Mitigate Your Cyber Risk with New Guidance from OSFI

Authors: Kristél Kriel, Nathan Schissel, Adam Lakusta

Canadian financial institutions maintain highly sensitive personal and other information and are experiencing an increase in sophisticated cyberattacks. Recent guidance from the Office of the Superintendent of Financial Institutions (OSFI) provides helpful insights to financial institutions on mitigating cyber risks and reporting cyber incidents.

New Advisory and Tools for Organizations within the Financial Sector

To help address the elevated threat of cyberattacks and their impact on businesses and the financial sector, OSFI has released updated documents including a Cyber Security Self-Assessment tool and Incident Reporting Advisory.

The assessment tool allows financial institutions to assess their level of cyber preparedness in order to develop and maintain effective cybersecurity practices, while the advisory sets out the steps to be taken in the event of a cybersecurity incident. Although both documents are directed at federally regulated financial institutions, they provide helpful insights for all organizations in the financial sector.

The assessment tool helps organizations prepare and improve their cybersecurity by offering a checklist of security-related controls and describing best practices for configuring those controls securely. The tool provides guidance relating to governance, detection, defence, response, recovery, post-incident learning and the management of third-party providers. The assessment tool will be refreshed regularly and is intended to supplement forthcoming guidance from OSFI.

The advisory requires financial institutions to follow certain steps, such as reporting cybersecurity incidents to OSFI within 24 hours, or sooner if possible. Such reports must be in writing and provide specific details about the incident. While the incident is ongoing, financial institutions are further required to provide daily updates until all of the information regarding the incident has been shared. Following the incident, OSFI requires financial institutions to perform a post-incident review, including lessons learned. Failure to report cybersecurity incidents may result in increased supervisory oversight, including enhanced monitoring activities, watch-listing and staging of the financial institution.

Examples of reportable incidents include cyberattacks that result in customer accounts being compromised, as well as credible extortion threats to carry out a cyberattack.
As part of a critical sector of the Canadian economy, financial institutions and organizations within the financial sector must remain vigilant in addressing cybersecurity risks. The tools provided by OSFI can help organizations mitigate these risks.

Please contact our privacy and cybersecurity team for assistance with reviewing your organization’s cybersecurity program or responding to cybersecurity incidents.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.