
Following incident containment, recovery and closure, the FRFI should report to OSFI on its post-incident review and lessons learned.
Failure to report
Failure to report incidents as outlined above may result in increased supervisory oversight including but not limited to enhanced monitoring activities, watch-listing or staging of the FRFI.
Appendix I – Examples of reportable incidents
The following table provides some examples of the types of reportable incidents but should not be considered an exhaustive list.

Scenario Name: Cyber Attack
Scenario Description: Account takeover botnet campaign is targeting online services using new techniques; current defenses are failing to prevent customer account compromise
Impact:
  • High volume and velocity of attempts
  • Current controls are failing to block the attack
  • Customers are locked out
  • Indication that customer account(s) or information has been compromised

Scenario Name: Service Availability & Recovery
Scenario Description: Technology failure at data centre
Impact:
  • Critical online service is down and alternate recovery option failed
  • Extended disruption to critical business systems and operations

Scenario Name: Third-Party Breach
Scenario Description: A material third party is breached; FRFI is notified that the third party is investigating
Impact:
  • Third party is designated as material to the FRFI
  • Impact to FRFI data is possible

Scenario Name: Extortion Threat
Scenario Description: FRFI has received an extortion message threatening to perpetrate a cyber attack (e.g., DDoS for Bitcoin)
Impact:
  • Threat is credible
  • Probability of critical online service disruption
Appendix II – OSFI incident reporting and resolution form
FRFIs are required to report incidents to the Technology Risk Division at TRD-DRT@osfi-bsif.gc.ca as well as their Lead Supervisor using the OSFI Technology and Cyber Incident Reporting Form.
We have recently updated the Technology and Cyber Incident Reporting Form and published detailed instructions. FRFIs can continue to use the old form until March 31, 2025. As of April 1, 2025, please submit incident reports using the new form.

Footnotes

Footnote 1

If electronic means of notification are not available, notification by telephone followed by a paper submission is acceptable.

Highlights

Purpose
The Technology and Cyber Security Incident Reporting Advisory has been updated to support a coordinated and integrated approach to OSFI’s awareness of, and response to, technology and cyber security incidents at Federally Regulated Financial Institutions (FRFIs). This advisory replaces the current Technology and Cyber Security Incident Reporting Advisory, which was published in January 2019. The purpose is to ensure FRFIs address technology and cyber security incidents in a timely and effective manner.

The advisory requires FRFIs to provide timely notification to OSFI when incidents relating to their operations occur. This requirement should be reflected in FRFIs’ policies and procedures for dealing with technology and cyber security incidents. Incident reporting can help identify areas where FRFIs or the industry at large can take steps to proactively prevent such incidents or improve their resiliency after an incident has occurred.

Effects on Industry
The updated advisory will have several effects on the industry:

  • FRFIs must report technology and cyber security incidents to OSFI’s Technology Risk Division as well as their Lead Supervisor within 24 hours, or sooner if possible.
  • FRFIs must use the Incident Reporting and Resolution Form (see Appendix II) when reporting a technology or cyber security incident to OSFI.
  • Failure to report incidents as outlined above may result in increased supervisory oversight, including but not limited to enhanced monitoring activities, watch-listing or staging of the FRFI.
  • The updated advisory will ensure that FRFIs have a clear understanding of their responsibilities and obligations regarding technology and cyber security incident reporting.

Relevant Stakeholders
The following stakeholders are affected by this update:

  • Federally Regulated Financial Institutions (FRFIs)
  • OSFI’s Technology Risk Division
  • Lead Supervisors at OSFI

These stakeholders must comply with the updated advisory to ensure effective management of technology and cyber security incidents.

Next Steps
To comply with this update, FRFIs should:

  1. Review their policies and procedures for dealing with technology and cyber security incidents.
  2. Ensure that they have a clear understanding of their responsibilities and obligations regarding incident reporting.
  3. Use the Incident Reporting and Resolution Form (see Appendix II) when reporting a technology or cyber security incident to OSFI.

FRFIs should also ensure that their Lead Supervisors are aware of their responsibilities under this update.

Any Other Relevant Information
The updated advisory is effective on April 1, 2025. FRFIs should continue using the old incident reporting form until then. After March 31, 2025, please submit incident reports using the new form.
