With updated guidelines coming from the Office of the Superintendent of Financial Institutions (OSFI), along with the 2021 cyber security incident reporting advisory, federally regulated financial institutions have been required to disclose technology incidents beyond cybersecurity issues. This has had an impact on the negotiation of technology service agreements.
Partner and co-head of Torys’ Technology Contracting practice Joel Ramsey told Lexpert in its Special Edition on Technology and Health Sciences that he thinks it’s OSFI looking at just how reliant the industry is on technology provided by third parties—and [concluding] that reportable incidents can’t just be about cyber breaches.
A good example is debit, credit, and other electronic payments systems going down, and their impact on financial institutions and their customers.
“Most people don’t have a lot of cash in their pockets these days, and it can really have an impact, even though it may not necessarily be a cybersecurity or privacy breach,” Joel said.
Lexpert reported that the advisory has changed its standard for reporting security incidents to OSFI, which has also affected contract terms. Joel commented that one way to negotiate these contracts is to determine what levels of service and response parties need for distinct system aspects and then build in the service packages to reflect different situations.
“One good thing about the Canadian regulatory environment is that it encourages a risk-based approach to assessing and implementing guidelines that accommodates different service levels,” he added.