How to Report a Major Information Security Incident to BCFSA
The BC Financial Services Authority (BCFSA) requires certain protocol to be followed in the event of a major incident involving a data breach. All Provincially Incorporated Financial Institutions (PRFIs) must identify the impacts of the breach on their organization (including their members, users, consumers, or the general public) and determine whether it is considered to be a major incident.
Should the event be deemed a major incident, PRFIs are expected to comply with the following step:
After a major incident, a PFRI should inform their BCFSA Relationship Managers as soon as possible.
As soon as possible, but within 72 hours of a major event, the PFRI should provide the BCFSA Relationship Manager with an incident report.
While the communication requirements are outlined between the PRFI and the BCFSA, it still may be unclear what is expected to be included in the incident report.
Detailed Incident Reporting Template
At the time of a major incident, not all details may be available as an organization will understandably be reacting to the incident in real-time. In this case, the PRFI should indicate ‘information not yet available’ in their response. Best known estimates and all other details, that are available, can be provided in the report.
What to include in your initial report:
Date and time the incident was assessed to be material.
date and time/period in which the incident took place.
Incident severity.
Incident type (for example, internal breach, malware, data breach, extortion, etc.).
Incident description, including: o known direct/indirect impacts (quantifiable and non-quantifiable) including privacy and financial.
Known impact to one or more business segment, business unit, line of business or regions, including any third party involved.
Whether the incident originated at a third party or has an impact on third party services, and;
The number of clients impacted.
Primary method used to identify the incident.
Current status of incident.
Date for internal incident escalation to senior management or Board of Directors.
Mitigation actions taken or planned.
Known or suspected root cause.
Name and contact information for the PRFI incident executive lead and liaison with the BCFSA.
Following the initial report
PRFIs will be required to provide regular updates to the BCFSA on a daily basis, or more frequently if new information becomes available. These reports will be ongoing as necessary until all material details of the incident have been provided.
Ongoing communication with the BCFSA Relationship Manager will be required until the incident is considered to be contained/resolved. The PRFI will be required to produce information such as:
Short term/Long term remediation action plans.
Incident containment, recovery, and closure updates.\
Upon conclusion of the incident – a post incident review and lessons learned will be required.
The BCFSA Relationship Manager may request changes to the frequency of the subsequent updates depending on the ongoing severity, impact, and velocity of the incident.
BCFSA IS Guideline: What you need to know - Read more here
Knowing when to report an IS Incident to the BCFSA - Read more here
Do you need help with the BCFSA Information Security Guideline?
Navigating the requirements of the BCFSA guideline can be difficult, call us today and find out how we can help create an IS Risk Management Framework to keep your organization and your clients secure.
Book Your Free Consultation Today!
About happier IT
Financial Institutes across Canada trust happier IT as an industry IT expert. Our proven track record is led by experience and understanding of the technical challenges that FIs of all sizes face and how guidelines vary by province. From innovative banking technologies to compliance standards and helping to enhance member experiences, happier IT is a true IT partner to FIs nationwide.
Questions on Compliance? Call us today: 1-888-974-2779