Canada | Publication | August 23, 2021
On August 13, the Office of the Superintendent of Financial Institutions (OSFI) released an updated Technology and Cyber Security Incident Reporting Advisory (the Advisory) and new requirements for the Cyber Security Self-Assessment. These changes are both effective immediately. The updates aim to enhance OSFI’s awareness of and response to technology and cyber security incidents at federally regulated financial institutions (FRFIs).
Part one of this update will discuss the changes in the Advisory, notably the reduced initial reporting period and the broadened notion of a reportable incident. An upcoming part two will tackle the self-assessment tool provided by OSFI, which is seeing its first changes since 2013.
OSFI recommends FRFIs define priority and severity levels within the organization’s internal incident management framework. While it does not provide a model framework, the Advisory contains an updated list of characteristics indicative of a reportable incident, including but not limited to:
OSFI also provides examples of reportable incidents, which include cyber attacks, technology failure at data centers, third-party breaches and extortion threats. For incidents that do not contain these characteristics or fall into one of these scenarios, the FRFI is encouraged to consult its designated lead supervisor and notify OSFI as a precautionary measure.
OSFI’s Advisory highlights the importance of incident reporting by FRFIs when faced with a technology or cyber security incident. If faced with an incident, FRFIs should use this opportunity to update and strengthen their policies and procedures to ensure they and the industry at large are better equipped to proactively prevent such incidents from occurring in the future.
When an incident happens, the FRFI needs to keep in mind its reporting obligations. FRFIs must first report an incident to OSFI within 24 hours, bearing in mind the broader definition of what is now considered a reportable incident. This preliminary report should be done promptly via the form provided by OSFI.
FRFIs should also provide regular updates to OSFI on the incident as new information becomes available, as well as situation updates, which include any short- and long-term remediation actions and plans. Additionally, a post-incident review should be submitted to OSFI once an incident has been contained.
The authors wish to thank articling students Marisa Kwan and Roxanne Caron for their help in preparing this legal update.
© Norton Rose Fulbright LLP 2023