Canada’s banking regulator recently updated its Technology and Cyber Security Incident Reporting requirements, which govern how financial institutions disclose and report cybersecurity incidents. And, for the first time since 2013, it updated its Cyber Security Self-Assessment tool. Both releases from the Office of the Superintendent of Financial Institutions (OSFI) offer all organizations valuable strategies to improve privacy, cybersecurity breach responses, and the resilience of IT systems.
Financial institutions must report technology or cybersecurity incidents to OSFI as soon as possible, and in any event within 24 hours. This is a more stringent reporting timeline (previously, 72 hours). It is more rigorous than PIPEDA, which has no fixed reporting deadline and instead requires reporting of security breaches “as soon as feasible after the organization determines that the breach has occurred”. The General Data Protection Regulation (GDPR) requires reporting within 72 hours.
OSFI’s Technology and Cyber Incident Report form includes dropdown lists and fields which act as prompts to consider or define various cybersecurity issues. For instance, dropdown lists categorize the type of incident, whether ransomware, phishing, Distributed Denial of Service (DDoS), or other attacks. Form fields ask whether the organization has reported to or engaged law enforcement, insurers, a breach coach, or forensic firms, which serves as a reminder of the other parties who should be involved or notified after a cyber incident.
A breach coach, an increasingly prevalent role as cyber incidents proliferate, is the main point of contact, coordinator, project manager, and advisor for the organization after a suspected or confirmed cyber incident. The breach coach is often a lawyer who specializes in cybersecurity and privacy law.
OSFI’s reporting requirements extend beyond cyber attacks and include events that could disrupt business systems and operations, such as a loss of utility service or a data centre outage.
First Reference’s internal control library, which includes Information Technology PolicyPro, Finance and Accounting PolicyPro, Operations and Marketing PolicyPro, and Not-for-Profit PolicyPro, addresses privacy and regulatory reporting and notification requirements under PIPEDA, as well as best practices, in policies entitled Confidentiality and Managing a Security Breach.
OSFI’s Cyber Security Self-Assessment tool helps organizations to evaluate and strengthen their cybersecurity frameworks. Five aspects of the Cyber Security Self-Assessment tool are interesting, namely its:
- Focus on governance;
- Consistency with the Cybersecurity Framework from the National Institute of Standards and Technology (NIST);
- Section entitled “Learn”;
- Section entitled “Third Party Providers”; and
- Reference to lines of defense in the protection of IT systems.
The first section of the tool focuses on governance activities, including risk assessment and developing cyber risk strategies and policies. Critical organizational functions depend on board- or governance-level involvement for their success, so it is vital that this is where the tool begins. This governance approach to controls permeates First Reference’s internal control library.
The self-assessment tool includes sections for the five core, high-level functions in NIST’s Cybersecurity Framework, namely:
- Identify – Identify and understand the organization’s systems, assets, data, and capabilities.
- Protect (OSFI’s “Defend”) – Develop and implement safeguards to mitigate cyber risks, including those related to access control, awareness and training, data security, maintenance, and protective technology.
- Detect – Develop and implement policies and procedures to identify cyber incidents, including continuous security monitoring, detection processes, and identifying system anomalies and events.
- Respond – Take corrective actions in response to a cyber incident. Organizations need procedures for response planning, communications, analysis, mitigation, improvements, and other responses.
- Recover – Recovery procedures help organizations resume normal or safe operations after a cyber incident. They include procedures that address recovery planning, implementing improvements, and communications.
But OSFI adds two other sections to the self-assessment tool, thereby highlighting them, namely:
- Learn – Organizations must continuously review and improve their IT systems and focus on security education for employees, customers, and other stakeholders. Giving these activities their own section is valuable (NIST covers them within other functions, for instance Respond and Protect). The cyber threat landscape is constantly evolving, necessitating continuous review, adaptation, and improvement. Employees and other insiders are among the weakest cybersecurity links, so training and awareness programs are critical.
- Third Party Providers – Other stakeholders and business partners can pose serious threats, notwithstanding an entity’s own internal controls. This section addresses controls over cloud service providers and other third parties who can affect an organization’s cybersecurity. As an example, this section assesses whether organizations require audit certifications or other independent assurances of a third party’s controls.
Policies on cybersecurity in First Reference’s internal control library address the core functions identified above by NIST and OSFI.
Finally, the self-assessment tool refers to roles and responsibilities for all three lines of defense in a cyber risk framework. In a perfect world, internal controls would be 100% effective once implemented. In reality, organizations need multiple lines of defense, that is, barriers against the risk that an internal control fails and that the failure prevents the organization from achieving its objectives. The internal audit function is the last of the three lines of defense recommended by the Institute of Internal Auditors (IIA) in its updated (2020) Three Lines Model.
Operational management is the first line of defense. These are the departments responsible for carrying out, supervising, and controlling daily or front-line functions, consistent with the organization’s internal controls. Risk and compliance functions, such as privacy and compliance roles, are the second line of defense, monitoring the adequacy and effectiveness of operational management. Both lines are accountable to senior management.
The third and last line of defense is the internal audit function. Internal audit’s unique role is to provide the board with objective and independent assessments of whether the other two lines of defense are operating effectively.
The policies in First Reference’s internal control library promote the three lines model, for instance, in Finance and Accounting PolicyPro in GV 1.08 – Relationship with Internal Auditors, Operations and Marketing PolicyPro in OP 5.12 – Internal EMS Audits, and Information Technology PolicyPro in IT 7.03 – Internal Audits.
Meeting your duty of care
Implement and maintain effective cybersecurity policies to prevent cyber incidents and, if prevention fails, to identify, respond to, and learn from them. Board governance is essential, as are the three lines of defense that strengthen internal controls. Policies and procedures are essential, but the work required to create and maintain them can seem daunting. Finance and Accounting PolicyPro, Operations and Marketing PolicyPro, Not-for-Profit PolicyPro, and Information Technology PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contain sample policies, procedures, checklists and other tools, plus authoritative commentary to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request free 30-day trials of Finance and Accounting PolicyPro, Not-for-Profit PolicyPro, Operations and Marketing PolicyPro, and Information Technology PolicyPro here.