Knowing When to Report an Information Security Incident to the BCFSA
The BC Financial Services Authority (BCFSA) Information Security (IS) Guideline now requires Provincially Incorporated Financial Institutes (PRFIs) to develop their own frameworks for managing IS risk and data governance within their organizations.
In the guideline, specific communication requirements have been established by the BCFSA in the event of a major incident:
After a major incident, a PRFI should inform its BCFSA Relationship Manager as soon as possible.
As soon as possible, but within 72 hours of a major incident, the PRFI should provide the BCFSA Relationship Manager with an incident report.
The BCFSA IS Risk Management Framework mandates that an incident “should be of a certain degree of severity” before a PRFI reports it to the BCFSA.
How to Assess the Degree of Severity for Major Incidents
Just as each PRFI creates its own BCFSA IS Framework, each PRFI must determine how an incident impacts its own organization, since different types of PRFIs will experience varying levels of impact depending on the type and size of the incident. Across the board, the BCFSA defines a major incident as one that will have an impact on the PRFI’s “members, users, consumers, or the general public.”
To help PRFIs understand how the severity of an incident affects their organization, the BCFSA has provided the following questions to consider.
Is this an incident that:
a) has been reported, or is reasonably expected to be reported, to the press or to the organization's members, users, or participating organizations with potential for a negative reputational impact?
b) staff would, in the normal course of operations, escalate the matter to or inform those in senior management ultimately accountable for technology?
c) causes the organization to operate from a backup system or site?
d) results in significant operational impacts to key/critical information systems or data?
e) materially affects a PRFI’s operational or customer data, including confidentiality, integrity, or availability of such data?
f) has a significant operational impact on internal users that is material to clients or business operations?
g) causes significant levels of system/service disruptions to critical business systems?
h) is affecting a significant or growing number of external customers?
i) will have a material impact on critical deadlines/obligations in financial market settlement or payment systems (e.g. Financial Market Infrastructure)?
j) may have a significant impact on a third party?
k) has been reported to other regulatory or other authorities?
While answering “yes” to one or more of these questions may signify a major incident, the BCFSA has also provided a table of examples to further clarify what a major incident consists of.
Examples of Major Incidents
Cyber Attack
An account takeover botnet campaign is targeting online services using new techniques, and current defenses are failing to prevent customer account compromise.
High volume and velocity of attempts.
Current controls are failing to block attack.
Customers are locked out.
Indication that accounts have been compromised.
Service Availability & Recovery
There is a technology failure at a data centre.
Critical online service is down, and the alternate recovery option failed.
Extended disruption to critical business systems and operations.
Third Party Breach
A material third party’s system is breached, and the PRFI is notified that the third party is investigating.
Third party is designated as material to the PRFI.
Material impact to PRFI data is possible.
Extortion Threat
A PRFI has received an extortion message threatening to perpetrate a cyber-attack (e.g. a Distributed Denial of Service attack) unless a Bitcoin payment is received.
Threat is credible.
Probability of critical online service disruption.
Internal Breach
An employee or contractor has intentionally or inadvertently caused sensitive data to be accessed, destroyed, modified, or made inaccessible.
Indications that accounts have been compromised.
While major incidents are not limited to the above list, it is important for PRFIs to establish best practices in advance and consider which types of incidents will fall into this category.
Enlisting third-party managed information services and implementing layered cyber security initiatives can not only help mitigate the risk of major incidents but also shorten incident response times, initiate remediation tactics, and create a more resilient IS environment.
How to Report a Major IS Incident to the BCFSA
BCFSA IS Guideline: What you need to know
Do you need help with the BCFSA Information Security Guideline?
Navigating the requirements of the BCFSA guideline can be difficult. Call us today to find out how we can help create an IS Risk Management Framework that keeps your organization and your clients secure.
About happier IT
Financial Institutes across Canada trust happier IT as an industry IT expert. Our proven track record is built on experience and understanding of the technical challenges that FIs of all sizes face and of how guidelines vary by province. From innovative banking technologies to compliance standards and helping to enhance member experiences, happier IT is a true IT partner to FIs nationwide.
Questions on Compliance? Call us today: 1-888-974-2779