Cybersecurity sits firmly among the top priorities of any financial institution. The prevention of a breach is of utmost importance, but cyberattack reporting requirements cannot be disregarded either. A case study.
2018 was another record year for malicious hacks and data breaches. In the first six months alone over 4.5 billion records were compromised by unauthorized parties according to estimates. And the second half was equally bad: Facebook had to admit that hackers had gained access to over 30 million users’ records in September 2018; approximately 380,000 travelers who purchased plane tickets on the British Airways website and mobile app were robbed of their personal data in August, including their full credit card information; and in November, Starwood Hotels confirmed that up to 500 million hotel guests’ information had been stolen in a data breach.
Lloyds bank has warned that the damage of a serious cyberattack could cost the global economy $120 billion, which would exceed the losses caused by natural disasters such as the hurricanes Katrina and Sandy.
No wonder that cybersecurity sits firmly among the top priorities of any financial institution. The prevention of a breach is of utmost importance, but cyberattack reporting in case of an incident should be part of any organisational procedures that seek to establish a framework for preventing and handling cyber incidents. The reality is different though: attacks often remain undetected for months (Starwood Hotels, in the case mentioned above, had to admit that while the data breach was detected on September 10th, it could date back to 2014), and when they are addressed, the rectification of the issue in many cases causes new problems. In a hurry to fix the situation, firms often make things worse, as reported by the BBC. With that in mind it might be understandable if you forget about your reporting obligations. But you shouldn’t.
Sunday marked the go-live date of the Technology and Cyber Security Incident Reporting standards issued by the Canadian regulator OSFI, so this might be a good time to review your procedures and check whether they are in line with these obligations and those of other regulators.
First of all, the rules apply to all federally regulated financial institutions (“FRFI”). So, if you or, for example, another part of your banking group is overseen by the Canadian authorities, you will need to adhere to this advisory. But even if you’re not, we urge you to continue reading.
As a starting point, OSFI has issued Cyber Security Self-Assessment Guidance. This template, similar to other self-assessment tools, is a procedure to measure the current level of preparedness and to develop and maintain effective cyber security practices. The new guidance also lists the characteristics of an incident that needs to be reported:
- Significant operational impact to key/critical information systems or data;
- Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
- Significant operational impact to internal users that is material to customers or business operations;
- Significant levels of system / service disruptions;
- Extended disruptions to critical business systems / operations;
- Number of external customers impacted is significant or growing;
- Negative reputational impact is imminent (e.g., public/media disclosure);
- Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
- Significant impact to a third party deemed material to the FRFI;
- Material consequences to other FRFIs or the Canadian financial system;
- A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.
If an incident falls within these categories, swift action is required, not only to seal the hole in your defences but also to contact the firm’s supervisor as promptly as possible, and in writing no later than 72 hours after the incident. Such a report would need to consist of best known estimates and all other details available at the time, and include the following:
- Date and time the incident was assessed to be material;
- Date and time/period the incident took place;
- Incident severity;
- Incident type (e.g. DDoS, malware, data breach, extortion);
- Incident description, including:
  - known direct/indirect impacts (quantifiable and non-quantifiable), including privacy and financial;
  - known impact to one or more business segments, business units, lines of business or regions, including any third party involved;
  - whether the incident originated at a third party, or has impact on third party services, and
  - the number of clients impacted.
- Primary method used to identify the incident;
- Current status of incident;
- Date for internal incident escalation to senior management or Board of Directors;
- Mitigation actions taken or planned;
- Known or suspected root cause;
- Name and contact information for the FRFI incident executive lead and liaison with OSFI.
The regulator then expects firms to provide regular updates, including any short-term and long-term remediation actions and plans, as new information becomes available and until all material details about the incident have been provided. The document also sets out that, depending on the severity, impact and velocity of the incident, the supervisor may request that a firm changes the method and frequency of subsequent updates. It also requires firms to produce a final report following incident containment, recovery and closure, with a post-incident review and lessons learned.
Remember that we urged you above to continue reading even if you might not be subject to these standards because neither your firm nor any part of your group structure is regulated in Canada? The reason we suggested that you nonetheless evaluate your own structure against these rules is that the OSFI guidance is only the latest in a series of similar documents published on the matter, and most regulators around the world set equivalent levels. The UK’s FCA, for instance, in March reminded firms that under Principle 11 of the FCA Handbook they must report material cyber incidents. The German watchdog BaFin issued its standards and requirements in 2017 and conducted extensive stress testing last year in the insurance sector. The list goes on, and your home regulator will certainly have comparable requirements.
But if you were still in doubt whether the reporting part should receive your undivided attention, consider this: under the GDPR, the maximum fine for a company data breach is 4% of worldwide turnover, as most of us have heard by now – and guess what is one of the key criteria for determining the amount of a fine? Exactly: the aspect of notification, i.e. whether the infringement was proactively reported to the supervisory authority by the firm itself or by a third party. I don’t know what your annual turnover is, but 4% sounds like an awful lot to me.