Breaking Down the BCFSA IS Guideline: What your Financial Institution Needs To Know
As you may have heard, the BC Financial Services Authority (BCFSA) has published an outline of principles and best practices that all regulated entities will be expected to follow. Its primary purpose is to set out a framework of expectations, including consequences, for mitigating current and future Information Security (IS) risks that threaten consumers and Provincially Regulated Financial Institutions (PRFIs).
The financial sector experienced the highest number of malicious cyber incidents and privacy and lost data incidents of any sector (Bank of Canada)
What is an Information Security Risk?
The BCFSA defines IS Risks as “unauthorized, illegal, or accidental use, disclosure or destruction of data, or impairment of network systems (information security incidents), which can cause serious harm to consumers and significant financial and reputational damage to regulated entities.” The guideline goes on to state, “The risk of unauthorized or illegal access to sensitive information or systems can come from employees, consultants and others within the organization or external threat actors.”
Organizations need to be aware that this definition deliberately covers accidental disclosure and insider misuse, whether intentional or not, and is not limited to cyber-criminal activity by external actors.
The BCFSA expects compliance and data security at all times, and the principles apply to all types of data regardless of where it is generated (internal or external communications) and how it is stored or accessed (onsite, offsite, or via cloud services).
What You Need to Know About the Guidelines
While this may seem like a lot to digest, the guidelines are intended to create a high-level framework that reduces the likelihood and impact of a data breach for the various types of regulated bodies, including leaked or stolen data, financial and reputational damage, penalties and fines, or even system-wide shutdowns.
The guidelines acknowledge that different classifications of PRFIs face varying degrees of risk. A separate Outsourcing Guideline addresses third-party information system management services.
The Framework
Each PRFI is expected to, “establish and document an effective IS risk management framework, which should be approved by the Board of Directors and reviewed at least once a year by senior management.”
The objective of this framework is to set out the security measures that will be used to mitigate IS Risks within the organization and how those measures will be fully integrated into existing risk management processes.
This is where PRFIs will need to:
Perform an internal risk assessment.
Establish plans of how their organization intends to identify, monitor, and protect against IS threats.
Define how the effectiveness of controls will be tested and measured, including the ability to maintain, protect and, where necessary, restore the integrity of operations and the confidentiality of data.
Outline internal control methods to ensure ongoing compliance.
Overall, governance is expected to rest with the Board of Directors and Senior Management. Governance includes responsibility for overseeing the management of IS Risks and for defining how each department or party is expected to help the organization remain compliant and respond to and remediate incidents.
“Malicious and privacy incidents are more frequent, but implementation errors cost more” (Bank of Canada)
Identify, Protect, Detect, Respond, Recover
Each PRFI’s framework will be shaped by its own circumstances, such as its risk appetite and the nature, scope and complexity of its operations and data. With this in mind, the BCFSA’s guideline identifies five elements around which the framework is built:
Identify – PRFIs are expected to fully understand and analyze the risks associated with the systems, people, assets, data and capabilities within the organization. This extends beyond the internal organization to include IS risk arising from third-party suppliers, partners, personal devices and any other area that could affect the organization’s operations and customers.
Protect – Protection is the obvious inclusion on this list. What isn’t obvious is how institutional data and systems will be protected. Each measure must be appropriate to the sensitivity of the data and systems involved. This is where documentation, best practices, layered security controls and other compliance measures should be listed and enforced.
Detect – Monitoring is key to limiting damage: how quickly an organization detects an incident largely determines how much control it retains over the outcome. This element should cover not only how fast the organization can act but also the steps it will take to contain a data breach or incident once detected.
Respond – This section of the framework defines target response times, the actions to be taken, and the reporting process. Identifying in advance the appropriate course of action for varying circumstances determines how effectively and efficiently the organization can respond in real time.
Recover – Most cyber security experts say it is not a matter of IF but WHEN an organization will be targeted by cybercriminals. For this reason, resilience plans need to be maintained, updated and kept compliant with the ever-evolving breach requirements from inside and outside the industry (insurance qualifiers, national breach reporting laws, etc.).
Communication With the Regulator
Finally, in the event of a major incident, all PRFIs are expected to keep the BCFSA informed.
If a major incident occurs:
Inform your BCFSA Relationship Manager as soon as possible.
No later than 72 hours after the discovery of the major incident, provide an incident report to your BCFSA Relationship Manager.
The bottom line is that all PRFIs need to understand how data is generated, stored and accessed within their organizations in order to create the framework for how internal risk management will be handled.
Knowing When to Report an IS Incident to the BCFSA - Read more here
How to Report an IS Incident to the BCFSA - Read more here
Do you need help with the BCFSA Information Security Guideline?
Navigating the requirements of the BCFSA guideline can be difficult. Call us today to find out how we can help you create an IS Risk Management Framework that keeps your organization and your clients secure.
Book Your Free Consultation Today!
About happier IT
Financial Institutions across Canada trust happier IT as an industry IT expert. Our proven track record is built on experience with the technical challenges that FIs of all sizes face and an understanding of how guidelines vary by province. From innovative banking technologies to compliance standards and enhancing member experiences, happier IT is a true IT partner to FIs nationwide.
Questions on Compliance? Call us today: 1-888-974-2779